SD-WAN Full Mesh VPN Cluster with DDNS Service

End-of-Life (EoL)

High-level steps to create a full mesh SD-WAN VPN cluster that uses the DDNS service.
SD-WAN supports a full mesh topology, in addition to the hub-spoke topology. The mesh can consist of branches with or without hubs. Use full mesh when the branches need to communicate with each other directly.
If the branch firewall receives a dynamic IP address, the firewall requires Dynamic DNS (DDNS) so that a DDNS service can detect the public-facing IP address of the firewall interface that is running SD-WAN. When you push the DDNS setting to all firewalls, each firewall registers its external interface IP address with the Palo Alto Networks DDNS cloud service, which maps that IP address to an FQDN.
DDNS is also required because the CPE device from the ISP may be performing source NAT. The DDNS service allows the firewall to register its public-facing (post-NAT) IP address with the DDNS server. When branches connect to each other in the mesh, Auto VPN contacts the DDNS service for those firewalls, pulls the public IP addresses they registered in the DDNS cloud, and uses those public IP addresses to create the IKE peerings and the VPN tunnels. If the CPE device is performing source NAT, then when you add an SD-WAN branch device to be managed by Panorama, you enable Upstream NAT and set the NAT IP Address Type to DDNS.
SD-WAN full mesh with DDNS service requires the following:
  • PAN-OS 10.0.3 or a later 10.0 release
  • SD-WAN Plugin 2.0.1 or a later 2.0 release
  • ZTP Plugin 1.0.1 or a later 1.0 release that is downloaded, installed, and configured in order to leverage the DDNS that is associated with ZTP. Panorama must be ZTP-registered and communicating with the ZTP Service.
  • All firewalls participating in full mesh DDNS must be registered under the same Customer Support Portal account.
  • All firewalls participating in full mesh DDNS must have the latest device certificate installed.
  • If you have a firewall or other network device that controls outgoing traffic positioned in front of the Palo Alto Networks firewall, you must change the configuration on that device to allow traffic from the DDNS-enabled interfaces to the following FQDNs:
    • https://myip.ngfw-ztp.paloaltonetworks.com/ (to reach the whatsmyIP service)
    • https://ngfw-ztp.paloaltonetworks.com/ (to reach the DDNS registration service)
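The following is an added example, not Palo Alto Networks code, that models the rules above: which cluster members need DDNS (DHCP or PPPoE interface, or a source-NATing CPE in front), which address Auto VPN would peer to for each member (static IP or registered DDNS FQDN), and the same-account and device-certificate prerequisites. The firewall names, addresses and FQDNs are constructed placeholders.

```python
from dataclasses import dataclass
from itertools import combinations
from typing import List, Optional, Tuple


@dataclass
class Firewall:
    name: str
    role: str                        # "hub" or "branch"
    ip_type: str                     # SD-WAN interface: "static", "dhcp" or "pppoe"
    csp_account: str                 # Customer Support Portal account
    device_cert: bool                # latest device certificate installed
    upstream_nat: bool = False       # ISP CPE in front performs source NAT
    static_ip: Optional[str] = None
    ddns_fqdn: Optional[str] = None  # FQDN registered with the DDNS service


def needs_ddns(fw: Firewall) -> bool:
    """DDNS is required for a dynamic (DHCP/PPPoE) address or an upstream source NAT."""
    return fw.ip_type in ("dhcp", "pppoe") or fw.upstream_nat


def peer_endpoint(fw: Firewall) -> str:
    """Address Auto VPN would use to build the IKE peering towards this firewall."""
    if needs_ddns(fw):
        if not fw.ddns_fqdn:
            raise ValueError(f"{fw.name}: DDNS required but no FQDN is registered")
        return fw.ddns_fqdn
    if not fw.static_ip:
        raise ValueError(f"{fw.name}: static interface without an address")
    return fw.static_ip


def check_prerequisites(fws: List[Firewall]) -> List[str]:
    """Report violations of the listed prerequisites (one CSP account, device cert)."""
    problems = []
    accounts = {fw.csp_account for fw in fws}
    if len(accounts) > 1:
        problems.append(f"firewalls span several CSP accounts: {sorted(accounts)}")
    problems += [f"{fw.name}: device certificate missing" for fw in fws if not fw.device_cert]
    return problems


def plan_full_mesh(fws: List[Firewall]) -> List[Tuple[str, str, str, str]]:
    """Full mesh: every pair peers directly; tuple is (a, b, endpoint_of_a, endpoint_of_b)."""
    problems = check_prerequisites(fws)
    if problems:
        raise ValueError("; ".join(problems))
    return [(a.name, b.name, peer_endpoint(a), peer_endpoint(b))
            for a, b in combinations(fws, 2)]
```

A three-member cluster yields three peerings; a member whose interface is DHCP or sits behind a source-NATing CPE is rejected until it has a registered FQDN.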
  1. Install the latest device certificate for Panorama and for all managed firewalls that are hubs or branches.
  2. Install ZTP Plugin 1.0.1 to set up Zero Touch Provisioning.
  3. Install SD-WAN Plugin 2.0.1.
  4. Commit on Panorama.
  5. Log in to the Panorama Web Interface.
  6. Create the VPN Address Pool as shown in Create a VPN Cluster.
  7. Create the full mesh VPN cluster.
  8. Commit > Commit to Panorama. If your firewalls have static IP addresses, you are done. If your branch or hub firewalls in a VPN mesh have DHCP or PPPoE interfaces, you must use DDNS, so continue this procedure as follows.
  9. Select Network > Interfaces > Ethernet and in the Template field, select the Template-stack for a particular branch.
  10. Select the interface whose IP address indicates Dynamic-DHCP Client or PPPoE, click Override at the bottom of the screen, and click OK to close.
  11. Verify on Panorama that the DDNS settings were configured.
  12. If the VPN cluster includes any hubs that have a DHCP or PPPoE interface, repeat Steps 9 through 11, but in the Template field, select the Template-stack for a particular hub.
  13. Commit to Panorama and Push to Devices.
  14. Verify on the branch firewall that the branch is configured with DDNS.