GlobalProtect Portal Satellite Tab

  • Network > GlobalProtect > Portals > <portal-config> > Satellite
A satellite is a Palo Alto Networks® firewall—typically at a branch office—that acts as a GlobalProtect app in order to establish VPN connectivity to a GlobalProtect gateway. Like a GlobalProtect app, a satellite receives its initial configuration from the portal; this configuration includes the certificates, VPN configuration, and routing information that enable the satellite to connect to all configured gateways and establish VPN connectivity.
Before configuring the GlobalProtect satellite settings on the branch office firewall, you must configure an interface with WAN connectivity and set up a security zone and policy to allow the branch office LAN to communicate with the Internet. You can then select the Satellite tab to configure the GlobalProtect satellite settings on the portal as described in the following table.
GlobalProtect Portal Satellite Configuration Settings and Descriptions
General
  • Name—A name for this satellite configuration on the GlobalProtect portal.
  • Configuration Refresh Interval (hours)—How often a satellite should check the portal for configuration updates (range is 1-48; default is 24).
Devices
Add a satellite using the firewall Serial Number. The portal can accept a serial number or login credentials to identify who is requesting a connection; if the portal does not receive a serial number, it requests login credentials. If you identify the satellite by its firewall serial number, you do not need to provide user login credentials when the satellite first connects to acquire the authentication certificate and its initial configuration.
After the satellite authenticates by either a serial number or login credentials, the Satellite Hostname is automatically added to the portal.
Enrollment User/User Group
The portal can use Enrollment User/User Group settings with or without serial numbers to match a satellite to this configuration. Satellites that do not match on a serial number are required to authenticate either as an individual user or group member.
Add the user or group you want to control with this configuration.
Before you can restrict the configuration to specific groups, you must enable Group Mapping in the firewall (Device > User Identification > Group Mapping Settings).
Gateways
Click Add to enter the IP address or hostname of the gateway(s) with which satellites using this configuration can establish IPSec tunnels. In the Gateways field, enter the FQDN or IP address of the interface where the gateway is configured. IP addresses can be specified as IPv6, IPv4, or both. Select IPv6 Preferred to prefer IPv6 connections in a dual-stack environment.
(Optional) If you are adding two or more gateways to the configuration, the Routing Priority helps the satellite pick the preferred gateway (range is 1 to 25). Lower numbers have higher priority (for gateways that are available). The satellite multiplies the routing priority by 10 to determine the routing metric.
Routes published by the gateway are installed on the satellite as static routes. The metric for the static route is 10 times the routing priority. If you have more than one gateway, be sure to set the routing priority so that routes advertised by backup gateways have higher metrics than the same routes advertised by primary gateways. For example, if you set the routing priority for the primary gateway and backup gateway to 1 and 10 respectively, the satellite will use 10 as the metric for the primary gateway and 100 as the metric for the backup gateway.
The satellite also shares its network and routing information with the gateways if you Publish all static and connected routes to Gateway (Network > IPSec Tunnels > <tunnel> > Advanced—available only when you select GlobalProtect Satellite on the <tunnel> > General tab).
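An added illustration, not taken from the PAN-OS documentation or product code, of how the Routing Priority described above becomes the satellite's static-route metric (10 x priority) and decides which gateway carries each published route, including failover when the primary tunnel is down. The gateway names, prefixes, and the check for equal-metric routes are constructed for this example.

```python
from dataclasses import dataclass

PRIORITY_MIN, PRIORITY_MAX = 1, 25  # Routing Priority range the portal accepts


@dataclass
class Gateway:
    name: str
    routing_priority: int   # lower number = preferred gateway
    published_routes: list  # prefixes this gateway publishes to the satellite
    available: bool = True  # False once the satellite's tunnel to it is down

    def metric(self) -> int:
        """The satellite uses 10 x routing priority as the static-route metric."""
        if not PRIORITY_MIN <= self.routing_priority <= PRIORITY_MAX:
            raise ValueError(f"{self.name}: priority must be {PRIORITY_MIN}-{PRIORITY_MAX}")
        return self.routing_priority * 10


def satellite_route_table(gateways):
    """Static routes the satellite installs: (prefix, gateway, metric) for every route
    published by an available gateway; routes from unavailable gateways are withdrawn."""
    routes = [(p, gw.name, gw.metric())
              for gw in gateways if gw.available for p in gw.published_routes]
    return sorted(routes, key=lambda r: (r[0], r[2]))


def active_next_hop(gateways):
    """Per prefix, the gateway the satellite forwards to (lowest metric wins)."""
    best = {}
    for prefix, gw_name, metric in satellite_route_table(gateways):
        if prefix not in best or metric < best[prefix][1]:
            best[prefix] = (gw_name, metric)
    return best


def tied_prefixes(gateways):
    """Misconfiguration check (constructed): prefixes advertised by two gateways at the
    same metric, i.e. the portal gave primary and backup an equal routing priority."""
    counts = {}
    for prefix, _, metric in satellite_route_table(gateways):
        counts[(prefix, metric)] = counts.get((prefix, metric), 0) + 1
    return sorted({p for (p, _), n in counts.items() if n > 1})


# Constructed example matching the page: primary priority 1, backup priority 10.
PRIMARY = Gateway("gw-primary", 1, ["10.1.0.0/16", "10.2.0.0/16"])
BACKUP = Gateway("gw-backup", 10, ["10.1.0.0/16", "10.2.0.0/16"])

if __name__ == "__main__":
    print(active_next_hop([PRIMARY, BACKUP]))  # both prefixes via gw-primary, metric 10
    PRIMARY.available = False                   # tunnel to the primary goes down
    print(active_next_hop([PRIMARY, BACKUP]))  # failover to gw-backup, metric 100
```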
Trusted Root CA
Click Add and then select the CA certificate for issuing gateway server certificates. Satellite Trusted Root CA certificates are pushed to endpoints at the same time as the portal agent configuration.
Specify a Trusted Root CA to verify gateway server certificates and establish secure VPN tunnel connections to GlobalProtect gateways. All your gateways should use the same issuer.
You can Import or Generate a root CA certificate for issuing your gateway server certificates if one does not already exist on the portal.
Client Certificate
Local
  • Issuing Certificate—Select the root CA issuing certificate the portal uses to issue certificates to a satellite after it successfully authenticates. If the needed issuing certificate does not already reside on the firewall, you can Import or Generate it.
  • OCSP Responder—Select the OCSP Responder the satellite uses to verify the revocation status of certificates presented by the portal and gateways. Select None to specify that OCSP is not used for verifying revocation of a certificate.
    Enable a satellite OCSP responder so that, if a certificate has been revoked, you are notified and can take appropriate action to establish a secure connection to the portal and gateways. To enable a satellite OCSP responder, you must also enable CRL and OCSP in the Certificate Revocation Checking settings (Device > Setup > Session > Decryption Settings).
  • Validity Period (days)—Specify the GlobalProtect satellite certificate lifetime (range is 7 to 365; default is 7).
  • Certificate Renewal Period (days)—Specify the number of days before expiration that certificates can be automatically renewed (range is 3 to 30; default is 3).
SCEP
  • SCEP—Select a SCEP profile for generating client certificates. If the profile is not in the drop-down, you can create a New profile.
  • Certificate Renewal Period (days)—Specify the number of days before expiration that certificates can be automatically renewed (range is 3 to 30; default is 3).
