Describes how to configure a Non SD-WAN Destination of type Palo Alto in SD-WAN Orchestrator.

Procedure

  1. From the navigation panel in the SD-WAN Orchestrator, go to Configure > Network Services.
    The Services screen appears.
  2. In the Non SD-WAN Destinations via Gateway area, click the New button.
    The New Non SD-WAN Destinations via Gateway dialog box appears.
  3. In the Name text box, enter the name for the Non SD-WAN Destination.
  4. From the Type drop-down menu, select Palo Alto.
  5. Enter the IP address for the Primary VPN Gateway, and click Next.
    A Non SD-WAN Destination of type Palo Alto is created and a dialog box for your Non SD-WAN Destination appears.
  6. To configure tunnel settings for the Non SD-WAN Destination’s Primary VPN Gateway, click the Advanced button.
  7. In the Primary VPN Gateway area, you can configure the following tunnel settings:
    Field Description
    PSK The Pre-Shared Key (PSK), which is the security key for authentication across the tunnel. The Orchestrator generates a PSK by default. If you want to use your own PSK or password then you can enter it in the textbox.
    Encryption Select either AES 128 or AES 256 as the AES algorithms key size to encrypt data. The default value is AES 128.
    DH Group Select the Diffie-Hellman (DH) Group algorithm to be used when exchanging a pre-shared key. The DH Group sets the strength of the algorithm in bits. The supported DH Groups are 2, 5, and 14. It is recommended to use DH Group 14.
    PFS Select the Perfect Forward Secrecy (PFS) level for additional security. The supported PFS levels are 2 and 5. The default value is 2.
  8. If you want to create a Secondary VPN Gateway for this site, then click the Add button next to Secondary VPN Gateway. In the pop-up window, enter the IP address of the Secondary VPN Gateway and click Save Changes.

    The Secondary VPN Gateway will be created immediately for this site and will provision a VMware VPN tunnel to this Gateway.

    Note:

    For Palo Alto Non SD-WAN Destination, by default, the local authentication ID value used is SD-WAN Gateway Interface Public IP.

  9. Select the Redundant VeloCloud Cloud VPN checkbox to add redundant tunnels for each VPN Gateway.
    Any changes made to Encryption, DH Group, or PFS of Primary VPN Gateway will also be applied to the redundant VPN tunnels, if configured. After modifying the tunnel settings of the Primary VPN Gateway, save the changes and then click View IKE/IPSec Template to view the updated tunnel configuration.
  10. Click the Update location link to set the location for the configured Non SD-WAN Destination. The latitude and longitude details are used to determine the best Edge or Gateway to connect to in the network.
  11. Under Site Subnets, you can add subnets for the Non SD-WAN Destination by clicking the + button.
  12. Check the Enable Tunnel(s) checkbox once you are ready to initiate the tunnel from the SD-WAN Gateway to the Palo Alto VPN gateways.
  13. Click Save Changes.