>
    Strata Copilot
    Use Case: Advanced LSVPN Configuration with Dynamic Routing
    Focus
    Download PDF
    Focus
    1. Home
    2. Next-Generation Firewall
    3. Large Scale VPN (LSVPN)
    4. Configure the GlobalProtect Portal for LSVPN
    5. Use Case: Advanced LSVPN Configuration with Dynamic Routing
    Download PDF
    Next-Generation Firewall

    Use Case: Advanced LSVPN Configuration with Dynamic Routing

    Table of Contents

    Use Case: Advanced LSVPN Configuration with Dynamic Routing

    Configuration workflow for implementing dynamic routing using OSPF across gateways and satellites to simplify route maintenance and network topology updates.
    Where Can I Use This?What Do I Need?
    • NGFW
    • No separate license required for LSVPN when using NGFWs
    In larger LSVPN deployments with multiple gateways and many satellites, investing a little more time in the initial configuration to set up dynamic routing will simplify the maintenance of gateway configurations because access routes will update dynamically. The following example configuration shows how to extend the basic LSVPN configuration to configure OSPF as the dynamic routing protocol.
    Setting up an LSVPN to use OSPF for dynamic routing requires the following additional steps on the gateways and the satellites:
    • Manual assignment of IP addresses to tunnel interfaces on all gateways and satellites.
    • Configuration of OSPF point-to-multipoint (P2MP) on the virtual router on all gateways and satellites. In addition, as part of the OSPF configuration on each gateway, you must manually define the tunnel IP address of each satellite as an OSPF neighbor. Similarly, on each satellite, you must manually define the tunnel IP address of each gateway as an OSPF neighbor.
    Although dynamic routing requires additional setup during the initial configuration of the LSVPN, it reduces the maintenance tasks associated with keeping routes up to date as topology changes occur on your network.
    The following figure shows an LSVPN dynamic routing configuration. This example shows how to configure OSPF as the dynamic routing protocol for the VPN.
    For a basic setup of a LSVPN, follow the steps in Basic LSVPN Configuration with Static Routing. You can then complete the steps in the following workflow to extend the configuration to use dynamic routing rather than static routing.
    1. Add an IP address to the tunnel interface configuration on each gateway and each satellite.
      Complete the following steps on each gateway and each satellite:
      1. Select NetworkInterfacesTunnel and select the tunnel configuration you created for the LSVPN to open the Tunnel Interface dialog.
        If you haven’t yet created the tunnel interface, see step 2 in Create Interfaces and Zones for the LSVPN.
      2. On the IPv4 tab, click Add and then enter an IP address and subnet mask. For example, to add an IP address for the gateway tunnel interface you would enter 2.2.2.100/24.
      3. Click OK to save the configuration.
    2. Configure the dynamic routing protocol on the gateway.
      To configure OSPF on the gateway:
      1. Select NetworkVirtual Routers and select the virtual router associated with your VPN interfaces.
      2. On the Areas tab, click Add to create the backbone area, or, if it’s already configured, click on the area ID to edit it.
      3. If you’re creating a new area, enter an Area ID on the Type tab.
      4. On the Interface tab, click Add and select the tunnel Interface you created for the LSVPN.
      5. Select p2mp as the Link Type.
      6. Click Add in the Neighbors section and enter the IP address of the tunnel interface of each satellite, for example 2.2.2.111.
      7. Click OK twice to save the virtual router configuration and then Commit the changes on the gateway.
      8. Repeat this step each time you add a new satellite to the LSVPN.
    3. Configure the dynamic routing protocol on the satellite.
      To configure OSPF on the satellite:
      1. Select NetworkVirtual Routers and select the virtual router associated with your VPN interfaces.
      2. On the Areas tab, click Add to create the backbone area, or, if it’s already configured, click on the area ID to edit it.
      3. If you’re creating a new area, enter an Area ID on the Type tab.
      4. On the Interface tab, click Add and select the tunnel Interface you created for the LSVPN.
      5. Select p2mp as the Link Type.
      6. Click Add in the Neighbors section and enter the IP address of the tunnel interface of each GlobalProtect gateway, for example 2.2.2.100.
      7. Click OK twice to save the virtual router configuration and then Commit the changes on the gateway.
      8. Repeat this step each time you add a new gateway.
    4. Verify that the gateways and satellites are able to form router adjacencies.
      • On each satellite and each gateway, confirm that peer adjacencies have formed and that routing table entries have been created for the peers (that is, the satellites have routes to the gateways and the gateways have routes to the satellites). Select NetworkVirtual Router and click the More Runtime Stats link for the virtual router you’re using for the LSVPN. On the Routing tab, verify that the LSVPN peer has a route.
      • On the OSPFInterface tab, verify that the Type is p2mp.
      • On the OSPFNeighbor tab, verify that the firewalls hosting your gateways have established router adjacencies with the firewalls hosting your satellites and vice versa. Also verify that the Status is Full, indicating that full adjacencies have been established.

    © 2026 Palo Alto Networks, Inc. All rights reserved.