GlobalProtect Portal Satellite Tab
End-of-Life (EoL)
- Network > GlobalProtect > Portals > <portal-config> > Satellite
A satellite is a Palo Alto Networks® firewall, typically at a
branch office, that acts as a GlobalProtect app so that it can
establish VPN connectivity to a GlobalProtect gateway. Like a
GlobalProtect app, a satellite receives its initial configuration
from the portal. This configuration includes the certificates and VPN
configuration routing information that enable the satellite to connect
to all configured gateways to establish VPN connectivity.
Before configuring the GlobalProtect satellite settings on the
branch office firewall, you must configure an interface with WAN
connectivity and set up a security zone and policy to allow the
branch office LAN to communicate with the Internet. You can then
select the Satellite tab to configure the
GlobalProtect satellite settings on the portal as described in the
following table.
GlobalProtect Portal Satellite Configuration Settings | Description |
---|---|
General | |
Devices | Add a satellite using the firewall Serial Number. The portal can accept a serial number or login credentials to identify who is requesting a connection; if the portal does not receive a serial number, it requests login credentials. If you identify the satellite by its firewall serial number, you do not need to provide user login credentials when the satellite first connects to acquire the authentication certificate and its initial configuration. After the satellite authenticates by either a serial number or login credentials, the Satellite Hostname is automatically added to the portal. |
Enrollment User/User Group | The portal can use Enrollment User/User Group settings with or without serial numbers to match a satellite to this configuration. Satellites that do not match on a serial number are required to authenticate either as an individual user or group member. Add the user or group you want to control with this configuration. Before you can restrict the configuration to specific groups, you must enable Group Mapping in the firewall (Device > User Identification > Group Mapping Settings). |
Gateways | Click Add to enter the IP address or hostname of the gateway(s) with which satellites using this configuration can establish IPSec tunnels. Enter the FQDN or IP address of the interface where the gateway is configured in the Gateways field. IP addresses can be specified as IPv6, IPv4, or both. Select IPv6 Preferred to prefer IPv6 connections in a dual stack environment. (Optional) If you are adding two or more gateways to the configuration, the Routing Priority helps the satellite pick the preferred gateway (range is 1 to 25). Lower numbers have higher priority (for gateways that are available). The satellite multiplies the routing priority by 10 to determine the routing metric. Routes published by the gateway are installed on the satellite as static routes. The metric for the static route is 10 times the routing priority. If you have more than one gateway, be sure to set the routing priority so that routes advertised by backup gateways have higher metrics than the same routes advertised by primary gateways. For example, if you set the routing priority for the primary gateway and backup gateway to 1 and 10 respectively, the satellite will use 10 as the metric for the primary gateway and 100 as the metric for the backup gateway. The satellite also shares its network and routing information with the gateways if you Publish all static and connected routes to Gateway (Network > IPSec Tunnels > <tunnel> > Advanced, available only when you select GlobalProtect Satellite on <tunnel> > General). |
Trusted Root CA | Click Add and then select the CA certificate for issuing gateway server certificates. Satellite Trusted Root CA certificates are pushed to endpoints at the same time as the portal agent configuration. Specify a Trusted Root CA to verify gateway server certificates and establish secure VPN tunnel connections to GlobalProtect gateways. All your gateways should use the same issuer. You can Import or Generate a root CA certificate for issuing your gateway server certificates if one does not already exist on the portal. |
Client Certificate | |
Local | If a certificate does not already reside on the firewall, you can Import or Generate an issuing certificate. |
SCEP | |
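The Routing Priority rule in the Gateways row can be checked against a planned gateway list before it is entered on the portal. The following Python code is an added example, not Palo Alto Networks code; the gateway names, prefixes, and function names are constructed for illustration. It computes the static-route metric (10 times the routing priority), flags a prefix that two gateways publish at the same metric, and reports which available gateway wins each prefix.

```python
# Added illustration: a model of the rule described in the Gateways row,
# not PAN-OS code. Gateway names and prefixes are constructed samples.
from dataclasses import dataclass

PRIORITY_MIN, PRIORITY_MAX = 1, 25   # range stated in the Gateways row


@dataclass(frozen=True)
class Gateway:
    name: str
    routing_priority: int
    routes: tuple            # prefixes this gateway publishes
    available: bool = True


def metric(gw):
    """Static-route metric the satellite uses: 10 x routing priority."""
    if not PRIORITY_MIN <= gw.routing_priority <= PRIORITY_MAX:
        raise ValueError(f"{gw.name}: routing priority out of range 1-25")
    return gw.routing_priority * 10


def audit(gateways):
    """Flag prefixes that two gateways publish at the same metric."""
    seen, findings = {}, []
    for gw in gateways:
        for prefix in gw.routes:
            key = (prefix, metric(gw))
            if key in seen:
                findings.append(
                    f"{prefix}: {seen[key]} and {gw.name} tie at metric {key[1]}")
            seen.setdefault(key, gw.name)
    return findings


def preferred_routes(gateways):
    """Per prefix, the (gateway, metric) with the lowest metric among
    the gateways that are currently available."""
    best = {}
    for gw in gateways:
        if not gw.available:
            continue
        m = metric(gw)
        for prefix in gw.routes:
            if prefix not in best or m < best[prefix][1]:
                best[prefix] = (gw.name, m)
    return best


# Constructed sample matching the table's example priorities (1 and 10).
SAMPLE = [
    Gateway("gw-primary", 1, ("10.0.0.0/8", "172.16.0.0/12")),
    Gateway("gw-backup", 10, ("10.0.0.0/8",)),
]
```

An empty result from `audit` means every backup gateway publishes shared prefixes at a different metric than the primary, which is the condition the Gateways row asks for.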