Configure the Portal to Authenticate Satellites
End-of-Life (EoL)


To register with the LSVPN, each satellite must establish an SSL/TLS connection with the portal. After the connection is established, the portal authenticates the satellite to ensure that it is authorized to join the LSVPN. After successfully authenticating the satellite, the portal issues a server certificate for the satellite and pushes the LSVPN configuration, which specifies the gateways to which the satellite can connect and the root CA certificate required to establish an SSL connection with the gateways.
There are two ways that the satellite can authenticate to the portal during its initial connection:
  • (Best Practice) Username and password—If you would rather provision your satellites without manually entering the serial numbers of the satellites into the portal configuration, you can instead require the satellite administrator to authenticate when establishing the initial connection to the portal. Although the portal will always look for the serial number in the initial request from the satellite, if it cannot identify the serial number, the satellite administrator must provide a username and password to authenticate to the portal. Because the portal will always fall back to this form of authentication, you must create an authentication profile in order to commit the portal configuration. This requires that you set up an authentication profile for the portal LSVPN configuration even if you plan to authenticate satellites using the serial number.
  • Serial number—You can configure the portal with the serial number of the satellite firewalls that are authorized to join the LSVPN for deployments where the firewall hosting the portal is running PAN-OS 10.0 or lower; serial number authentication is not supported on firewalls running PAN-OS 10.1 or later. During the initial satellite connection to the portal, the satellite presents its serial number to the portal and if the portal has the serial number in its configuration, the satellite will be successfully authenticated. You add the serial numbers of authorized satellites when you configure the portal. See Configure the Portal.
The following workflow describes how to set up the portal to authenticate satellites using local database authentication. External authentication methods are not supported for satellite authentication.
  1. Set up local database authentication so that the satellite administrator can authenticate the satellite to the portal.
    1. Select Device > Local User Database > Users and Add the user account to the local database.
    2. Add the user account to the local database.
    1. Select Device > Authentication Profile > Add.
    2. Enter a Name for the profile and then set the Type to Local Database.
    3. Click OK and Commit your changes.
  2. Authenticate the satellite.
    To authenticate the satellite to the portal, the satellite administrator must provide the username and password configured in the local database.
    1. Select Network > IPSec Tunnels and click the Gateway Info link in the Status column of the tunnel configuration you created for the LSVPN.
    2. Click the enter credentials link in the Portal Status field and enter the username and password required to authenticate the satellite to the portal.
      After the satellite successfully authenticates to the portal for the first time, the portal generates a satellite cookie, which it uses to authenticate the satellite on subsequent sessions.
