GlobalProtect Gateway Satellite Configuration Tab
A satellite is a Palo Alto Networks firewall—typically at a branch office—that acts as a GlobalProtect app to enable it to establish VPN connectivity to a GlobalProtect gateway. Select
to define the gateway tunnel and network settings to enable the satellites to establish VPN connections with it. You can also configure routes advertised by the satellites.
GlobalProtect Gateway Satellite Configuration Settings
Tunnel Settings tab
Tunnel Configuration and select an existing Tunnel Interface, or select New Tunnel Interface from the drop-down. See
Tunnel Monitoring to enable the satellites to monitor gateway tunnel connections, allowing them to fail over to a backup gateway if the connection fails.
IPSec Crypto Profile or create a new one. A crypto profile determines the protocols and algorithms for identification, authentication, and encryption for the VPN tunnels. Because both tunnel endpoints in an LSVPN are trusted firewalls within your organization, you typically use the default profile, which uses ESP protocol, DH group2, AES-128-CBC encryption, and SHA-1 authentication. See Network > Network Profiles > GlobalProtect IPSec Crypto for more details.
Network Settings tab
Select a source to propagate DNS server and other settings from the selected DHCP client or PPPoE client interface into the GlobalProtect satellite configuration. With this setting, all network configuration settings, such as DNS servers, are inherited from the configuration of the interface selected in the Inheritance Source.
Enter the IP addresses of the primary and secondary servers that provide DNS to the satellites.
Add to enter a suffix that the satellite should use locally when an unqualified hostname is entered that it cannot resolve. You can enter multiple suffixes by separating them with commas.
Inherit DNS Suffix
Select this option to send the DNS suffix to the satellites to use locally when an unqualified hostname is entered that it cannot resolve.
Add a range of IP addresses to assign to the tunnel interface on satellites upon establishment of the VPN tunnel. You can specify IPv6 or IPv4 addresses.
The IP pool must be large enough to support all concurrent connections. IP address assignment is dynamic and not retained after the satellite disconnects. Configuring multiple ranges from different subnets will allow the system to offer satellites an IP address that does not conflict with other interfaces on the satellites.
The servers and routers in the networks must route the traffic for this IP pool to the firewall. For example, for the 192.168.0.0/16 network, a satellite can be assigned the address 192.168.0.10.
If you are using dynamic routing, make sure that the IP address pool you designate for satellites does not overlap with the IP addresses you manually assigned to the tunnel interfaces on your gateways and satellites.
Add and then enter routes as follows:
Route Filter tab
Accept published routes to accept routes advertised by the satellite into the gateway’s routing table. If you do not select this option, the gateway does not accept any routes advertised by the satellites.
If you want to be more restrictive about accepting the routes advertised by the satellites, Add Permitted subnets and define the subnets from which the gateway may accept routes; subnets advertised by the satellites that are not part of the list are filtered out. For example, if all the satellites are configured with a 192.168.x.0/24 subnet on the LAN side, you can configure a permitted route of 192.168.0.0/16 on the gateway. This configuration causes the gateway to accept a route from a satellite only if the route is in the 192.168.0.0/16 subnet.
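The Route Filter behavior and the IP pool overlap warning described above, modeled in Python as an added example (not Palo Alto Networks code or a PAN-OS API). The function names, the sample routes and addresses, and the assumption that an empty permitted list filters nothing are illustrative.

```python
import ipaddress

def filter_routes(advertised, permitted, accept_published=True):
    """Model of the Route Filter tab: return (accepted, filtered) lists."""
    if not accept_published:
        # Option not selected: no satellite-advertised route is accepted.
        return [], list(advertised)
    permitted_nets = [ipaddress.ip_network(p) for p in permitted]
    accepted, filtered = [], []
    for route in advertised:
        net = ipaddress.ip_network(route)
        # Assumption: with no permitted subnets defined, nothing is filtered.
        ok = not permitted_nets or any(
            net.version == p.version and net.subnet_of(p) for p in permitted_nets)
        (accepted if ok else filtered).append(route)
    return accepted, filtered

def pool_conflicts(pool_ranges, tunnel_addresses):
    """Return manually assigned tunnel addresses that fall inside the IP pool."""
    pool_nets = []
    for first, last in pool_ranges:
        pool_nets.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last)))
    return [addr for addr in tunnel_addresses
            if any(ipaddress.ip_interface(addr).ip in n for n in pool_nets)]

# Constructed sample data (not from a real deployment).
PERMITTED = ["192.168.0.0/16"]
ADVERTISED = [
    "192.168.10.0/24",   # branch LAN inside the permitted subnet
    "192.168.20.0/24",
    "10.1.0.0/16",       # outside the permitted subnet
    "0.0.0.0/0",         # default route from a misconfigured satellite
    "192.0.0.0/8",       # less specific than the permitted subnet
    "2001:db8:10::/48",  # IPv6 route, no IPv6 subnet is permitted
]
POOL = [("172.16.100.1", "172.16.100.254")]
TUNNEL_ADDRESSES = ["172.16.100.5/24", "10.255.0.1/30"]

if __name__ == "__main__":
    accepted, filtered = filter_routes(ADVERTISED, PERMITTED)
    print("accepted:", accepted)
    print("filtered:", filtered)
    print("pool conflicts:", pool_conflicts(POOL, TUNNEL_ADDRESSES))
```

Running the same check over the routes each branch is expected to advertise shows, before the gateway is committed, which ones a given permitted list would drop.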