User Guide

Figure 45 Palo Alto Networks Active Satellites List
5. The branch controller uses the Palo Alto Networks gateway list and the credentials obtained from the portal to contact each PAN gateway. Each PAN gateway returns the information the branch controller needs to automatically establish a secure IPsec tunnel and exchange branch subnet routes with that gateway.
6. The branch controller maintains a priority list of IPsec tunnels to the PAN gateways, so that it can fail over to the next gateway in the list if a PAN gateway becomes unreachable.
7. Policy-based routing access control lists (ACLs) on the branch controller selectively route traffic into the tunnels to the PAN gateways.
8. Traffic redirected by the branch controller is inspected by the Palo Alto Networks firewall.
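The forwarding decision in steps 6 to 8, as an added example that is not part of the original guide and is not ArubaOS or PAN-OS code: a first-match policy-based-routing ACL decides which flows are redirected, and the tunnel priority list supplies the gateway, failing over to the next reachable one. The class, rule and gateway names, the sample subnets, and the fail-closed behaviour when every PAN gateway is down are assumptions; the guide does not say what the controller does in that case, so verify the product's actual behaviour before relying on either fail-open or fail-closed handling.

```python
"""Model of the branch-controller forwarding decision (steps 6-8): a first-match
policy-based-routing ACL selects which flows go to the PAN firewall, and an
ordered tunnel priority list picks the gateway, failing over when the preferred
one is unreachable. Hypothetical illustration, not ArubaOS or PAN-OS code."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class PANGateway:
    name: str
    priority: int            # lower value is preferred
    reachable: bool = True   # on a real controller this follows IKE/DPD tunnel state


@dataclass
class PBRRule:
    src: str     # source CIDR
    dst: str     # destination CIDR
    action: str  # "redirect" (steer into a PAN tunnel) or "route" (normal forwarding)

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst))


class BranchController:
    def __init__(self, gateways: List[PANGateway], acl: List[PBRRule],
                 fail_closed: bool = True) -> None:
        # Priority list of tunnels (step 6): sorted once, consulted on every redirect.
        self.tunnels = sorted(gateways, key=lambda g: g.priority)
        self.acl = acl                 # evaluated top-down, first match wins (step 7)
        # Assumption: what happens when no gateway is reachable is a local policy
        # choice. Fail-closed drops traffic that should have been inspected (step 8)
        # instead of letting it bypass the firewall.
        self.fail_closed = fail_closed

    def active_gateway(self) -> Optional[PANGateway]:
        """Highest-priority gateway whose tunnel is currently up."""
        for gw in self.tunnels:
            if gw.reachable:
                return gw
        return None

    def set_reachable(self, name: str, reachable: bool) -> None:
        for gw in self.tunnels:
            if gw.name == name:
                gw.reachable = reachable

    def next_hop(self, src_ip: str, dst_ip: str) -> str:
        """Return 'ipsec:<gateway>', 'local' or 'drop' for one flow."""
        for rule in self.acl:
            if rule.matches(src_ip, dst_ip):
                if rule.action == "route":
                    return "local"
                gw = self.active_gateway()
                if gw is not None:
                    return f"ipsec:{gw.name}"
                return "drop" if self.fail_closed else "local"
        return "local"   # implicit final rule: traffic not in the ACL is routed normally


def build_demo_controller(fail_closed: bool = True) -> BranchController:
    """Constructed sample data: two PAN gateways and a two-rule PBR ACL."""
    gateways = [PANGateway("pan-gw-dc2", priority=20),
                PANGateway("pan-gw-dc1", priority=10)]
    acl = [
        # Branch-to-corporate traffic stays on the normal routing path ...
        PBRRule(src="10.10.0.0/16", dst="10.0.0.0/8", action="route"),
        # ... everything else leaving the branch is steered to the PAN firewall.
        PBRRule(src="10.10.0.0/16", dst="0.0.0.0/0", action="redirect"),
    ]
    return BranchController(gateways, acl, fail_closed=fail_closed)


if __name__ == "__main__":
    bc = build_demo_controller()
    print(bc.next_hop("10.10.1.5", "198.51.100.7"))   # ipsec:pan-gw-dc1
    print(bc.next_hop("10.10.1.5", "10.20.3.4"))      # local (intra-corporate)
    bc.set_reachable("pan-gw-dc1", False)
    print(bc.next_hop("10.10.1.5", "198.51.100.7"))   # ipsec:pan-gw-dc2 (failover)
    bc.set_reachable("pan-gw-dc2", False)
    print(bc.next_hop("10.10.1.5", "198.51.100.7"))   # drop (fail closed)
```

The ACL order matters: the "route" rule for 10.0.0.0/8 sits above the catch-all "redirect" rule, so intra-corporate traffic never enters a tunnel. Swapping the two rules would send all branch traffic to the firewall, which is the kind of mistake the first-match semantics makes easy to miss.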
Configuration Prerequisites
The Palo Alto Networks LSVPN framework integrates with a branch controller by establishing IPsec tunnels between the firewall and the controller. Integrating a Palo Alto Networks firewall with a W-7000 Series controller requires that all user traffic be routed, so that it can be steered by a policy-based routing access control list.
The following requirements must be fulfilled before the branch controller can integrate with the Palo Alto Networks Large-Scale VPN (LSVPN) framework:
• The LSVPN framework must be installed and active on your network. For more information on configuring Palo Alto Networks products, refer to the Palo Alto Networks Technical Documentation portal.
• The CA certificate used by the Palo Alto Networks portal must be installed on the master controller, so that it can be pushed down to the branch controllers.
• On the PAN gateway devices, you must enable the accept published routes option, and the devices must install server certificates issued by the management portal root CA.
In deployments with multiple PAN firewalls, you must configure the PAN management portal with a list of gateways and a priority for each PAN gateway. Even if the PAN management portal uses serial number registration with preregistered serial numbers or MAC addresses, best practice is to also configure LDAP, RADIUS, Kerberos or Local Database authentication. This allows a controller to authenticate to the portal even if the portal does not recognize the controller's MAC address.
For details on configuring this feature using the Smart Config WebUI, see WAN Configuration on page 317.
Dell Networking W-Series ArubaOS 6.4.x | User Guide Branch Controller Config for Controllers | 294