Create VPN Broker Members for VPN Broker high availability

Create VPN Broker Member elements to represent each NGFW Engine that is used in the VPN Broker configuration.

Changes that you make to the list of VPN Broker members in the primary NGFW Manager are automatically synchronized to other gateways.

Steps

  1. Browse to SD-WAN > VPN Broker > VPN Broker Member.
  2. Click .
  3. Configure the settings, then click Save.

Example

Fields marked with an asterisk in the user interface are mandatory.

Table 1. VPN Broker Member properties
Option Definition
VPN Broker Domain

Select the VPN Broker Domain element that you created. Type part of the name of an element or browse through the drop-down list to select an element.
Mac Address (last three octets)

Enter a unique identifier for the VPN Broker Member as the last three octets of a MAC address.

The allowed range is 00:01:00–ff:ff:ff. Each member in the domain must have a unique identifier. When adding a VPN Broker Interface to an NGFW Engine in the SMC, use the same value that is used in the corresponding VPN Broker Member element in the NGFW Manager.

Note: The range 00:00:01–00:00:FF is reserved for the VPN Broker Gateway element. You cannot use identifiers in this range for members in the domain.
Tip: We recommend that you make a note of the MAC addresses for each VPN Broker Member.
Note: Beginning with version 6.11, the MAC Address (last three octets) field is auto-populated.
Shared Secret

Click Enter Shared Secret to enter a password. Click Change Shared Secret to change a password that has already been set.

When adding a VPN Broker Interface to an NGFW Engine in the SMC, use the same value that is used in the corresponding VPN Broker Member element in the NGFW Manager.

Tip: We recommend that you make a note of the shared secret.
IPv4 Address or IPv6 Address

Enter a member IP address that is part of the virtual network defined in the VPN Broker Domain element. You must enter an IPv4 address, an IPv6 address, or both.

Use the same kind of IP address that the VPN Broker Domain uses. For example, if the VPN Broker Domain has only IPv4 addresses, enter an IPv4 address. You can enter both an IPv4 address and an IPv6 address if the VPN Broker Domain has both IPv4 addresses and IPv6 addresses.

Tip: We recommend that you make a note of the IP addresses for each VPN Broker Member.
Note: Beginning with version 6.11, the IP addresses are validated and the administrator is notified of any invalid address.
Networks table

To edit the contents of a cell, click the cell.

Click to add the first row.

Click > New Row Before or > New Row After to add a row.

Network

Select the networks that are reachable through the VPN Broker member. Type part of the name of an element or browse through the drop-down list to select an element.
Mode

Select from the following options.

  • Reserved — The network addresses are dedicated to this gateway; neither these addresses nor any subnet of them can be assigned to any other member of the VPN Broker domain. This is the recommended option.
  • Allowed — The network addresses are allowed for the VPN gateway, but the VPN Broker does not announce them as routes to other VPN gateways. Use this option for dynamic routing or for the default VPN gateway.
  • Routed — When you select this option, enter a value in the Metric field. The same network address can be assigned to another VPN gateway with a different route metric, and a subnet of the specified network can be assigned to a specific VPN gateway.
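The following Python pre-check is an added example, not code from the NGFW Manager or the SMC: it applies the rules from Table 1 (identifier range and uniqueness, the range reserved for the VPN Broker Gateway, member addresses inside the domain virtual network, and non-overlapping Reserved networks) to a proposed set of members before they are entered. The member names, identifiers, addresses and networks are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed pre-flight check; not part of the NGFW Manager or SMC.
GATEWAY_RESERVED = (0x000001, 0x0000FF)   # reserved for the VPN Broker Gateway element
MEMBER_RANGE = (0x000100, 0xFFFFFF)       # allowed identifiers for members

@dataclass
class Member:
    name: str
    mac_suffix: str        # last three octets, e.g. "00:01:00"
    addresses: list        # IPv4 and/or IPv6 addresses inside the domain virtual network
    reserved: list = field(default_factory=list)   # networks added in Reserved mode

def parse_suffix(suffix):
    """Turn 'xx:yy:zz' into an integer so ranges can be compared."""
    parts = suffix.split(":")
    if len(parts) != 3 or any(len(p) != 2 for p in parts):
        raise ValueError(f"malformed identifier {suffix!r}")
    return int("".join(parts), 16)

def check_members(domain_networks, members):
    """Return the rule violations found; an empty list means the members pass."""
    nets = [ipaddress.ip_network(n) for n in domain_networks]
    problems, seen, reserved = [], {}, []
    for m in members:
        ident = parse_suffix(m.mac_suffix)
        if GATEWAY_RESERVED[0] <= ident <= GATEWAY_RESERVED[1]:
            problems.append(f"{m.name}: {m.mac_suffix} is reserved for the VPN Broker Gateway")
        elif not MEMBER_RANGE[0] <= ident <= MEMBER_RANGE[1]:
            problems.append(f"{m.name}: {m.mac_suffix} is outside 00:01:00-ff:ff:ff")
        if ident in seen:   # identifiers must be unique within the domain
            problems.append(f"{m.name}: identifier already used by {seen[ident]}")
        seen.setdefault(ident, m.name)
        for a in m.addresses:
            # 'in' is False across address families, so an IPv6 address in an
            # IPv4-only domain is reported here just like an off-network address
            if not any(ipaddress.ip_address(a) in n for n in nets):
                problems.append(f"{m.name}: {a} is not in the domain virtual network")
        for r in m.reserved:
            net = ipaddress.ip_network(r)
            for other, onet in reserved:   # Reserved networks and their subnets are exclusive
                if net.overlaps(onet):
                    problems.append(f"{m.name}: reserved {r} overlaps {onet} of {other}")
            reserved.append((m.name, net))
    return problems
```

Run the check over the member list you intend to enter in the NGFW Manager and resolve every reported problem before adding the matching VPN Broker Interfaces in the SMC.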

Next steps

In the primary NGFW Manager, export the VPN Broker Domain element to a file.