GlobalProtect Portal Satellite Configuration Tab
A satellite is a Palo Alto Networks® firewall—typically at a branch office—that acts as a GlobalProtect agent so that it can establish VPN connectivity to a GlobalProtect gateway. Like a GlobalProtect agent, a satellite receives its initial configuration from the portal. This configuration includes the certificates and VPN configuration routing information and enables the satellite to connect to all configured gateways to establish VPN connectivity.
Before configuring the GlobalProtect satellite settings on the branch office firewall, you must configure an interface with WAN connectivity and set up a security zone and policy to allow the branch office LAN to communicate with the Internet. You can then select
to configure the GlobalProtect satellite settings on the portal as described in the following table.
GlobalProtect Portal Satellite Configuration Settings
Add a satellite using the firewall Serial Number. The portal can accept a serial number or login credentials to identify who is requesting a connection; if the portal does not receive a serial number, it requests login credentials. If you identify the satellite by its firewall serial number, you do not need to provide user login credentials when the satellite first connects to acquire the authentication certificate and its initial configuration.
After the satellite authenticates by either a serial number or login credentials, the Satellite Hostname is automatically added to the portal.
Enrollment User/User Group
The portal can use Enrollment User/User Group settings with or without serial numbers to match a satellite to this configuration. Satellites that do not match on a serial number are required to authenticate either as an individual user or group member.
Add the user or group you want to control with this configuration.
Before you can restrict the configuration to specific groups, you must enable Group Mapping in the firewall (
Group Mapping Settings
Add to enter the IP address or hostname of the gateway(s) with which satellites using this configuration can establish IPSec tunnels. Enter the FQDN or IP address of the interface where the gateway is configured in the Gateways field. IP addresses can be specified as
IPv4, or both. Select
IPv6 Preferred to specify a preference for IPv6 connections in a dual stack environment.
(Optional) If you are adding two or more gateways to the configuration, the Routing Priority helps the satellite pick the preferred gateway (range is 1 to 25). Lower numbers have higher priority (for gateways that are available). The satellite multiplies the routing priority by 10 to determine the routing metric.
Routes published by the gateway are installed on the satellite as static routes. The metric for the static route is 10 times the routing priority. If you have more than one gateway, be sure to set the routing priority so that routes advertised by backup gateways have higher metrics than the same routes advertised by primary gateways. For example, if you set the routing priority for the primary gateway and backup gateway to 1 and 10 respectively, the satellite will use 10 as the metric for the primary gateway and 100 as the metric for the backup gateway.
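The following Python sketch is an added example, not Palo Alto Networks code. It models the routing-priority rule described above so a planned gateway list can be reviewed before it is entered on the portal: it checks the 1 to 25 range, computes the metric (10 times the priority), shows which gateway wins for a prefix, and flags prefixes where two gateways would tie. Gateway names, prefixes and the data layout are constructed for illustration.

```python
from collections import defaultdict

PRIORITY_RANGE = range(1, 26)  # documented routing priority range: 1 to 25


def route_metric(priority):
    """Metric of the static route on the satellite: 10 x routing priority."""
    if priority not in PRIORITY_RANGE:
        raise ValueError(f"routing priority {priority} is outside 1-25")
    return priority * 10


def build_route_table(gateways, only_available=True):
    """Map each published prefix to [(metric, gateway)], lowest metric first."""
    table = defaultdict(list)
    for gw in gateways:
        if only_available and not gw.get("available", True):
            continue  # an unavailable gateway contributes no routes
        for prefix in gw["routes"]:
            table[prefix].append((route_metric(gw["priority"]), gw["name"]))
    return {prefix: sorted(entries) for prefix, entries in table.items()}


def preferred_gateway(gateways, prefix):
    """Gateway whose route to `prefix` has the lowest metric, or None."""
    entries = build_route_table(gateways).get(prefix)
    return entries[0][1] if entries else None


def find_ties(gateways):
    """Prefixes where configured gateways share the lowest metric, so the
    backup is not distinguishable from the primary. Availability is ignored
    because this is a review of the configuration itself."""
    table = build_route_table(gateways, only_available=False)
    return sorted(p for p, e in table.items()
                  if len(e) > 1 and e[0][0] == e[1][0])


# Constructed sample matching the page's example priorities (1 and 10).
GATEWAYS = [
    {"name": "gw-primary", "priority": 1,
     "routes": ["10.0.0.0/8", "172.16.0.0/12"]},
    {"name": "gw-backup", "priority": 10, "routes": ["10.0.0.0/8"]},
]

if __name__ == "__main__":
    for prefix, entries in build_route_table(GATEWAYS).items():
        print(prefix, entries)
    print("ties:", find_ties(GATEWAYS))
```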
The satellite also shares its network and routing information with the gateways if you
Publish all static and connected routes to Gateway (
—available only when you select
GlobalProtect Satellite on the
Trusted Root CA
Add and then select the CA certificate for issuing gateway server certificates.
All your gateways should use the same issuer.
Generate a root CA certificate for issuing your gateway server certificates if one does not already exist on the portal.
If a certificate does not already reside on the firewall, you can Generate an issuing certificate.