In order to register with the LSVPN, each satellite must establish an SSL/TLS connection with the portal. After establishing the connection, the portal authenticates the satellite to ensure that it is authorized to join the LSVPN. After successfully authenticating the satellite, the portal issues a server certificate for the satellite and pushes the LSVPN configuration, which specifies the gateways to which the satellite can connect and the root CA certificate required to establish an SSL connection with those gateways.
For the satellite to authenticate to the portal during its initial connection, you must create an authentication profile for the portal LSVPN configuration. The satellite administrator must manually authenticate the satellite to the portal to establish the first connection. Upon successful authentication, the portal returns a satellite cookie to authenticate the satellite on subsequent connections. The satellite cookie that the portal issues has a lifetime of 6 months, by default. When the cookie expires, the satellite administrator must manually authenticate again, at which time the portal will issue a new cookie.
(PAN-OS 11.0.1 and later releases) You can configure the cookie expiry period from 1 to 5 years, while the default remains 6 months.

On the portal:
- Use the request global-protect-portal set-satellite-cookie-expiration value <1-5> CLI command to change the current satellite cookie expiration time.
- Use the show global-protect-portal satellite-cookie-expiration CLI command to view the current satellite cookie expiration time.

On the satellite:
- Use the show global-protect-satellite satellite CLI command to view the generation time of the current satellite authentication cookie (in the "Satellite Cookie Generation Time" field).
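As an added example (not from the PAN-OS documentation), a Python helper that models the satellite cookie lifetime described above: the default 6-month lifetime, the 1-5 year range accepted by the set-satellite-cookie-expiration command, and a status check against the generation time reported by show global-protect-satellite satellite, so an operator can schedule the manual re-authentication before the cookie lapses. The calendar-month arithmetic and the 30-day warning threshold are assumptions, not documented portal behaviour.

```python
import calendar
from datetime import datetime, timezone

DEFAULT_LIFETIME_MONTHS = 6           # page: cookie lifetime defaults to 6 months
VALID_EXPIRATION_YEARS = range(1, 6)  # page: configurable from 1 to 5 years (PAN-OS 11.0.1+)


def add_months(moment, months):
    """Add calendar months, clamping the day to the target month's length
    (e.g. 31 Aug + 6 months -> 28 Feb). Assumption: the portal counts whole
    calendar months; the page does not state the exact arithmetic."""
    index = moment.month - 1 + months
    year, month = moment.year + index // 12, index % 12 + 1
    day = min(moment.day, calendar.monthrange(year, month)[1])
    return moment.replace(year=year, month=month, day=day)


def cookie_lifetime_months(expiration_years=None):
    """Lifetime in months: default 6, or the configured 1-5 years,
    mirroring the value <1-5> range of the portal CLI command."""
    if expiration_years is None:
        return DEFAULT_LIFETIME_MONTHS
    if expiration_years not in VALID_EXPIRATION_YEARS:
        raise ValueError("satellite cookie expiration must be 1 to 5 years")
    return 12 * expiration_years


def cookie_status(generation_time, now, expiration_years=None, warn_days=30):
    """Classify a satellite cookie from its 'Satellite Cookie Generation Time'.
    'expired' means the satellite administrator must authenticate manually
    again; 'expiring-soon' (assumed 30-day window) gives time to schedule that."""
    expires_at = add_months(generation_time, cookie_lifetime_months(expiration_years))
    days_remaining = (expires_at - now).days
    if now >= expires_at:
        state = "expired"
    elif days_remaining <= warn_days:
        state = "expiring-soon"
    else:
        state = "valid"
    return {"state": state, "expires_at": expires_at, "days_remaining": days_remaining}


if __name__ == "__main__":
    # Constructed sample: cookie issued 15 Jan 2024, checked on 1 Jun 2024.
    issued = datetime(2024, 1, 15, tzinfo=timezone.utc)
    print(cookie_status(issued, datetime(2024, 6, 1, tzinfo=timezone.utc)))
```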
The following workflow describes how to set up the portal to authenticate satellites against an existing authentication service. For authenticating the satellite to the portal, GlobalProtect LSVPN supports only local database authentication. To authenticate the satellite to the portal, the satellite administrator must provide the username and password configured in the local database.
1. Select Network > IPSec Tunnels and click the Gateway Info link in the Status column of the tunnel configuration you created for the LSVPN.
2. Click the enter credentials link in the Portal Status field and provide the username and password to authenticate the satellite to the portal.
3. After the satellite successfully authenticates to the portal for the first time, the portal generates a satellite cookie, which it uses to authenticate the satellite on subsequent sessions.