Prepare the Satellite to Join the LSVPN
To participate in the LSVPN, the satellites require a minimal amount of configuration. Because the required configuration is minimal, you can pre-configure the satellites before shipping them to your branch offices for installation.
- Configure a Layer 3 Interface (see Configure Layer 3 Interfaces). This is the physical interface the satellite will use to connect to the portal and the gateway. This interface must be in a zone that allows access outside of the local trust network. As a best practice, create a dedicated zone for VPN connections for visibility and control over traffic destined for the corporate gateways.
- Configure the logical tunnel interface for the tunnel to use to establish VPN tunnels with the GlobalProtect gateways. IP addresses are not required on the tunnel interface unless you plan to use dynamic routing. However, assigning an IP address to the tunnel interface can be useful for troubleshooting connectivity issues.
- Select Network > Interfaces > Tunnel and click Add.
- In the Interface Name field, specify a numeric suffix, such as .2.
- On the Config tab, expand the Security Zone drop-down and select an existing zone or create a separate zone for VPN tunnel traffic by clicking New Zone and defining a Name for the new zone (for example, lsvpnsat).
- In the Virtual Router drop-down, select default.
- (Optional) To assign an IP address to the
- For an IPv4 address, select IPv4 and Add the IP address and network mask to assign to the interface, for example 220.127.116.11/24.
- For an IPv6 address, select IPv6, Enable IPv6 on the interface, and Add the IP address and network mask to assign to the interface, for example 2001:1890:12f2:11::10.1.8.160/80.
- To save the interface configuration, click OK.
- If you generated the portal server certificate using a Root CA that is not trusted by the satellites (for example, if you used self-signed certificates), import the root CA certificate used to issue the portal server certificate. The root CA certificate is required to enable the satellite to establish the initial connection with the portal to obtain the LSVPN configuration.
- Download the CA certificate that was used to generate the portal server certificates. If you are using self-signed certificates, export the root CA certificate from the portal as follows:
- Select Device > Certificate Management > Certificates > Device Certificates.
- Select the CA certificate, and click Export.
- Select Base64 Encoded Certificate (PEM) from the File Format drop-down and click OK to download the certificate. (You do not need to export the private key.)
- Import the root CA certificate you just exported onto each satellite as follows.
- Select Device > Certificate Management > Certificates > Device Certificates and click Import.
- Enter a Certificate Name that identifies the certificate as your client CA certificate.
- Browse to the Certificate File you downloaded from the CA.
- Select Base64 Encoded Certificate (PEM) as the File Format and then click OK.
- Select the certificate you just imported on the Device Certificates tab to open it.
- Select Trusted Root CA and then click OK.
- Configure the IPSec tunnel configuration.
- Select Network > IPSec Tunnels and click Add.
- On the General tab, enter a descriptive Name for the IPSec configuration.
- Select the Tunnel Interface you created for the satellite.
- Select GlobalProtect Satellite as the Type.
- Enter the IP address or FQDN of the portal as the Portal Address.
- Select the Layer 3 Interface you configured for the satellite.
- Select the IP Address to use on the selected interface. You can select an IPv4 address, an IPv6 address, or both. Specify if you want IPv6 preferred for portal registration.
- (Optional) Configure the satellite to publish local routes to the gateway. Pushing routes to the gateway enables traffic to the subnets local to the satellite via the gateway. However, you must also configure the gateway to accept the routes as detailed in Configure GlobalProtect Gateways for LSVPN.
- To enable the satellite to push routes to the gateway, on the Advanced tab select Publish all static and connected routes to Gateway. If you select this check box, the firewall will forward all static and connected routes from the satellite to the gateway. However, to prevent the creation of routing loops, the firewall will apply some route filters, such as the following:
- Default routes
- Routes within a virtual router other than the virtual router associated with the tunnel interface
- Routes using the tunnel interface
- Routes using the physical interface associated with the tunnel interface
- (Optional) If you only want to push routes for specific subnets rather than all routes, click Add in the Subnet section and specify which subnet routes to publish.
- Save the satellite configuration.
- Click OK to save the IPSec tunnel settings.
- Click Commit.
- If required, provide the credentials to allow the satellite to authenticate to the portal. This step is only required if the portal was unable to find a serial number match in its configuration or if the serial number didn’t work. In this case, the satellite will not be able to establish the tunnel with the gateway(s).
- Select Network > IPSec Tunnels and click the Gateway Info link in the Status column of the tunnel configuration you created for the LSVPN.
- Click the enter credentials link in the Portal Status field and enter the username and password required to authenticate the satellite to the portal. After the satellite successfully authenticates to the portal, it will receive its signed certificate and configuration, which it will use to connect to the gateway(s). You should see the tunnel establish and the Status change to Active.
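The root CA file exported from the portal becomes a trust anchor on every satellite, so it is worth checking before import. The following Python is an added example, not part of the original documentation or Palo Alto Networks code: it confirms that the PEM export holds exactly one certificate and no private key, and compares its SHA-256 fingerprint with a value recorded from the portal out of band. The function names, sample bytes and recorded fingerprint are constructed assumptions.

```python
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def check_root_ca_export(pem_text, expected_sha256):
    """Return (ok, problems, fingerprint) for a PEM file exported from the portal."""
    problems = []
    blocks = PEM_BLOCK.findall(pem_text)
    labels = [label for label, _ in blocks]

    # The export should carry the certificate only, never key material.
    if any("PRIVATE KEY" in label for label in labels):
        problems.append("file contains a private key")
    certs = [body for label, body in blocks if label == "CERTIFICATE"]
    if len(certs) != 1:
        problems.append("expected exactly 1 CERTIFICATE block, found %d" % len(certs))
        return False, problems, None

    # SHA-256 over the DER bytes, the value certificate viewers display.
    der = base64.b64decode("".join(certs[0].split()))
    fingerprint = hashlib.sha256(der).hexdigest()
    wanted = expected_sha256.replace(":", "").lower()
    if fingerprint != wanted:
        problems.append("fingerprint does not match the value recorded on the portal")
    return not problems, problems, fingerprint


def make_pem(label, raw):
    """Wrap raw bytes in PEM armor (helper for the constructed samples below)."""
    body = base64.encodebytes(raw).decode().strip()
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)


# Constructed sample input: placeholder bytes, not a real certificate or key.
SAMPLE_DER = b"constructed placeholder standing in for the root CA DER bytes"
SAMPLE_CERT_PEM = make_pem("CERTIFICATE", SAMPLE_DER)
SAMPLE_WITH_KEY = SAMPLE_CERT_PEM + make_pem("PRIVATE KEY", b"constructed placeholder key")
# Stands in for the fingerprint noted on the portal through a separate channel.
RECORDED_FP = hashlib.sha256(SAMPLE_DER).hexdigest()

if __name__ == "__main__":
    for name, text in (("cert only", SAMPLE_CERT_PEM), ("cert + key", SAMPLE_WITH_KEY)):
        ok, problems, fp = check_root_ca_export(text, RECORDED_FP)
        print(name, "OK" if ok else "REJECT", problems, fp)
```

Run it against the downloaded file on the workstation used to stage satellites, before the Import and Trusted Root CA steps; a mismatch means the file is not the certificate you exported.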