Configure the Portal to Authenticate Satellites
Table of Contents
Expand All
|
Collapse All
Next-Generation Firewall Docs
-
-
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
- PAN-OS 9.1 (EoL)
-
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
-
-
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1 (EoL)
Configure the Portal to Authenticate Satellites
In order to register with the LSVPN, each
satellite must establish an SSL/TLS connection with the portal.
After establishing the connection, the portal authenticates the
satellite to ensure that is authorized to join the LSVPN. After successfully
authenticating the satellite, the portal will issue a server certificate
for the satellite and push the LSVPN configuration specifying the
gateways to which the satellite can connect and the root CA certificate
required to establish an SSL connection with the gateways.
For the satellite to authenticate to the portal during its initial connection, you must create
authentication profile for the portal LSVPN configuration. The satellite
administrator must manually authenticate the satellite to the portal to establish
the first connection. Upon successful authentication, the portal returns a satellite
cookie to authenticate the satellite on subsequent connections. The satellite cookie
that the portal issues has a lifetime of 6 months, by default. When the cookie
expires, the satellite administrator must manually authenticate again, at which time
the portal will issue a new cookie.
(PAN-OS 10.1.7 and later 10.1 Releases) You
can configure the cookie expiry period from 1 to 5 years, while
the default remains as 6 months.
On the portal:
- Use the request global-protect-portal set-satellite-cookie-expiration value <1-5> CLI command to change the current satellite cookie expiration time.
- Use the show global-protect-portal satellite-cookie-expiration CLI command to view the current satellite cookie expiration time.
On
the satellite:
- Use the show global-protect-satellite satellite CLI command to view (in “Satellite Cookie Generation Time” field) the current satellite authentication cookie's generation time.
The following workflow
describes how to set up the portal to authenticate satellites against
an existing authentication service. For authenticating the satellite
to the portal, GlobalProtect LSVPN supports only local database
authentication.
- Set up local database authentication so that the satellite administrator can authenticate the satellite to the portal.
- Select DeviceLocal User DatabaseUsers and Add the user account to the local database.Add the user account to the local database.Configure an authentication profile.
- Select DeviceAuthentication ProfileAdd.Enter a Name for the profile and then set the Type to Local Database.Click OK and Commit your changes.Authenticate the satellite.To authenticate the satellite to the portal, the satellite administrator must provide the username and password configured in the local database.
- Select NetworkIPSec Tunnels and click the Gateway Info link in the Status column of the tunnel configuration you created for the LSVPN.Click the enter credentials link in the Portal Status field and username and password required to authenticate the satellite to the portal.After the portal successfully authenticates to the portal for the first time, the portal generates a satellite cookie, which it uses to authenticate the satellite on subsequent sessions.