Create a local VPN Broker Gateway element for VPN Broker high availability

In each NGFW Manager, create exactly one VPN Broker Gateway element to represent the local VPN Broker gateway. The remote VPN Broker gateways are represented by External VPN Broker Gateway elements instead, not by further VPN Broker Gateway elements.

Steps

  1. Browse to SD-WAN > VPN Broker > VPN Broker Gateway.
  2. Click New, then select VPN Broker Gateway.
  3. Add a row in one of the following ways:
    • Click > Add VPN Endpoint to add the first row.
    • Click > New > VPN Broker Endpoint Before to add a row above the selected row.
    • Click > New > VPN Broker Endpoint After to add a row below the selected row.
  4. Configure the settings, then click Save.

Example

Fields marked with an asterisk are mandatory.

Table 1. VPN Broker Gateway properties

Option: Endpoints table

Definition: Each row of the table defines one VPN endpoint of the local VPN Broker gateway. To edit the contents of a cell, click the cell. Click > New > VPN Broker Endpoint Before or > New > VPN Broker Endpoint After to add a row.

The table has the following columns:

  Info: You can enter a name and a comment for the endpoint.

  Endpoint Address: Select NGFW Engine IP Address, select Static Address, then select an element from the Static IP Address folder that represents the interface to use for the endpoint. Type part of the name of an element or browse through the drop-down list to select an element.

  Endpoint Class: Select a default system Connectivity Type element that has the appropriate mode selected. Type part of the name of an element or browse through the drop-down list to select an element. The following system Connectivity Type elements are available:

    • Active — The link is always used. If there are multiple links in Active mode between the Gateways, the VPN traffic is load-balanced between the links based on the load of the links: each new VPN connection is directed to the link that currently has the lowest load.
    • Aggregate — The link is always used, and the traffic of each VPN connection is distributed in round-robin fashion between all the links that are in Aggregate mode. For example, if there are two links in Aggregate mode, a new VPN connection is carried by both links, so a single connection can use the capacity of both.
    • Standby — The link is used only when all Active or Aggregate mode links are unusable. A Standby link therefore only makes sense alongside at least one Active or Aggregate link.

  Enabled: When selected, the endpoint is enabled. Clear the option to temporarily disable the endpoint without deleting it.

  Used for Client Gateways: When Yes is selected, VPN Broker members (client gateways) can communicate using the endpoint. If there is an intermediate NAT device between this VPN Broker and the VPN Broker members, add a contact address so that the members connect to the translated address rather than the interface address.

  Used for Broker Servers: When Yes is selected, other VPN Broker gateways can communicate using the endpoint. If there is an intermediate NAT device between this VPN Broker and the other VPN Broker gateways, add a contact address. If no enabled endpoint has this option set to Yes, the other VPN Broker gateways cannot reach this gateway, which defeats the high availability setup.

Option: VPN Broker Gateway ID

Definition: Enter a unique ID number for the VPN Broker Gateway as an integer. The allowed range is 1–255. The ID must be unique across all VPN Broker gateways, local and remote.

Note: In the NGFW Manager, you enter the VPN Broker Gateway ID as a decimal number. However, the ID is converted internally to a hexadecimal number. For example, an ID of 10 is converted to 0A in the MAC address of the VPN Broker Gateway. The allowed range in hexadecimal numbers is 01–FF.

When a log entry is generated, the SMC uses this value to identify the VPN Broker that generated the log entry. If two gateways shared an ID, their log entries could not be told apart.

Tip: We recommend that you make a note of the VPN Broker Gateway ID for each VPN Broker Gateway.
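
The rules in Table 1 (endpoint usability, the NAT contact-address requirement, the 1–255 ID range with its hexadecimal form, ID uniqueness across gateways, and the Active/Aggregate/Standby link selection) as an added illustrative Python model. This is example code written for this page, not Forcepoint SMC or NGFW Manager code: the Endpoint and VPNBrokerGateway classes, the behind_nat flag, the sample addresses, and the choice to prefer Aggregate links when Active and Aggregate links are mixed are all assumptions made for the demonstration.

```python
# Illustrative model of the VPN Broker Gateway rules in Table 1.
# Added example, not Forcepoint SMC code: the classes, the behind_nat flag and
# the tie-break between mixed Active/Aggregate links are assumptions.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class Endpoint:
    name: str
    address: str                      # Static IP Address element used by the endpoint
    endpoint_class: str               # Connectivity Type: Active, Aggregate or Standby
    enabled: bool = True
    used_for_client_gateways: bool = False
    used_for_broker_servers: bool = False
    behind_nat: bool = False          # assumed flag: an intermediate NAT device exists
    contact_address: Optional[str] = None

@dataclass
class VPNBrokerGateway:
    name: str
    gateway_id: int                   # decimal, as typed in the NGFW Manager
    endpoints: List[Endpoint] = field(default_factory=list)

def gateway_id_hex(gateway_id: int) -> str:
    """Hexadecimal form of the ID as used in the gateway's MAC address (10 -> '0A')."""
    if not 1 <= gateway_id <= 255:
        raise ValueError(f"VPN Broker Gateway ID {gateway_id} is outside the allowed range 1-255")
    return f"{gateway_id:02X}"

def check_gateway(gw: VPNBrokerGateway) -> List[str]:
    """Return the configuration problems found in one gateway element (empty list = OK)."""
    problems: List[str] = []
    try:
        gateway_id_hex(gw.gateway_id)
    except ValueError as exc:
        problems.append(str(exc))
    enabled = [ep for ep in gw.endpoints if ep.enabled]
    if not any(ep.used_for_broker_servers for ep in enabled):
        problems.append("no enabled endpoint is usable by other VPN Broker gateways")
    if not any(ep.used_for_client_gateways for ep in enabled):
        problems.append("no enabled endpoint is usable by VPN Broker members")
    if enabled and all(ep.endpoint_class == "Standby" for ep in enabled):
        problems.append("all enabled endpoints are Standby: nothing to fail over from")
    for ep in gw.endpoints:
        if ep.endpoint_class not in ("Active", "Aggregate", "Standby"):
            problems.append(f"{ep.name}: unknown Endpoint Class {ep.endpoint_class!r}")
        if ep.behind_nat and not ep.contact_address:
            problems.append(f"{ep.name}: behind NAT but no contact address is configured")
    return problems

def check_unique_ids(gateways: List[VPNBrokerGateway]) -> List[str]:
    """IDs must differ across every gateway; a duplicate makes log attribution ambiguous."""
    seen: Dict[int, str] = {}
    problems: List[str] = []
    for gw in gateways:
        if gw.gateway_id in seen:
            problems.append(f"ID {gw.gateway_id} is used by both {seen[gw.gateway_id]} and {gw.name}")
        else:
            seen[gw.gateway_id] = gw.name
    return problems

def select_links(endpoints: List[Endpoint], usable: Dict[str, bool],
                 load: Dict[str, int]) -> List[str]:
    """Link(s) a new VPN connection is directed to, following the Connectivity Type rules:
    all usable Aggregate links carry the connection, an Active link is picked by lowest
    load, and a Standby link is used only when every Active/Aggregate link is unusable.
    Assumption: when Active and Aggregate links are mixed, the Aggregate links win."""
    def up(cls: str) -> List[Endpoint]:
        return [ep for ep in endpoints
                if ep.enabled and ep.endpoint_class == cls and usable.get(ep.name, True)]
    aggregate, active, standby = up("Aggregate"), up("Active"), up("Standby")
    if aggregate:
        return [ep.name for ep in aggregate]
    if active:
        return [min(active, key=lambda ep: load.get(ep.name, 0)).name]
    return [standby[0].name] if standby else []

def demo() -> Dict[str, object]:
    """Constructed sample: a local gateway with one NAT misconfiguration, and a remote
    gateway that reuses the local gateway's ID."""
    local = VPNBrokerGateway("Broker-HQ", 10, [
        Endpoint("isp-a", "203.0.113.10", "Active",
                 used_for_client_gateways=True, used_for_broker_servers=True),
        Endpoint("isp-b", "198.51.100.10", "Standby", used_for_client_gateways=True,
                 used_for_broker_servers=True, behind_nat=True),  # contact address missing
    ])
    remote = VPNBrokerGateway("Broker-DC", 10)
    return {
        "hex_id": gateway_id_hex(local.gateway_id),                        # '0A'
        "local_problems": check_gateway(local),                            # the isp-b NAT finding
        "id_problems": check_unique_ids([local, remote]),                  # duplicate ID 10
        "normal": select_links(local.endpoints, {}, {"isp-a": 40}),        # ['isp-a']
        "failover": select_links(local.endpoints, {"isp-a": False}, {}),   # ['isp-b']
    }
```

Run demo() to see the findings for the constructed sample: the Standby endpoint behind NAT is reported because it has no contact address, the duplicate ID 10 is reported across the two gateways, and select_links() shows the Active link carrying new connections until it becomes unusable, at which point the Standby link takes over. The check functions are the part worth keeping: run them over your intended endpoint rows and gateway IDs before saving the elements in each NGFW Manager.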

Next steps

Create External VPN Broker Gateway elements to represent all remote VPN Broker gateways.