>
    Configure the Portal to Authenticate Satellites
    Focus
    Download PDF
    Focus
    1. Home
    2. PAN-OS
    3. Large Scale VPN (LSVPN)
    4. Configure the Portal to Authenticate Satellites
    Download PDF

    Configure the Portal to Authenticate Satellites

    Table of Contents

    Configure the Portal to Authenticate Satellites

    To register with the LSVPN, each satellite must establish an SSL/TLS connection with the portal. After establishing the connection, the portal authenticates the satellite to ensure that it is authorized to join the LSVPN. After successfully authenticating the satellite, the portal will issue a server certificate for the satellite and push the LSVPN configuration specifying the gateways to which the satellite can connect and the root CA certificate required to establish an SSL connection with the gateways.
    • For the satellite to authenticate to the portal during its initial connection, you must create an authentication profile for the portal LSVPN configuration. The satellite administrator must manually authenticate the satellite to the portal to establish the first connection. Upon successful authentication, the portal returns a satellite cookie to authenticate the satellite on subsequent connections. The satellite cookie that the portal issues has a lifetime of 6 months, by default. When the cookie expires, the satellite administrator must manually authenticate again, at which time the portal will issue a new cookie.
    (PAN-OS 10.2.4 and later 10.2 releases)
     You can configure the cookie expiry period from 1 to 5 years, while the default remains as 6 months.
    On the portal:
    • Use the
      request global-protect-portal set-satellite-cookie-expiration value
      <1-5>
       CLI command to change the current satellite cookie expiration time.
    • Use the
      show global-protect-portal satellite-cookie-expiration
       CLI command to view the current satellite cookie expiration time.
    On the satellite:
    • Use the
      show global-protect-satellite satellite
       CLI command to view (in
      “Satellite Cookie Generation Time”
       field) the current satellite authentication cookie's generation time.

    Username/Password and Satellite Cookie Authentication

    For authenticating the satellite to the portal, GlobalProtect LSVPN supports only local database authentication.
    The following workflow describes how to set up the portal to authenticate satellites against an existing authentication service.
    1. Set up local database authentication so that the satellite administrator can authenticate the satellite to the portal.
      1. Select
        Device
        Local User Database
        Users
         and
        Add
         the user account to the local database.
      2. Add
         the user account to the local database.
      1. Select
        Device
        Authentication Profile
        Add
        .
      2. Enter a
        Name
         for the profile and then set the
        Type
         to
        Local Database
        .
      3. Click
        OK
         and
        Commit
         your changes.
    3. Authenticate the satellite.
      To authenticate the satellite to the portal, the satellite administrator must provide the username and password configured in the local database.
      1. Select
        Network
        IPSec Tunnels
         and click the
        Gateway Info
         link in the Status column of the tunnel configuration you created for the LSVPN.
      2. Click the
        enter credentials
         link in the
        Portal Status
         field and enter the username and password required to authenticate the satellite to the portal.
        After the portal successfully authenticates to the portal for the first time, the portal generates a satellite cookie, which it uses to authenticate the satellite on subsequent sessions.

    Recommended For You

    © 2023 Palo Alto Networks, Inc. All rights reserved.