Follow the steps below to configure a Non SD-WAN Destination of type Palo Alto in the SASE Orchestrator.

Procedure

  1. Once you have created a Non SD-WAN Destination configuration of the type Palo Alto, you are redirected to an additional configuration options page.
  2. You can configure the following tunnel settings (each entry gives the option name followed by its description):

    General

    Name: You can edit the previously entered name for the Non SD-WAN Destination.

    Type: Displays the type as Palo Alto. You cannot edit this option.

    Enable Tunnel(s): Click the toggle button to initiate the tunnel(s) from the SD-WAN Gateway to the Palo Alto VPN Gateway.

    Tunnel Mode: Active/Hot-Standby mode supports a maximum of 2 tunnel endpoints (Gateways). Active/Active mode supports a maximum of 4 tunnel endpoints (Gateways); all active tunnels send and receive traffic, with flows shared across them by ECMP.

    ECMP Load Sharing Method: Flow Load Based (default) maps each new flow to the path that currently has the fewest flows mapped among the available paths to the destination. Hash Load Based computes a hash over the 5-tuple (SrcIP, DestIP, SrcPort, DestPort, Protocol), or over any user-configured subset of those fields, and maps the flow to the path selected by the hash value. Note that a narrow subset (for example, SrcIP alone) places every flow from the same source on the same path.

    VPN Gateway 1: Enter a valid IP address.

    VPN Gateway 2: Enter a valid IP address. This field is optional.

    VPN Gateway 3: Enter a valid IP address. This field is optional.

    VPN Gateway 4: Enter a valid IP address. This field is optional.

    Primary VPN Gateway

    Public IP: Displays the IP address of the Primary VPN Gateway.

    PSK: The Pre-Shared Key (PSK) is the secret used to authenticate the two ends of the tunnel. The SASE Orchestrator generates a PSK by default. If you want to use your own PSK, enter it in the text box; use a long random value and configure the identical PSK on the Palo Alto IKE gateway.

    Encryption: Select either AES-128 or AES-256 as the AES key size used to encrypt data. The default value is AES-128.

    DH Group: Select the Diffie-Hellman (DH) Group from the drop-down menu. The group determines the size of the modulus used to derive keying material, and therefore the strength of the key exchange. The supported DH Groups are 2, 5, and 14. The default value is 2. DH Group 14 (2048-bit MODP) is recommended; Groups 2 (1024-bit MODP) and 5 (1536-bit MODP) are below current strength recommendations. The Palo Alto IKE crypto profile must use the same group, or IKE negotiation fails.

    PFS: Select the Perfect Forward Secrecy (PFS) level for additional security. The supported PFS levels are deactivated, 2, and 5. The default value is 5. With PFS deactivated, the IPsec data keys are derived from the IKE keying material alone, so a compromise of that material exposes the data keys as well. The PFS group must match the one in the Palo Alto IPsec crypto profile.

    Redundant VMware Cloud VPN: Select the check box to add redundant tunnels for each VPN Gateway. Changes made to Encryption, DH Group, or PFS of the Primary VPN Gateway also apply to the redundant VPN tunnels, if configured.

    Secondary VPN Gateway: Click the Add button, and then enter the IP address of the Secondary VPN Gateway. Click Save Changes. The Secondary VPN Gateway is immediately created for this site and a VMware VPN tunnel to this Gateway is provisioned.

    Sample IKE / IPsec: Click to view the information needed to configure the Non SD-WAN Destination Gateway. The Gateway administrator should use this information to configure the Gateway VPN tunnel(s).

    Location: Click Edit to set the location for the configured Non SD-WAN Destination. The latitude and longitude details are used to determine the best Edge or Gateway to connect to in the network.

    Site Subnets: Use the toggle button to activate or deactivate the Site Subnets. Click Add to add subnets for the Non SD-WAN Destination. To remove a subnet the site does not need, select it and click Delete.

    Note:
    • To support the datacenter type of Non SD-WAN Destination, besides the IPsec connection, you must configure the Non SD-WAN Destination local subnets in the VMware system.
    • If there are no site subnets configured, deactivate Site Subnets to activate the tunnel.

    Note:

    For a Palo Alto Non SD-WAN Destination, the default local authentication ID is the SD-WAN Gateway interface public IP. The peer identification configured on the Palo Alto IKE gateway must match this value; otherwise IKE authentication fails.

  3. Click Save Changes.
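The following Python script is an added example, not code from VMware or the SASE Orchestrator. It models the Tunnel Mode endpoint limits and the two ECMP Load Sharing Methods described in step 2: it validates a list of VPN Gateway addresses against the Active/Hot-Standby (2) and Active/Active (4) limits, then runs a constructed set of flows through a Flow Load Based balancer (fewest mapped flows wins) and a Hash Load Based balancer over a configurable subset of the 5-tuple. The gateway addresses and flows are constructed sample data, the use of SHA-256 as the hash is an assumption made for illustration, and the class and function names are the example's own.

```python
import hashlib
import ipaddress
from collections import Counter

FIVE_TUPLE = ("src_ip", "dst_ip", "src_port", "dst_port", "protocol")
# Endpoint limits stated for each Tunnel Mode.
MAX_ENDPOINTS = {"Active/Hot-Standby": 2, "Active/Active": 4}


def gateway_errors(tunnel_mode, gateways):
    """Return a list of problems with the VPN Gateway entries (empty when valid):
    endpoint count over the mode's limit, malformed IPs, or duplicates."""
    errors = []
    limit = MAX_ENDPOINTS[tunnel_mode]
    if not 1 <= len(gateways) <= limit:
        errors.append(f"{tunnel_mode} allows 1 to {limit} VPN gateways, got {len(gateways)}")
    parsed = []
    for g in gateways:
        try:
            parsed.append(ipaddress.ip_address(g))
        except ValueError:
            errors.append(f"{g!r} is not a valid IP address")
    if len(set(parsed)) != len(parsed):
        errors.append("duplicate VPN gateway addresses")
    return errors


class FlowLoadBalancer:
    """Flow Load Based (default): a new flow is mapped to the path that currently
    has the fewest flows; packets of an already-mapped flow stay on their path."""

    def __init__(self, paths):
        self.paths = list(paths)
        self.flows_per_path = {p: 0 for p in self.paths}
        self.flow_table = {}

    def select(self, flow):
        key = tuple(flow[f] for f in FIVE_TUPLE)
        if key not in self.flow_table:
            # min() keeps the first path on ties, so the choice is deterministic.
            path = min(self.paths, key=lambda p: self.flows_per_path[p])
            self.flow_table[key] = path
            self.flows_per_path[path] += 1
        return self.flow_table[key]


class HashLoadBalancer:
    """Hash Load Based: hash a user-chosen subset of the 5-tuple and pick the path
    by modulo. Stateless, but a narrow subset collapses many flows onto one path."""

    def __init__(self, paths, fields=FIVE_TUPLE):
        if not fields or set(fields) - set(FIVE_TUPLE):
            raise ValueError(f"hash inputs must be a non-empty subset of {FIVE_TUPLE}")
        self.paths = list(paths)
        self.fields = tuple(fields)

    def select(self, flow):
        material = "|".join(str(flow[f]) for f in self.fields).encode()
        # SHA-256 is an assumption; any stable hash over the same inputs works.
        digest = hashlib.sha256(material).digest()
        return self.paths[int.from_bytes(digest[:8], "big") % len(self.paths)]


def distribute(balancer, flows):
    """Return how many of the given flows each path receives."""
    counts = Counter(balancer.select(f) for f in flows)
    return {p: counts.get(p, 0) for p in balancer.paths}


# Constructed sample: four Active/Active endpoints (RFC 5737 documentation
# addresses, not real gateways) and eight TCP flows from a single host.
PATHS = ["198.51.100.1", "198.51.100.2", "198.51.100.3", "198.51.100.4"]
SAMPLE_FLOWS = [
    {"src_ip": "10.0.0.5", "dst_ip": "203.0.113.20", "src_port": 40000 + i,
     "dst_port": 443, "protocol": 6}
    for i in range(8)
]

if __name__ == "__main__":
    print("gateway check    :", gateway_errors("Active/Active", PATHS) or "ok")
    print("hot-standby check:", gateway_errors("Active/Hot-Standby", PATHS))
    print("flow load based  :", distribute(FlowLoadBalancer(PATHS), SAMPLE_FLOWS))
    print("hash, full tuple :", distribute(HashLoadBalancer(PATHS), SAMPLE_FLOWS))
    print("hash, src_ip only:", distribute(HashLoadBalancer(PATHS, ("src_ip",)), SAMPLE_FLOWS))
```

Running the script shows the Flow Load Based method spreading the eight flows two per path, while the Hash Load Based method keyed on SrcIP alone sends all eight flows from 10.0.0.5 down a single tunnel; the same four addresses fail the Active/Hot-Standby check because that mode allows at most two endpoints.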