Configure GlobalProtect Gateways for LSVPN
Because the GlobalProtect configuration that the portal delivers to the satellites includes the list of gateways the satellite can connect to, it is a good idea to configure the gateways before configuring the portal.
Before you can configure the GlobalProtect gateway, you must complete the following tasks:
- Create Interfaces and Zones for the LSVPN on the interface where you will configure each gateway. You must configure both the physical interface and the virtual tunnel interface.
- Enable SSL Between GlobalProtect LSVPN Components by configuring the gateway server certificates, SSL/TLS service profiles, and certificate profile required to establish a mutual SSL/TLS connection from the GlobalProtect satellites to the gateway.
Configure each GlobalProtect gateway to participate in the LSVPN as follows:
- Add a gateway.
- Select Network > GlobalProtect > Gateways and click Add.
- In the General screen, enter a Name for the gateway. The gateway name should have no spaces and, as a best practice, should include the location or other descriptive information to help users and administrators identify the gateway.
- (Optional) Select the virtual system to which this gateway belongs from the Location field.
- Specify the network information that enables satellite devices to connect to the gateway. If you haven’t created the network interface for the gateway, see Create Interfaces and Zones for the LSVPN for instructions.
- Select the Interface that satellites will use for ingress access to the gateway.
- Specify the IP Address Type and IP address for gateway access:
- The IP address type can be IPv4 (only), IPv6 (only), or IPv4 and IPv6. Use IPv4 and IPv6 if your network supports dual stack configurations, where IPv4 and IPv6 run at the same time.
- The IP address must be compatible with the IP address type. For example, 172.16.1/0 for IPv4 addresses or 21DA:D3:0:2F3B for IPv6 addresses. For dual stack configurations, enter both an IPv4 and IPv6 address.
- Click OK to save changes.
- Specify how the gateway authenticates satellites attempting to establish tunnels. If you haven’t yet created an SSL/TLS Service Profile for the gateway, see Deploy Server Certificates to the GlobalProtect LSVPN Components. If you haven’t set up the authentication profiles or certificate profiles, see Configure the Portal to Authenticate Satellites for instructions. If you have not yet set up the certificate profile, see Enable SSL Between GlobalProtect LSVPN Components for instructions. On the GlobalProtect Gateway Configuration dialog, select Authentication and then configure any of the following:
- To secure communication between the gateway and the satellites, select the SSL/TLS Service Profile for the gateway.
- To specify the authentication profile to use to authenticate satellites, Add a Client Authentication. Then, enter a Name to identify the configuration, select OS: Satellite to apply the configuration to all satellites, and specify the Authentication Profile to use to authenticate the satellite. You can also select a Certificate Profile for the gateway to use to authenticate satellite devices attempting to establish tunnels.
- Configure the tunnel parameters and enable tunneling.
- On the GlobalProtect Gateway Configuration dialog, select Satellite > Tunnel Settings.
- Select the Tunnel Configuration check box to enable tunneling.
- Select the Tunnel Interface you defined to terminate VPN tunnels established by the GlobalProtect satellites when you performed the task to Create Interfaces and Zones for the LSVPN.
- (Optional) If you want to preserve the Type of Service (ToS) information in the encapsulated packets, select Copy TOS. If there are multiple sessions inside the tunnel (each with a different TOS value), copying the TOS header can cause the IPSec packets to arrive out of order.
- (Optional) Enable tunnel monitoring. Tunnel monitoring enables a satellite to monitor its gateway tunnel connection and fail over to a backup gateway if the connection fails. Failover to another gateway is the only type of tunnel monitoring profile supported with LSVPN.
- Select the Tunnel Monitoring check box.
- Specify the Destination IP Address the satellites should use to determine if the gateway is active. You can specify an IPv4 address, an IPv6 address, or both. Alternatively, if you configured an IP address for the tunnel interface, you can leave this field blank and the tunnel monitor will instead use the tunnel interface to determine if the connection is active.
- Select Failover from the Tunnel Monitor Profile drop-down (this is the only supported tunnel monitor profile for LSVPN).
- Select the IPSec Crypto profile to use when establishing tunnel connections. The profile specifies the type of IPSec encryption and the authentication method for securing the data that will traverse the tunnel. Because both tunnel endpoints in an LSVPN are trusted firewalls within your organization, you can typically use the default (predefined) profile, which uses ESP as the IPSec protocol, group2 for the DH group, AES-128-CBC for encryption, and SHA-1 for authentication. In the IPSec Crypto Profile drop-down, select default to use the predefined profile or select New IPSec Crypto Profile to define a new profile. For details on the authentication and encryption options, see Define IPSec Crypto Profiles.
- Configure the network settings to assign to the satellites during establishment of the IPSec tunnel. You can also configure the satellite to push the DNS settings to its local clients by configuring a DHCP server on the firewall hosting the satellite. In this configuration, the satellite will push the DNS settings it learns from the gateway to its DHCP clients.
- On the GlobalProtect Gateway Configuration dialog, select Satellite > Network Settings.
- (Optional) If clients local to the satellite need to resolve FQDNs on the corporate network, configure the gateway to push DNS settings to the satellites in one of the following ways:
- If the gateway has an interface that is configured as a DHCP client, you can set the Inheritance Source to that interface and assign the same settings received by the DHCP client to GlobalProtect satellites. You can also inherit the DNS suffix from the same source.
- Manually define the Primary DNS, Secondary DNS, and DNS Suffix settings to push to the satellites.
- To specify the IP Pool of addresses to assign the tunnel interface on the satellites when the VPN is established, click Add and then specify the IP address range(s) to use.
- To define what destination subnets to route through the tunnel, click Add in the Access Route area and then enter the routes as follows:
- If you want to route all traffic from the satellites through the tunnel, leave this field blank. In this case, all traffic except traffic destined for the local subnet will be tunneled to the gateway.
- To route only some traffic through the gateway (called split tunneling), specify the destination subnets that must be tunneled. In this case, the satellite will route traffic that is not destined for a specified access route using its own routing table. For example, you may choose to only tunnel traffic destined for your corporate network, and use the local satellite to safely enable Internet access.
- If you want to enable routing between satellites, enter the summary route for the network protected by each satellite.
- (Optional) Define what routes, if any, the gateway will accept from satellites. By default, the gateway will not add any routes the satellites advertise to its routing table. If you do not want the gateway to accept routes from satellites, you do not need to complete this step.
- To enable the gateway to accept routes advertised by satellites, select Satellite > Route Filter.
- Select the Accept published routes check box.
- To filter which of the routes advertised by the satellites to add to the gateway routing table, click Add and then define the subnets to include. For example, if all the satellites are configured with a 192.168.x.0/24 subnet on the LAN side, configure a permitted route of 192.168.0.0/16 so that the gateway accepts a route from a satellite only if that route falls within the 192.168.0.0/16 subnet.
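The two routing decisions described above (the satellite's split-tunnel choice driven by the gateway's access routes, and the gateway's Satellite > Route Filter check) can be modelled to sanity-check a planned configuration before committing it. The following is an added example, not Palo Alto Networks code; the function names, the sample destinations and the advertised routes are constructed for illustration, and the 192.168.0.0/16 permitted route is the one from the text.

```python
"""Model of LSVPN access-route and route-filter behaviour (added example,
not PAN-OS code). Uses only the standard library's ipaddress module."""
from ipaddress import ip_address, ip_network


def tunnel_or_local(destination, access_routes, local_subnets=()):
    """Return 'tunnel' or 'local' for a packet the satellite is forwarding.

    - Traffic to a local subnet is never tunneled.
    - An empty access-route list is the "field left blank" case: everything
      else goes through the tunnel to the gateway.
    - Otherwise (split tunneling) only destinations inside an access route
      are tunneled; the satellite routes the rest with its own table.
    """
    dst = ip_address(destination)
    if any(dst in ip_network(s) for s in local_subnets):
        return "local"
    if not access_routes:
        return "tunnel"
    return "tunnel" if any(dst in ip_network(r) for r in access_routes) else "local"


def filter_published_routes(advertised, permitted):
    """Split satellite-advertised routes into (accepted, rejected) lists.

    A route is accepted only if it is equal to or contained in a permitted
    subnet of the same IP version. With no permitted subnets nothing is
    accepted, matching the gateway's default of ignoring satellite routes.
    """
    perms = [ip_network(p) for p in permitted]
    accepted, rejected = [], []
    for route in advertised:
        net = ip_network(route)
        ok = any(net.version == p.version and net.subnet_of(p) for p in perms)
        (accepted if ok else rejected).append(route)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample: corporate access route plus a satellite LAN
    print(tunnel_or_local("10.1.2.3", ["10.0.0.0/8"], ["192.168.5.0/24"]))
    print(filter_published_routes(
        ["192.168.5.0/24", "192.168.7.0/24", "10.9.0.0/16"],
        ["192.168.0.0/16"]))
```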
- Save the gateway configuration.
- Click OK to save the settings and close the GlobalProtect Gateway Configuration dialog.
- Commit the configuration.