The GlobalProtect LSVPN components use SSL/TLS
to mutually authenticate. Before deploying the LSVPN, you must assign
an SSL/TLS service profile to each portal and gateway. The profile
specifies the server certificate and allowed TLS versions for communication
with satellites. You don’t need to create SSL/TLS service profiles
for the satellites because the portal will issue a server certificate
for each satellite during the first connection as part of the satellite
registration process.

In addition, you must import the root certificate authority (CA)
certificate used to issue the server certificates onto each firewall
that you plan to deploy as a gateway or satellite. Finally, on each
gateway and satellite participating in the LSVPN, you must configure
a certificate profile that enables them to establish an SSL/TLS
connection using mutual authentication.

The following workflow shows the best-practice steps for deploying SSL
certificates to the GlobalProtect LSVPN components: