https://live.paloaltonetworks.com/t5/next-generation-firewall/dynamic-ip-at-spoke-site-in-pan-os-sd-wan-hub-spoke-topology/m-p/1237321#M6262 <P>Hi</P><P>I am new to PAN-OS SD-WAN and need to clarify Internet service requirement at new spoke site.</P><P>&nbsp;</P><P>My client has PAN-OS SD-WAN hub-and-spoke topology, the hub PA firewall has a static public IP for its internet service.</P><P>All spoke PA firewalls also use static public IPs, but we now will have a new spoke with a dynamic public IP.</P><P>&nbsp;</P><P>I am hoping to confirm my understanding is correct -&nbsp;</P><OL><LI>In a hub/spoke topology, spoke firewalls always initiate the IPsec tunnel to the hub. (Hub never initiate tunnels to spoke)</LI><LI>Therefore, new spoke with a dynamic IP should be able to connect to the hub and join the SD-WAN cluster without requiring DDNS on its interface.</LI><LI>Based on the admin guide below, it states "Using <STRONG>DHCP on a hub</STRONG> requires the Palo Alto Networks DDNS service". so I assume <STRONG>DHCP on a branch</STRONG> doesn't require DDNS service.</LI></OL><P>&nbsp;</P><P>From Admin guide -&nbsp;</P><P>Although DHCP Client is supported for a hub or branch interface, on a hub interface it’s preferable for you to assign a <SPAN class="">Static</SPAN> address instead of DHCP Client. <STRONG>Using DHCP on a hub requires the Palo Alto Networks DDNS service.</STRONG> Using a Static address at the hub site creates a more stable environment because DDNS isn’t involved when resolving the DHCP IP address changes, and because the DDNS service can take a few minutes to register the new IP address when it changes. If you have multiple branch sites connecting to a hub site, having stability is critical to keeping the network up and running.</P><P>&nbsp;</P> Fri, 05 Sep 2025 07:36:32 GMT ahwang2929 2025-09-05T07:36:32Z https://live.paloaltonetworks.com/t5/next-generation-firewall/dynamic-ip-at-spoke-site-in-pan-os-sd-wan-hub-spoke-topology/m-p/1237321#M6262 <P>Hi</P><P>I am new to PAN-OS SD-WAN and need to clarify Internet service requirement at new spoke site.</P><P>&nbsp;</P><P>My client has PAN-OS SD-WAN hub-and-spoke topology, the hub PA firewall has a static public IP for its internet service.</P><P>All spoke PA firewalls also use static public IPs, but we now will have a new spoke with a dynamic public IP.</P><P>&nbsp;</P><P>I am hoping to confirm my understanding is correct -&nbsp;</P><OL><LI>In a hub/spoke topology, spoke firewalls always initiate the IPsec tunnel to the hub. (Hub never initiate tunnels to spoke)</LI><LI>Therefore, new spoke with a dynamic IP should be able to connect to the hub and join the SD-WAN cluster without requiring DDNS on its interface.</LI><LI>Based on the admin guide below, it states "Using <STRONG>DHCP on a hub</STRONG> requires the Palo Alto Networks DDNS service". so I assume <STRONG>DHCP on a branch</STRONG> doesn't require DDNS service.</LI></OL><P>&nbsp;</P><P>From Admin guide -&nbsp;</P><P>Although DHCP Client is supported for a hub or branch interface, on a hub interface it’s preferable for you to assign a <SPAN class="">Static</SPAN> address instead of DHCP Client. <STRONG>Using DHCP on a hub requires the Palo Alto Networks DDNS service.</STRONG> Using a Static address at the hub site creates a more stable environment because DDNS isn’t involved when resolving the DHCP IP address changes, and because the DDNS service can take a few minutes to register the new IP address when it changes. If you have multiple branch sites connecting to a hub site, having stability is critical to keeping the network up and running.</P><P>&nbsp;</P> Fri, 05 Sep 2025 07:36:32 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/dynamic-ip-at-spoke-site-in-pan-os-sd-wan-hub-spoke-topology/m-p/1237321#M6262 ahwang2929 2025-09-05T07:36:32Z https://live.paloaltonetworks.com/t5/next-generation-firewall/dynamic-ip-at-spoke-site-in-pan-os-sd-wan-hub-spoke-topology/m-p/1237417#M6267 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/595267999">@ahwang2929</a>,</P> <P>That is correct, using a dynamic IP on a spoke isn't any concern in a hub-spoke topology. It would create an issue if you were using a mesh deployment, but outside of that it won't matter.&nbsp;</P> Fri, 05 Sep 2025 19:54:30 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/dynamic-ip-at-spoke-site-in-pan-os-sd-wan-hub-spoke-topology/m-p/1237417#M6267 BPry 2025-09-05T19:54:30Z https://live.paloaltonetworks.com/t5/next-generation-firewall/dynamic-ip-at-spoke-site-in-pan-os-sd-wan-hub-spoke-topology/m-p/1237427#M6270 <P>Thanks, could you please also confirm if DHCP on a branch doesn't require DDNS service in hub/spoke topology?</P> Fri, 05 Sep 2025 23:42:46 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/dynamic-ip-at-spoke-site-in-pan-os-sd-wan-hub-spoke-topology/m-p/1237427#M6270 ahwang2929 2025-09-05T23:42:46Z