SD-WAN Full Mesh VPN Cluster with DDNS Service
10.0 (EoL)
High-level steps to create an SD-WAN VPN cluster that is full mesh with DDNS Service.
SD-WAN supports a full mesh topology, in addition to the hub-spoke topology. The mesh can consist of branches with or without hubs. Use full mesh when the branches need to communicate with each other directly.
If the branch firewall receives a dynamic IP address, the firewall requires Dynamic DNS (DDNS) so that a DDNS service can detect the public-facing IP address of the firewall interface that is running SD-WAN. When you push the DDNS setting to all firewalls, that notifies each firewall to register its external interface IP address with the Palo Alto Networks DDNS cloud service so that the IP address is converted to an FQDN.
DDNS is also required because the CPE device from the ISP may be performing source NAT. The DDNS service allows the firewall to register its public-facing IP address with the DDNS server. When devices connect in a branch-to-branch mesh, Auto VPN contacts the DDNS service to pull the public IP addresses that those firewalls registered in the DDNS cloud and uses those public IP addresses to create the IKE peerings and the VPN tunnels. If the CPE device is performing source NAT, then when you add an SD-WAN branch device to be managed by Panorama, you enable Upstream NAT and set the NAT IP Address Type to DDNS.
SD-WAN full mesh with DDNS service requires the following:
- PAN-OS 10.0.3 or a later 10.0 release
- SD-WAN Plugin 2.0.1 or a later 2.0 release
- ZTP Plugin 1.0.1 or a later 1.0 release, downloaded, installed, and configured, because the DDNS service used here is the one associated with ZTP. Panorama must be ZTP-registered and communicating with the ZTP Service.
- All firewalls participating in full mesh DDNS must be registered under the same Customer Support Portal account.
- All firewalls participating in full mesh DDNS must have the latest device certificate installed.
- If you have a firewall or other network device that controls outgoing traffic positioned in front of the Palo Alto Networks firewall, you must change the configuration on that device to allow traffic from the DDNS-enabled interfaces to the following FQDNs:
  - https://myip.ngfw-ztp.paloaltonetworks.com/ (to reach the whatsmyIP service)
  - https://ngfw-ztp.paloaltonetworks.com/ (to reach the DDNS registration service)
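The requirements above and the DDNS decision described earlier (dynamic WAN addressing or a source-NAT CPE means the firewall must register with DDNS) can be turned into a pre-flight check over a device inventory before you build the cluster. The following script is an added example, not Palo Alto Networks code; the inventory format, the `Firewall` record, the CSP account identifiers and the sample firewalls are all constructed for illustration. One edge it handles explicitly: "10.0.3 or a later 10.0 release" is a train-bound minimum, so a 10.1.x firewall is reported rather than silently accepted as "newer".

```python
"""Pre-flight check for an SD-WAN full mesh VPN cluster that relies on DDNS.

Added example (not Palo Alto Networks code). It encodes the requirements
listed on this page as checks over a hand-built inventory. The inventory
format, the Firewall record and the sample data are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional

# Minimum versions from the requirements list. "X.Y.Z or a later X.Y release"
# means the major.minor train must match and the patch must be at least Z.
MIN_PANOS = (10, 0, 3)
MIN_SDWAN_PLUGIN = (2, 0, 1)
MIN_ZTP_PLUGIN = (1, 0, 1)

# FQDNs the DDNS-enabled interfaces must be able to reach (from the page).
REQUIRED_FQDNS = (
    "myip.ngfw-ztp.paloaltonetworks.com",
    "ngfw-ztp.paloaltonetworks.com",
)


def parse_version(text: str) -> tuple:
    """Turn '10.0.3' into (10, 0, 3); missing fields default to 0."""
    parts = [int(p) for p in text.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def meets_train_minimum(version: str, minimum: tuple) -> bool:
    """True only if version is on the same major.minor train as the minimum
    and at or above it; a later train (e.g. 10.1.0 vs 10.0.3) returns False."""
    v = parse_version(version)
    return v[:2] == minimum[:2] and v >= minimum


@dataclass
class Firewall:
    name: str
    role: str                  # "hub" or "branch"
    panos: str
    csp_account: str           # Customer Support Portal account id (constructed)
    device_cert_current: bool  # latest device certificate installed
    wan_addressing: str        # "static", "dhcp" or "pppoe"
    upstream_source_nat: bool  # ISP CPE in front of the firewall does source NAT


def needs_ddns(fw: Firewall) -> bool:
    """Dynamic WAN addressing (DHCP/PPPoE) or an upstream source-NAT device
    means this firewall must register with the DDNS service."""
    return fw.wan_addressing in ("dhcp", "pppoe") or fw.upstream_source_nat


def ddns_members(firewalls: List[Firewall]) -> List[str]:
    """Names of the firewalls that must be configured for DDNS."""
    return [fw.name for fw in firewalls if needs_ddns(fw)]


def upstream_nat_setting(fw: Firewall) -> Optional[dict]:
    """Panorama 'Upstream NAT' / 'NAT IP Address Type' values the page
    describes for a device behind a source-NAT CPE; None when not applicable."""
    if fw.upstream_source_nat:
        return {"upstream_nat": True, "nat_ip_address_type": "DDNS"}
    return None


def check_cluster(panorama: dict, firewalls: List[Firewall]) -> List[str]:
    """Return a list of problems; an empty list means the requirements are met."""
    problems = []
    if not meets_train_minimum(panorama.get("sd_wan", "0"), MIN_SDWAN_PLUGIN):
        problems.append("Panorama: SD-WAN plugin must be 2.0.1 or a later 2.0 release")
    if not meets_train_minimum(panorama.get("ztp", "0"), MIN_ZTP_PLUGIN):
        problems.append("Panorama: ZTP plugin must be 1.0.1 or a later 1.0 release")
    if not panorama.get("ztp_registered", False):
        problems.append("Panorama: must be ZTP-registered and talking to the ZTP service")

    accounts = {fw.csp_account for fw in firewalls}
    if len(accounts) > 1:
        problems.append(f"All firewalls must share one CSP account; found {sorted(accounts)}")

    for fw in firewalls:
        if not meets_train_minimum(fw.panos, MIN_PANOS):
            problems.append(f"{fw.name}: PAN-OS must be 10.0.3 or a later 10.0 release (has {fw.panos})")
        if not fw.device_cert_current:
            problems.append(f"{fw.name}: latest device certificate not installed")
    return problems


# Constructed sample inventory for illustration only.
SAMPLE_PANORAMA = {"sd_wan": "2.0.2", "ztp": "1.0.1", "ztp_registered": True}
SAMPLE_FIREWALLS = [
    Firewall("hub-dc1", "hub", "10.0.4", "csp-0001", True, "static", False),
    Firewall("branch-east", "branch", "10.0.3", "csp-0001", True, "dhcp", False),
    Firewall("branch-west", "branch", "10.0.3", "csp-0001", True, "static", True),
    Firewall("branch-lab", "branch", "10.1.0", "csp-0002", False, "pppoe", False),
]

if __name__ == "__main__":
    for p in check_cluster(SAMPLE_PANORAMA, SAMPLE_FIREWALLS):
        print("PROBLEM:", p)
    for name in ddns_members(SAMPLE_FIREWALLS):
        print(f"{name}: configure DDNS; allow egress to {', '.join(REQUIRED_FQDNS)}")
```

Run as a script it reports three problems for the sample inventory (two CSP accounts in play, branch-lab on the 10.1 train, branch-lab without a current device certificate) and lists the three firewalls that need DDNS, which is the set you would then walk through the DDNS override steps below.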
1. Install the latest device certificate for Panorama and for all managed firewalls that are hubs or branches.
2. Install ZTP Plugin 1.0.1 to set up Zero Touch Provisioning.
3. Install SD-WAN Plugin 2.0.1.
4. Commit on Panorama.
5. Log in to the Panorama Web Interface.
6. Create the VPN Address Pool as shown in Create a VPN Cluster.
7. Create the full mesh VPN cluster.
8. Select Commit > Commit to Panorama. If your firewalls have static IP addresses, you are done. If your branch or hub firewalls in a VPN mesh have DHCP or PPPoE interfaces, you must use DDNS, so continue this procedure as follows.
9. Select Network > Interfaces > Ethernet and, in the Template field, select the Template-stack for a particular branch.
10. Select the interface whose IP address indicates Dynamic-DHCP Client or PPPoE, click Override at the bottom of the screen, and click OK to close.
11. Verify on Panorama that the DDNS settings were configured.
12. If the VPN cluster includes any hubs that have a DHCP or PPPoE interface, repeat Steps 9 through 11, but in the Template field, select the Template-stack for a particular hub.
13. Commit to Panorama and Push to Devices.
14. Verify on the branch firewall that the branch is configured with DDNS.