GlobalProtect Gateway Satellite Configuration Tab
A satellite is a Palo Alto Networks firewall—typically at a branch office—that acts as a GlobalProtect app to enable it to establish VPN connectivity to a GlobalProtect gateway. Select NetworkGlobalProtectGatewaysSatellite Configuration to define the gateway tunnel and network settings to enable the satellites to establish VPN connections with it. You can also configure routes advertised by the satellites.
GlobalProtect Gateway Satellite Configuration Settings
Tunnel Settings tab
Select Tunnel Configuration and select an existing Tunnel Interface, or select New Tunnel Interface from the drop-down. See Network > Interfaces > Tunnel for more information.
Select Tunnel Monitoring to enable the satellites to monitor gateway tunnel connections, allowing them to failover to a backup gateway if the connection fails.
Select an IPSec Crypto Profile or create a new one. A crypto profile determines the protocols and algorithms for identification, authentication, and encryption for the VPN tunnels. Because both tunnel endpoints in an LSVPN are trusted firewalls within your organization, you typically use the default profile, which uses ESP protocol, DH group2, AES 128 CVC encryption, and SHA-1 authentication. See Network > Network Profiles > GlobalProtect IPSec Crypto for more details.
Network Settings tab
Select a source to propagate DNS server and other settings from the selected DHCP client or PPPoE client interface into the GlobalProtect satellite configuration. With this setting, all network configuration, such as DNS servers, are inherited from the configuration of the interface selected in the Inheritance Source.
Enter the IP addresses of the primary and secondary servers that provide DNS to the satellites.
Click Add to enter a suffix that the satellite should use locally when an unqualified hostname is entered that it cannot resolve. You can enter multiple suffixes by separating them with commas.
Inherit DNS Suffix
Select this option to send the DNS suffix to the satellites to use locally when an unqualified hostname is entered that it cannot resolve.
Add a range of IP addresses to assign to the tunnel interface on satellites upon establishment of the VPN tunnel. You can specify IPv6 or IPv4 addresses.
The IP pool must be large enough to support all concurrent connections. IP address assignment is dynamic and not retained after the satellite disconnects. Configuring multiple ranges from different subnets will allow the system to offer satellites an IP address that does not conflict with other interfaces on the satellites.
The servers and routers in the networks must route the traffic for this IP pool to the firewall. For example, for the 192.168.0.0/16 network, a satellite can be assigned the address 192.168.0.10.
If you are using dynamic routing, make sure that the IP address pool you designate for satellites does not overlap with the IP addresses you manually assigned to the tunnel interfaces on your gateways and satellites.
Click Add and then enter routes as follows:
Route Filter tab
Enable Accept published routes to accept routes advertised by the satellite into the gateway’s routing table. If you do not select this option, the gateway does not accept any routes advertised by the satellites.
If you want to be more restrictive about accepting the routes advertised by the satellites, Add Permitted subnets and define the subnets from which the gateway may accept routes; subnets advertised by the satellites that are not part of the list are filtered out. For example, if all the satellites are configured with 192.168.x.0/24 subnet on the LAN side, you can configure a permitted route of 192.168.0.0/16 on the gateway. This configuration causes the gateway to accept the routes from the satellite only if it is in the 192.168.0.0/16 subnet.
Configure GlobalProtect Gateways for LSVPN
Configure GlobalProtect Gateways for LSVPN Because the GlobalProtect configuration that the portal delivers to the satellites includes the list of gateways the satellite can connect ...
Define the Satellite Configurations
Define the Satellite Configurations When a GlobalProtect satellite connects and successfully authenticates to the GlobalProtect portal, the portal delivers a satellite configuration, which specifies what ...
Prepare the Satellite to Join the LSVPN
Prepare the Satellite to Join the LSVPN To participate in the LSVPN, the satellites require a minimal amount of configuration. Because the required configuration is ...
Advanced LSVPN Configuration with iBGP
Advanced LSVPN Configuration with iBGP This use case illustrates how GlobalProtect LSVPN securely connects distributed office locations with primary and disaster recovery data centers that ...
IPSec Tunnel General Tab
IPSec Tunnel General Tab Network > IPSec Tunnels > General Use the following fields to set up an IPSec tunnel. IPSec Tunnel General Settings Description ...
Verify the LSVPN Configuration
Verify the LSVPN Configuration After configuring the portal, gateways, and satellites, verify that the satellites are able to connect to the portal and gateway and ...
Basic LSVPN Configuration with Static Routing
Basic LSVPN Configuration with Static Routing This quick config shows the fastest way to get up and running with LSVPN. In this example, a single ...
Network > GlobalProtect > Gateways
Network > GlobalProtect > Gateways Select Network GlobalProtect Gateways to configure a GlobalProtect gateway. A gateway can provide VPN connections for GlobalProtect apps or for ...
GlobalProtect Portal Satellite Configuration Tab
GlobalProtect Portal Satellite Configuration Tab A satellite is a Palo Alto Networks® firewall—typically at a branch office—that acts as a GlobalProtect app to enable the ...