Beginning with PAN-OS 10.0.3, SD-WAN supports a full mesh topology, in addition to the . The mesh can consist of branches with or without hubs. Use full mesh when the branches need to communicate with each other directly. Examples of use cases for full mesh include retailers that have branches and hubs, and enterprises that operate with or without hubs. Some firewall interfaces use DHCP to get their IP address. Branch offices often use a consumer-grade internet service and receive a dynamic IP address, which of course can change. For this reason, the firewalls require Dynamic DNS (DDNS) so that a DDNS service can detect the public-facing IP address of the firewall interface that is running SD-WAN. When you push the DDNS setting to all firewalls, that notifies each firewall to register its external interface IP address with the Palo Alto Networks DDNS cloud service so that the IP address is converted to an FQDN. DDNS is also required because the CPE device from the ISP may be performing source NAT. (The dynamic IP address may or may not be source-NAT translated). The DDNS service allows the firewall to register the public-facing IP address with the DDNS server. When you have devices connect for branch-to-branch mesh, Auto VPN contacts the DDNS service for those firewalls to pull their public IP addresses that are registered in the DDNS cloud and uses those public IP addresses to create the IKE peering and the VPN tunnels. If the CPE device is performing source NAT, when you to be managed by Panorama, you will enable Upstream NAT and the NAT IP Address Type will be DDNS . For the CPE device or upstream routing device using source NAT, you are responsible for creating the one-to-one destination NAT rule (with no port translation) on that device to translate the external IP address back to the private IP address assigned to the firewall’s interface. This translation allows the IKE and IPSec protocols to come back into the firewall. (Palo Alto Networks doesn’t have access rights to the upstream CPE or upstream router that is performing source NAT.) SD-WAN full mesh with DDNS service requires the following:
On another branch in the cluster, view that the Peer Address of the interface is a system-generated FQDN for the DDNS registration.
See that the Peer Address is a secure name, not easily referenced and showing no company information; for example 0101.8ced8460fcc5177cd3665ce41b6345323a15a612b8e52ec1d9ec057a582cb4.t13855f6c9a92d6[...]e18a0d96dab45dd767a230daac94408d0.dicedns.net |