Configure the Portal to Authenticate Satellites
To register with the LSVPN, each satellite must establish an SSL/TLS connection with the portal. After establishing the connection, the portal authenticates the satellite to ensure that it is authorized to join the LSVPN. After successfully authenticating the satellite, the portal issues a server certificate for the satellite and pushes the LSVPN configuration, which specifies the gateways to which the satellite can connect and the root CA certificate required to establish an SSL connection with the gateways.
There are two ways that the satellite can authenticate to the portal during its initial connection:
- Serial number—You can configure the portal with the serial number of the satellite firewalls that are authorized to join the LSVPN. During the initial satellite connection to the portal, the satellite presents its serial number to the portal and if the portal has the serial number in its configuration, the satellite will be successfully authenticated. You add the serial numbers of authorized satellites when you configure the portal. See Configure the Portal.
- Username and password—If you would rather provision your satellites without manually entering the serial numbers of the satellites into the portal configuration, you can instead require the satellite administrator to authenticate when establishing the initial connection to the portal. Although the portal will always look for the serial number in the initial request from the satellite, if it cannot identify the serial number, the satellite administrator must provide a username and password to authenticate to the portal. Because the portal will always fall back to this form of authentication, you must create an authentication profile in order to commit the portal configuration. This requires that you set up an authentication profile for the portal LSVPN configuration even if you plan to authenticate satellites using the serial number.
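The decision order described in the two items above can be modeled in a few lines. This is an added illustration, not Palo Alto Networks code: the record layout, function names, serial numbers and credentials are all constructed, and exact-match comparison of serial numbers is an assumption. The `audit` function shows a review an administrator who intends serial-number-only enrollment might run: which satellites got in through the username/password fallback, and which authorized serial numbers never registered.

```python
import hashlib
import hmac
from typing import Iterable, NamedTuple, Optional, Set

class Request(NamedTuple):
    """Hypothetical record of one initial satellite connection."""
    serial: Optional[str]
    username: Optional[str] = None
    password: Optional[str] = None

def _kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed stand-in for the authentication profile: a local database with one user.
_SALT = b"constructed-salt"
_LOCAL_USERS = {"sat-admin": _kdf("constructed-passphrase", _SALT)}

def check_credentials(username: str, password: str) -> bool:
    # Always derive the candidate hash so unknown users take the same code path.
    candidate = _kdf(password, _SALT)
    return hmac.compare_digest(_LOCAL_USERS.get(username, b""), candidate)

def authenticate(req: Request, authorized: Set[str], verify=check_credentials) -> str:
    """Serial number first; username/password only if the serial is not recognized."""
    serial = (req.serial or "").strip()
    if serial and serial in authorized:
        return "serial"
    if req.username and verify(req.username, req.password or ""):
        return "credentials"
    return "denied"

def audit(requests: Iterable[Request], authorized: Set[str]) -> dict:
    """Group presented serials by outcome and list authorized serials never seen."""
    report = {"serial": [], "credentials": [], "denied": []}
    for req in requests:
        report[authenticate(req, authorized)].append(req.serial)
    report["unused"] = sorted(authorized - set(report["serial"]))
    return report

# Constructed sample data: these serial numbers and credentials are made up.
AUTHORIZED = {"0010C1000001", "0010C1000002"}
REQUESTS = [
    Request("0010C1000001"),                                         # listed serial
    Request("0010C1000099", "sat-admin", "constructed-passphrase"),  # fallback succeeds
    Request("0010C1000077", "sat-admin", "wrong"),                   # fallback fails
    Request(None),                                                   # nothing presented
]

if __name__ == "__main__":
    for outcome, serials in audit(REQUESTS, AUTHORIZED).items():
        print(f"{outcome}: {serials}")
```

Entries under `credentials` are satellites that joined without being listed by serial number, which is the path that stays open even when the portal is populated with serial numbers.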
The following workflow describes how to set up the portal to authenticate satellites against an existing authentication service. GlobalProtect LSVPN supports external authentication using a local database, LDAP (including Active Directory), Kerberos, TACACS+, or RADIUS.
- (External authentication only) Create a server profile on the portal. The server profile defines how the firewall connects to an external authentication service to validate the authentication credentials that the satellite administrator enters. If you use local authentication, skip this step and instead add a local user for the satellite administrator: see Add the user account to the local database. Configure a server profile for the authentication service type:
- Create an authentication profile. The authentication profile defines which server profile to use to authenticate satellites.
  - Select Device > Authentication Profile and click Add.
  - Enter a Name for the profile and then select the authentication Type. If the Type is an external service, select the Server Profile you created in the previous step. If you added a local user instead, set the Type to Local Database.
  - Click OK and Commit.