656| pan-options Dell Networking W-Series ArubaOS 6.5.x| Reference Guide
Figure 1 Branch-office Controller and PAN Firewall Integration
Configuration Prerequisites
The Palo Alto Networks Large-Scale VPN (LSVPN) framework can integrate with a branch-office controller by
establishing an IPsec tunnel between the firewall and the controller. Integrating a Palo Alto Networks firewall
with a W-7000 Series controller requires that all user traffic is routed, so it can be managed by a policy-based
routing access control list. If PAN gateways are deployed across multiple datacenters, PAN devices must have a
public IP or be behind a single NAT device so that reverse traffic comes back to the correct PAN gateway.
The following certificate requirements must be fulfilled before the cloud services controller can integrate with
the Palo Alto Networks Large-Scale VPN (LSVPN) framework:
• The CA certificate used by the firewall portal must be installed on the master controller, so that it can be
  pushed down to the branch controllers.
• On the gateway devices, the accept published routes option must be enabled, and the devices must
  install the server certificates derived from the management portal root CA.
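The two certificate requirements above can be checked on an admin workstation before anything is uploaded. The following is an added example, not part of the reference guide: it assumes the OpenSSL CLI and PEM files, and it builds a constructed lab PKI (all file names and CNs are placeholders) to show a gateway certificate passing against the portal root CA and failing against an unrelated CA.

```shell
#!/bin/sh
# Added example with a constructed lab PKI; names and files are placeholders.

# chains_to CA_PEM CERT_PEM: succeeds only if CERT_PEM verifies against CA_PEM alone.
chains_to() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# build_lab_pki DIR: portal root CA, one gateway cert it issued, one unrelated CA.
build_lab_pki() {
    d=$1
    mkdir -p "$d" || return 1
    cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Constructed Portal Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    # Stand-in for the management portal root CA.
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 -config "$d/ca.cnf" \
        -keyout "$d/portal-ca.key" -out "$d/portal-ca.pem" 2>/dev/null || return 1
    # A different CA, as if the wrong file had been staged for the master controller.
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 -config "$d/ca.cnf" \
        -subj "/CN=Constructed Unrelated CA" \
        -keyout "$d/other-ca.key" -out "$d/other-ca.pem" 2>/dev/null || return 1
    # Gateway server certificate derived from the portal root CA.
    openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
        -subj "/CN=gw1.example.test" \
        -keyout "$d/gw1.key" -out "$d/gw1.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/gw1.csr" -days 30 -CA "$d/portal-ca.pem" \
        -CAkey "$d/portal-ca.key" -CAcreateserial -out "$d/gw1.pem" 2>/dev/null
}

lab=$(mktemp -d) && build_lab_pki "$lab" || exit 1
for ca in portal-ca other-ca; do
    if chains_to "$lab/$ca.pem" "$lab/gw1.pem"; then r=PASS; else r=FAIL; fi
    echo "gw1.pem against $ca.pem: $r"
done
rm -rf "$lab"
```

Against real exports, call `chains_to` with the CA file staged for the master controller and each gateway's server certificate; a failure means the controller would be trusting a CA that did not issue that gateway's certificate.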
In deployments with multiple PAN firewalls, the PAN management portal needs to be configured with a list of
gateways and the priorities for each gateway. Even if the PAN management portal uses serial number
registration with preregistered serial numbers or MAC addresses, the best practice is to configure LDAP, RADIUS,
Kerberos or Local Database authentication as well. This allows a controller to authenticate to the portal even if
the portal does not recognize the controller's MAC address.
Examples
(host) (config)# pan-options
(host) (Configure Palo Alto Network options)# portal 192.0.2.3 cert MyServerCert