To participate in the LSVPN, the satellites require a minimal amount of configuration. Because the required configuration is minimal, you can pre-configure the satellites before shipping them to your branch offices for installation.

Configure a Layer 3 interface. This is the physical interface the satellite will use to connect to the portal and the gateway. This interface must be in a zone that allows access outside of the local trust network. As a best practice, create a dedicated zone for VPN connections for visibility and control over traffic destined for the corporate gateways.

Configure the logical tunnel interface for the satellite to use to establish VPN tunnels with the GlobalProtect gateways. IP addresses are not required on the tunnel interface unless you plan to use dynamic routing. However, assigning an IP address to the tunnel interface can be useful for troubleshooting connectivity issues.
1. Select Network > Interfaces > Tunnel and click Add.
2. In the Interface Name field, specify a numeric suffix, such as .2.
3. On the Config tab, expand the Security Zone drop-down and select an existing zone, or create a separate zone for VPN tunnel traffic.
4. (Optional) To assign an IP address to the tunnel interface:
   - For an IPv4 address, select IPv4 and Add the IP address and network mask to assign to the interface, for example 203.0.11.100/24.
   - For an IPv6 address, select IPv6, Enable IPv6 on the interface, and Add the IP address and network mask to assign to the interface, for example 2001:1890:12f2:11::10.1.8.160/80.
5. To save the interface configuration, click OK.
If you generated the portal server certificate using a Root CA that is not trusted by the satellites (for example, if you used self-signed certificates), import the root CA certificate used to issue the portal server certificate. The root CA certificate is required to enable the satellite to establish the initial connection with the portal to obtain the LSVPN configuration.

1. Download the CA certificate that was used to generate the portal server certificates. If you are using self-signed certificates, export the root CA certificate from the portal as follows:
   a. Select Device > Certificate Management > Certificates > Device Certificates.
   b. Select the CA certificate, and click Export.
   c. Select Base64 Encoded Certificate (PEM) from the File Format drop-down and click OK to download the certificate. (You do not need to export the private key.)
2. Import the root CA certificate you just exported onto each satellite as follows:
   a. Select Device > Certificate Management > Certificates > Device Certificates and click Import.
   b. Enter a Certificate Name that identifies the certificate as your client CA certificate.
   c. Browse to the Certificate File you downloaded from the CA.
   d. Select Base64 Encoded Certificate (PEM) as the File Format and then click OK.
   e. Select the certificate you just imported on the Device Certificates tab to open it.
   f. Select Trusted Root CA and then click OK.
Configure the IPSec tunnel.

1. Select Network > IPSec Tunnels and click Add.
2. On the General tab, enter a descriptive Name for the IPSec configuration.
3. Select the Tunnel Interface you created for the satellite.
4. Select GlobalProtect Satellite as the Type.
5. Enter the IP address or FQDN of the portal as the Portal Address.
6. Select the Layer 3 Interface you configured for the satellite.
7. Select the IP Address to use on the selected interface. You can select an IPv4 address, an IPv6 address, or both. Specify if you want IPv6 preferred for portal registration.

(Optional) Configure the satellite to publish local routes to the gateway. Pushing routes to the gateway enables traffic to the subnets local to the satellite via the gateway. However, you must also configure the gateway to accept the routes as detailed in Configure GlobalProtect Gateways for LSVPN.

1. To enable the satellite to push routes to the gateway, on the Advanced tab select Publish all static and connected routes to Gateway. If you select this check box, the firewall will forward all static and connected routes from the satellite to the gateway. However, to prevent the creation of routing loops, the firewall will apply some route filters, such as the following:
   - Default routes
   - Routes within a virtual router other than the virtual router associated with the tunnel interface
   - Routes using the tunnel interface
   - Routes using the physical interface associated with the tunnel interface
2. (Optional) If you only want to push routes for specific subnets rather than all routes, click Add in the Subnet section and specify which subnet routes to publish.
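The route filters listed above, modelled as an added example (not Palo Alto Networks code): a Python function that applies those filters, plus the optional Subnet list, to a constructed satellite routing table so you can see which branch prefixes would be published to the gateway. The interface, virtual router and prefix values are constructed, and the rule that a route is kept when its destination lies inside a listed subnet is this example's assumption.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str       # destination, e.g. "10.10.0.0/24"
    vrouter: str      # virtual router the route lives in
    interface: str    # egress interface
    kind: str         # "static", "connected", or a dynamic protocol name


def publishable_routes(routes, tunnel_if, tunnel_vr, physical_if, subnets=None):
    """Routes the satellite would push to the gateway after the page's filters:
    non-static/connected, default, other-virtual-router, via-tunnel and via-physical
    routes are dropped; with `subnets` (optional Subnet section) only routes inside
    a listed subnet survive (that matching rule is this example's assumption)."""
    allowed = [ipaddress.ip_network(s) for s in subnets] if subnets else None
    kept = []
    for r in routes:
        net = ipaddress.ip_network(r.prefix)
        if r.kind not in ("static", "connected"):
            continue                            # dynamic routes are not published
        if net.prefixlen == 0:
            continue                            # default route would attract all traffic
        if r.vrouter != tunnel_vr:
            continue                            # belongs to another virtual router
        if r.interface in (tunnel_if, physical_if):
            continue                            # would loop back through tunnel/uplink
        if allowed is not None and not any(
                a.version == net.version and net.subnet_of(a) for a in allowed):
            continue                            # not in the configured Subnet list
        kept.append(r)
    return kept


# Constructed sample routing table for a satellite (illustrative values only).
SAMPLE_ROUTES = [
    Route("0.0.0.0/0", "default", "ethernet1/1", "static"),            # default route
    Route("203.0.11.0/24", "default", "ethernet1/1", "connected"),     # uplink subnet
    Route("10.10.0.0/24", "default", "ethernet1/2", "connected"),      # branch LAN
    Route("10.20.0.0/24", "default", "ethernet1/2", "static"),         # behind branch router
    Route("10.30.0.0/24", "default", "tunnel.2", "static"),            # already via the tunnel
    Route("192.168.5.0/24", "vr-guest", "ethernet1/3", "connected"),   # different virtual router
    Route("10.40.0.0/24", "default", "ethernet1/2", "ospf"),           # dynamic route
]


def published_prefixes(subnets=None):
    """Prefixes the sample satellite (tunnel.2 over ethernet1/1) would publish."""
    return [r.prefix for r in publishable_routes(
        SAMPLE_ROUTES, "tunnel.2", "default", "ethernet1/1", subnets)]
```

Only the two branch-side prefixes survive the filters; a Subnet list narrows that set further without ever re-admitting a filtered route.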
Save the satellite configuration.

1. Click OK to save the IPSec tunnel settings.
2. Click Commit.
If required, provide the credentials to allow the satellite to authenticate to the portal. This step is only required if the portal was unable to find a serial number match in its configuration or if the serial number didn't work. In this case, the satellite will not be able to establish the tunnel with the gateway(s).

1. Select Network > IPSec Tunnels and click the Gateway Info link in the Status column of the tunnel configuration you created for the LSVPN.
2. Click the enter credentials link in the Portal Status field and enter the username and password required to authenticate the satellite to the portal.

After the satellite successfully authenticates to the portal, it will receive its signed certificate and configuration, which it will use to connect to the gateway(s). You should see the tunnel
establish and the