>
    Strata Copilot
    Create Interfaces and Zones for the LSVPN
    Focus
    Download PDF
    Focus
    1. Home
    2. Next-Generation Firewall
    3. Large Scale VPN (LSVPN)
    4. Create Interfaces and Zones for the LSVPN
    Download PDF
    Next-Generation Firewall

    Create Interfaces and Zones for the LSVPN

    Table of Contents

    Create Interfaces and Zones for the LSVPN

    Configure the necessary network interfaces and security zones for GlobalProtect Large Scale VPN (LSVPN) components, including portals, gateways, and satellites.
    Where Can I Use This?What Do I Need?
    • NGFW
    • No separate license required for LSVPN when using NGFWs
    Configure the following interfaces and zones for your LSVPN infrastructure:
    • GlobalProtect portal—Requires a Layer 3 interface for GlobalProtect satellites to connect to. If the portal and gateway are on the same firewall, they can use the same interface. The portal must be in a zone that is accessible from your branch offices.
    • GlobalProtect gateways—Requires three interfaces: a Layer 3 interface in the zone that is reachable by the remote satellites, an internal interface in the trust zone that connects to the protected resources, and a logical tunnel interface for terminating the VPN tunnels from the satellites. Unlike other site-to-site VPN solutions, the GlobalProtect gateway only requires a single tunnel interface, which it will use for tunnel connections with all of your remote satellites (point-to-multipoint). If you plan to use dynamic routing, you must assign an IP address to the tunnel interface. GlobalProtect supports both IPv6 and IPv4 addressing for the tunnel interface.
    • GlobalProtect satellites—Requires a single tunnel interface for establishing a VPN with the remote gateways (up to a maximum of 25 gateways). If you plan to use dynamic routing, you must assign an IP address to the tunnel interface. GlobalProtect supports both IPv6 and IPv4 addressing for the tunnel interface.
    For more information about portals, gateways, and satellites see LSVPN Overview.
    1. Configure a Layer 3 interface.
      The portal and each gateway and satellite all require a Layer 3 interface to enable traffic to be routed between sites.
      If the gateway and portal are on the same firewall, you can use a single interface for both components.
      1. Select NetworkInterfacesEthernet and then select the interface you want to configure for GlobalProtect LSVPN.
      2. Select Layer3 from the Interface Type drop-down.
      3. On the Config tab, select the Security Zone to which the interface belongs:
        • The interface must be accessible from a zone outside of your trust network. Consider creating a dedicated VPN zone for visibility and control over your VPN traffic.
        • If you haven’t yet created the zone, select New Zone from the Security Zone drop-down, define a Name for the new zone, and then click OK.
      4. Select the Virtual Router to use.
      5. Assign an IP address to the interface:
        • For an IPv4 address, select IPv4 and Add the IP address and network mask to assign to the interface, for example 203.0.11.100/24.
        • For an IPv6 address, select IPv6, Enable IPv6 on the interface, and Add the IP address and network mask to assign to the interface, for example 2001:1890:12f2:11::10.1.8.160/80.
      6. To save the interface configuration, click OK.
    2. On the firewall(s) hosting the GlobalProtect gateway(s), configure the logical tunnel interface that will terminate VPN tunnels established by the GlobalProtect satellites.
      IP addresses is only required on the tunnel interface when you plan to use dynamic routing. However, assigning an IP address to the tunnel interface can be useful for troubleshooting connectivity issues.
      Make sure to enable User-ID in the zone where the VPN tunnels terminate.
      1. Select NetworkInterfacesTunnel and click Add.
      2. In the Interface Name field, specify a numeric suffix, such as .2.
      3. On the Config tab, expand the Security Zone drop-down to define the zone as follows:
        • To use your trust zone as the termination point for the tunnel, select the zone from the drop-down.
        • (Recommended) To create a separate zone for VPN tunnel termination, click New Zone. In the Zone dialog, define a Name for the new zone (for example lsvpn-tun), select the Enable User Identification check box, and then click OK.
      4. Select the Virtual Router.
      5. (Optional) To assign an IP address to the tunnel interface:
        • For an IPv4 address, select IPv4 and Add the IP address and network mask to assign to the interface, for example 203.0.11.100/24.
        • For an IPv6 address, select IPv6, Enable IPv6 on the interface, and Add the IP address and network mask to assign to the interface, for example 2001:1890:12f2:11::10.1.8.160/80.
      6. To save the interface configuration, click OK.
    3. If you created a separate zone for tunnel termination of VPN connections, create a security policy to enable traffic flow between the VPN zone and your trust zone.
      For example, a policy rule enables traffic between the lsvpn-tun zone and the L3-Trust zone.
    4. Commit your changes.
      Click Commit.

    © 2026 Palo Alto Networks, Inc. All rights reserved.