SD-WAN VPN Clusters
Associate SD-WAN hubs and branches within a VPN cluster.
In a hub-spoke topology, associate SD-WAN branch
firewalls with one or more SD-WAN hubs to enable secure communication
between the branch and hub locations. In a full mesh topology, associate
SD-WAN branch firewalls with each other (and optionally with SD-WAN
hubs). When you associate branches and hubs in an SD-WAN VPN cluster,
the firewall creates the required IKE and IPSec VPN connections
between the sites based on the type of VPN cluster you specify.
| Field | Description |
|---|---|
| VPN Address Pool | |
| IPv4 / IPv6 | Select the type of VPN address pool: IPv4 or IPv6. |
| Member | Add up to 20 IP address ranges (an IP network with netmask for IPv4, or an IPv6 network with prefix length for IPv6) that Panorama draws from for VPN tunnel IP addresses. Panorama draws from the largest range first, then from the next largest range. Each VPN cluster member receives its tunnel IP address from the ranges you provide. You must configure at least one entry. The maximum of 20 IP address ranges applies to the combination of IPv4 and IPv6 address pools. If both IPv4 and IPv6 address pools are configured, the tunnel interface uses IPv4 addresses only. If only IPv4 address pools are configured, the tunnel interface uses IPv4 addresses. If only IPv6 address pools are configured, the tunnel interface uses IPv6 addresses. If you upgrade from an earlier SD-WAN plugin, verify that the ranges in the VPN Address Pool are still correct; if not, enter new ranges. After you Commit, existing tunnels are dropped and new tunnels are created, so do this when cluster members aren't busy. |
| BGP Prisma Address Pool | |
| Member | Add up to 5 IP address ranges (IP network with netmask) that are used as the local BGP addresses for Prisma Access loopback addresses. |
| Add | |
| Name | Enter a Name that identifies the VPN cluster. |
| Type | Select the Type of SD-WAN VPN cluster. |
| Authentication Type | Select the type of authentication: Pre Shared Key or Certificate. |
| Branches | Add branches to associate with each other (in a full mesh cluster), or add one or more branches to associate with one or more hubs (in a hub-spoke or full mesh cluster). |
| Group HA Peers | In the Branches window, Group HA Peers to display branches that are HA peers next to each other. |
| Hubs | In the Gateways window, Add one or more hubs to associate with one or more branches. |
| Hub Failover Priority | For any new or existing VPN cluster that has more than one hub, in the Gateways window you must prioritize the hubs to determine which hub traffic is sent to and the subsequent hub failover order. A cluster supports a maximum of four hubs. Select a hub and click in the Hub Failover Priority field. Enter a priority for the hub (range is 1 to 4). The plugin internally maps the priority to a BGP local preference value; the lower the priority value, the higher the priority and the local preference. Multiple hubs can have the same priority; an HA pair must have the same priority. Panorama uses the branch's BGP template to push the local preference of the hubs to the branches in the cluster. If multiple hubs in the cluster have the same priority, Panorama enables ECMP in two places on each branch firewall to determine how branches select the path: ECMP is enabled for the virtual router (Network > Virtual Routers > ECMP) and ECMP Multiple AS Support is enabled for BGP (Network > Virtual Routers > BGP > Advanced). If all hubs in the cluster have unique priorities, ECMP is disabled on the branches. |
| Allow DIA VPN | For a particular SD-WAN hub, select Allow DIA VPN to allow the hub to participate in DIA AnyPath failover. A maximum of four hubs in a VPN cluster can participate in DIA AnyPath; if they are HA hubs, a total of eight hubs are supported. If you Allow DIA VPN for one HA peer in a pair, you must also enable it for the other HA peer. |
| Group HA Peers | In the Gateways window, Group HA Peers to display hubs that are HA peers next to each other. |
| Refresh IKE Key | Hubs and branches use a strong, random IKE preshared key to secure VPN tunnels, and each firewall has a master key that encrypts the preshared key. You can refresh the IKE preshared key; you must Commit and Push to Devices to push the new key to the devices in the cluster. Refresh the IKE key when cluster members are not busy. |
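As an added worked example (not code from the Panorama SD-WAN plugin or its documentation), the following Python models the VPN Address Pool rules in the table: the combined 20-entry limit, the IPv4-over-IPv6 precedence for the tunnel interface, and largest-range-first address assignment. The overlap check and the sample ranges are constructed assumptions, not behaviour the page states.

```python
import ipaddress

MAX_POOL_ENTRIES = 20  # combined IPv4 + IPv6 limit stated for the VPN Address Pool


def validate_pool(ipv4_ranges, ipv6_ranges):
    """Return a list of problems with the pool definition (empty list = acceptable).

    Covers the two rules the page states (at least one entry, at most 20 entries
    across both families) plus one added sanity check that the page does not
    mention: overlapping ranges, which could hand two members the same address.
    """
    problems = []
    nets = [ipaddress.ip_network(r, strict=True) for r in ipv4_ranges + ipv6_ranges]
    if not nets:
        problems.append("at least one VPN address pool entry is required")
    if len(nets) > MAX_POOL_ENTRIES:
        problems.append(f"{len(nets)} ranges configured; combined maximum is {MAX_POOL_ENTRIES}")
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.version == b.version and a.overlaps(b):
                problems.append(f"ranges {a} and {b} overlap")
    return problems


def tunnel_address_family(ipv4_ranges, ipv6_ranges):
    """IPv4 whenever any IPv4 range exists; IPv6 only for an IPv6-only pool."""
    if not ipv4_ranges and not ipv6_ranges:
        raise ValueError("empty VPN address pool")
    return 4 if ipv4_ranges else 6


def allocate_tunnel_addresses(ranges, members):
    """Assign one tunnel address per member, largest range first, then the next largest.

    Returns (assigned, unassigned); members left over once the pool is exhausted
    are reported in `unassigned` rather than silently dropped.
    """
    nets = sorted((ipaddress.ip_network(r, strict=True) for r in ranges),
                  key=lambda n: n.num_addresses, reverse=True)
    # hosts() skips the network/broadcast (IPv4) or subnet-router anycast (IPv6) address
    candidates = (str(h) for n in nets for h in n.hosts())
    assigned, unassigned = {}, []
    for member in members:
        addr = next(candidates, None)
        if addr is None:
            unassigned.append(member)
        else:
            assigned[member] = addr
    return assigned, unassigned


if __name__ == "__main__":
    # Constructed sample pool: a /30 and a /24; the /24 is drawn from first.
    pool_v4, pool_v6 = ["10.255.0.0/30", "10.254.0.0/24"], ["2001:db8:1::/64"]
    print(validate_pool(pool_v4, pool_v6), tunnel_address_family(pool_v4, pool_v6))
    print(allocate_tunnel_addresses(pool_v4, ["hub-1", "hub-2", "branch-1"]))
```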