Prepare the Satellite to Join the LSVPN

To participate in the LSVPN, the satellites require a minimal amount of configuration. Because the required configuration is minimal, you can pre-configure the satellites before shipping them to your branch offices for installation.
  1. Configure a Layer 3 Interface (see Configure Layer 3 Interfaces).
    This is the physical interface the satellite will use to connect to the portal and the gateway. This interface must be in a zone that allows access outside of the local trust network. As a best practice, create a dedicated zone for VPN connections for visibility and control over traffic destined for the corporate gateways.
  2. Configure the logical tunnel interface for the tunnel to use to establish VPN tunnels with the GlobalProtect gateways.
    IP addresses are not required on the tunnel interface unless you plan to use dynamic routing. However, assigning an IP address to the tunnel interface can be useful for troubleshooting connectivity issues.
    1. Select Network > Interfaces > Tunnel and click Add.
    2. In the Interface Name field, specify a numeric suffix, such as .2.
    3. On the Config tab, expand the Security Zone drop-down and select an existing zone or create a separate zone for VPN tunnel traffic by clicking New Zone and defining a Name for the new zone (for example, lsvpnsat).
    4. In the Virtual Router drop-down, select default.
    5. (Optional) To assign an IP address to the tunnel interface:
      • For an IPv4 address, select IPv4 and Add the IP address and network mask to assign to the interface, for example 203.0.11.100/24.
      • For an IPv6 address, select IPv6, Enable IPv6 on the interface, and Add the IP address and network mask to assign to the interface, for example 2001:1890:12f2:11::10.1.8.160/80.
    6. To save the interface configuration, click OK.
  3. If you generated the portal server certificate using a Root CA that is not trusted by the satellites (for example, if you used self-signed certificates), import the root CA certificate used to issue the portal server certificate.
    The root CA certificate is required to enable the satellite to establish the initial connection with the portal to obtain the LSVPN configuration.
    1. Download the CA certificate that was used to generate the portal server certificates. If you are using self-signed certificates, export the root CA certificate from the portal as follows:
      1. Select Device > Certificate Management > Certificates > Device Certificates.
      2. Select the CA certificate, and click Export.
      3. Select Base64 Encoded Certificate (PEM) from the File Format drop-down and click OK to download the certificate. (You do not need to export the private key.)
    2. Import the root CA certificate you just exported onto each satellite as follows.
      1. Select Device > Certificate Management > Certificates > Device Certificates and click Import.
      2. Enter a Certificate Name that identifies the certificate as your client CA certificate.
      3. Browse to the Certificate File you downloaded from the CA.
      4. Select Base64 Encoded Certificate (PEM) as the File Format and then click OK.
      5. Select the certificate you just imported on the Device Certificates tab to open it.
      6. Select Trusted Root CA and then click OK.
  4. Configure the IPSec tunnel.
    1. Select Network > IPSec Tunnels and click Add.
    2. On the General tab, enter a descriptive Name for the IPSec configuration.
    3. Select the Tunnel Interface you created for the satellite.
    4. Select GlobalProtect Satellite as the Type.
    5. Enter the IP address or FQDN of the portal as the Portal Address.
    6. Select the Layer 3 Interface you configured for the satellite.
    7. Select the IP Address to use on the selected interface. You can select an IPv4 address, an IPv6 address, or both. Specify if you want IPv6 preferred for portal registration.
  5. (Optional) Configure the satellite to publish local routes to the gateway.
    Pushing routes to the gateway enables traffic to the subnets local to the satellite via the gateway. However, you must also configure the gateway to accept the routes as detailed in Configure GlobalProtect Gateways for LSVPN.
    1. To enable the satellite to push routes to the gateway, on the Advanced tab select Publish all static and connected routes to Gateway.
      If you select this check box, the firewall will forward all static and connected routes from the satellite to the gateway. However, to prevent the creation of routing loops, the firewall will apply some route filters, such as the following:
      • Default routes
      • Routes within a virtual router other than the virtual router associated with the tunnel interface
      • Routes using the tunnel interface
      • Routes using the physical interface associated with the tunnel interface
    2. (Optional) If you only want to push routes for specific subnets rather than all routes, click Add in the Subnet section and specify which subnet routes to publish.
  6. Save the satellite configuration.
    1. Click OK to save the IPSec tunnel settings.
    2. Click Commit.
  7. If required, provide the credentials to allow the satellite to authenticate to the portal.
    This step is only required if the portal was unable to find a serial number match in its configuration or if the serial number didn’t work. In this case, the satellite will not be able to establish the tunnel with the gateway(s).
    1. Select Network > IPSec Tunnels and click the Gateway Info link in the Status column of the tunnel configuration you created for the LSVPN.
    2. Click the enter credentials link in the Portal Status field and enter the username and password required to authenticate the satellite to the portal.
      After the satellite successfully authenticates to the portal, it will receive its signed certificate and configuration, which it will use to connect to the gateway(s). You should see the tunnel establish and the Status change to Active.
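
For step 3, a pre-import check you can run on the exported PEM file before staging it on each satellite. This is an added example, not part of the product documentation: the function name and the sample data are assumptions, and the sample bytes are constructed placeholders rather than a real certificate. It confirms the file holds exactly one certificate and no private key, and returns a SHA-256 fingerprint so the same file can be confirmed on every satellite before it is marked as a Trusted Root CA.

```python
import base64
import hashlib
import re

# Matches any PEM block and captures its label and base64 body.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S
)

def inspect_ca_export(pem_text):
    """Return (problems, sha256_fingerprint) for an exported root CA PEM file."""
    blocks = PEM_BLOCK.findall(pem_text)
    problems = []
    # The export should carry the certificate only, never key material.
    if any("PRIVATE KEY" in label for label, _ in blocks):
        problems.append("file contains a private key; re-export without it")
    certs = [body for label, body in blocks if label == "CERTIFICATE"]
    if len(certs) != 1:
        problems.append(f"expected exactly 1 certificate, found {len(certs)}")
        return problems, None
    try:
        der = base64.b64decode("".join(certs[0].split()), validate=True)
    except ValueError:
        problems.append("certificate body is not valid base64")
        return problems, None
    # A DER certificate is an ASN.1 SEQUENCE, so its first byte is 0x30.
    if not der.startswith(b"\x30"):
        problems.append("decoded data is not a DER SEQUENCE")
    digest = hashlib.sha256(der).hexdigest().upper()
    fingerprint = ":".join(digest[i:i + 2] for i in range(0, 64, 2))
    return problems, fingerprint

# Constructed sample input: placeholder bytes with a DER-like header.
SAMPLE_DER = b"\x30\x10" + b"constructed-data"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(SAMPLE_DER).decode()
    + "\n-----END CERTIFICATE-----\n"
)
# Constructed key block, used to show the private-key warning.
KEY_BLOCK = "-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n"

if __name__ == "__main__":
    for name, text in (("clean", SAMPLE_PEM), ("with key", SAMPLE_PEM + KEY_BLOCK)):
        issues, fp = inspect_ca_export(text)
        print(name, fp, issues or "ok")
```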
