Enable SSL Between GlobalProtect LSVPN Components
    
Establish secure SSL/TLS connections between the GlobalProtect portal, gateway(s), and satellite(s) using an internal CA or a self-signed root CA certificate generated on the firewall.
    
  
    
  
| Where Can I Use This? | What Do I Need? |
| --- | --- |
|  | No separate license required for LSVPN when using NGFWs |

All interaction between the GlobalProtect components occurs over an SSL/TLS connection. Therefore, you must generate and/or install the required certificates before configuring each component so that you can reference the appropriate certificate(s) and/or certificate profiles in the configurations for each component. This section describes the supported methods of certificate deployment, gives descriptions and best practice guidelines for the various GlobalProtect certificates, and provides instructions for generating and deploying the required certificates.
    
About Certificate Deployment

There are two basic approaches to deploying certificates for GlobalProtect LSVPN:

- Enterprise Certificate Authority—If you already have your own enterprise certificate authority, you can use this internal CA to issue an intermediate CA certificate for the GlobalProtect portal to enable it to issue certificates to the GlobalProtect gateways and satellites. You can also configure the GlobalProtect portal to act as a Simple Certificate Enrollment Protocol (SCEP) client to issue client certificates to GlobalProtect satellites.
- Self-Signed Certificates—You can generate a self-signed root CA certificate on the firewall and use it to issue server certificates for the portal, gateway(s), and satellite(s). When using self-signed root CA certificates, as a best practice, create a self-signed root CA certificate on the portal and use it to issue server certificates for the gateways and satellites. This way, the private key used for certificate signing stays on the portal.
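
The trust relationship behind the self-signed approach can be modelled with the OpenSSL command line. This is an added example, not Palo Alto Networks code and not the PAN-OS procedure. It assumes OpenSSL 1.1.0 or later, and the names `portal-root`, `other-root` and `gw1.example.test` are constructed for the demo.

```shell
# Added illustration, not PAN-OS tooling: one root CA issuing TLS server
# certificates, modelled with OpenSSL. All names and files are constructed.

# write_cnf FILE CN: minimal config so nothing depends on the system openssl.cnf.
write_cnf() {
  cat > "$1" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $2
[v3_ca]
basicConstraints = critical,CA:TRUE
[v3_srv]
basicConstraints = critical,CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:$2
EOF
}

# mkroot DIR NAME: self-signed root CA; NAME.key is the signing key to protect.
mkroot() {
  write_cnf "$1/$2.cnf" "$2" &&
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$1/$2.cnf" \
    -extensions v3_ca -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# issue DIR CA HOST: key and CSR for HOST, signed by CA into DIR/CA-HOST.crt.
issue() {
  write_cnf "$1/$3.cnf" "$3" &&
  openssl req -new -newkey rsa:2048 -nodes -config "$1/$3.cnf" \
    -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
    -CAcreateserial -days 30 -extfile "$1/$3.cnf" -extensions v3_srv \
    -out "$1/$2-$3.crt" 2>/dev/null
}

# chains_to ROOT CERT: succeeds only if CERT verifies against ROOT.
chains_to() { openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1; }

# demo: accept the cert issued by portal-root, reject a same-name cert from other-root.
demo() {
  d=$(mktemp -d) || return 1
  mkroot "$d" portal-root && mkroot "$d" other-root &&
  issue "$d" portal-root gw1.example.test &&
  issue "$d" other-root gw1.example.test || return 1
  chains_to "$d/portal-root.crt" "$d/portal-root-gw1.example.test.crt" &&
  ! chains_to "$d/portal-root.crt" "$d/other-root-gw1.example.test.crt"
  rc=$?; rm -rf "$d"; return $rc
}
demo && echo "ok: only certificates issued by portal-root are trusted"
```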