Focus

Panorama SD-WAN Plugin Help

SD-WAN VPN Clusters

Table of Contents

SD-WAN VPN Clusters

Associate SD-WAN hubs and branches within a VPN cluster.

PanoramaSD-WANVPN Clusters

Associate SD-WAN branch firewalls with one or more SD-WAN hubs to enable secure communication between the branch and hub locations. When you associate branches and hubs in an SD-WAN VPN cluster, the firewall creates the required IKE and IPSec VPN connections between the sites based on the type of VPN cluster you specify.

Field	Description
VPN Address Pool
Member	(`PAN-OS 9.1.2 and later 9.1 releases, and SD-WAN Plugin 1.0.2 and later 1.0 releases`) Add up to 20 IP address ranges (IP network with netmask) that Panorama draws from to use as VPN tunnel IP addresses. Panorama draws from the largest range first, then from the next largest range. A VPN cluster member will get its IP address from the VPN address pool (the ranges) you provide. You must configure at least one entry. If you upgrade from an earlier SD-WAN plugin, you must check that the ranges in the VPN Address Pool are still correct. If not, enter new ranges. After you Commit, all tunnels will be dropped for new tunnels, so do this when cluster members are not busy.
Add
Name	Enter a Name that identifies the VPN cluster.
Type	Select the Type of SD-WAN VPN cluster: Hub Spoke—SD-WAN topology where a centralized firewall at a primary office or location acts as a gateway between branches connected using a VPN connection. Traffic between branches passes through the hub before continuing to the target branch.
Branches	Add one or more branches to associate with one or more hubs.
Group HA Peers	In the Branches window, Group HA Peers to sequentially display branches that are HA peers.
Hubs	In the Gateways window, Add one or more hubs to associate with one or more branches.
Group HA Peers	In the Gateways window, Group HA Peers to sequentially display hubs that are HA peers.
Hub Failover Priority	(`PAN-OS 9.1.4 and later 9.1 releases, and SD-WAN Plugin 1.0.4 and later 1.0 releases`) When you start with these releases, for any new or previously existing VPN cluster that has more than one hub, in the Gateways window you must prioritize the hubs to determine that traffic be sent to a particular hub and to determine the subsequent hub failover order. A cluster supports a maximum of four hubs. Select a hub and click in the Hub Failover Priority field. Enter a priority (range is 1 to 4) of the hub. If you upgrade to these releases, the default priority is set to 4. The plugin internally maps the priority to a BGP local preference value; the lower the priority value, the higher the priority and local preference. Priority 1 maps to local preference 250. Priority 2 maps to local preference 200. Priority 3 maps to local preference 150. Priority 4 maps to local preference 100. Multiple hubs can have the same priority; an HA pair must have the same priority. Panorama uses the branch’s BGP template to push the local preference of the hubs to the branches in the cluster. If multiple hubs in the cluster have the same priority, Panorama enables ECMP in two places on each branch firewall to determine how branches select the path. ECMP is enabled for the virtual router (NetworkVirtual RoutersECMP) and ECMP Multiple AS Support is enabled for BGP (NetworkVirtual RoutersBGPAdvanced). If all hubs in the cluster have a unique priority, ECMP is disabled on the branches.
Refresh IKE Key	(`PAN-OS 9.1.2 and later 9.1 releases, and SD-WAN Plugin 1.0.2 and later 1.0 releases`) Hubs and branches uses a strong, random IKE preshared key to secure VPN tunnels, and each firewall has a master key that encrypts the preshared key. You can refresh the IKE preshared key. You must Commit and Push to Devices to push the key to devices in the cluster. Refresh IKE Key when cluster members are not busy.

SD-WAN Devices

SD-WAN Monitoring