GlobalProtect Portal Satellite Tab
A satellite is a Palo Alto Networks® firewall—typically at a branch office—that acts as a GlobalProtect app to establish VPN connectivity to a GlobalProtect gateway. Like a GlobalProtect app, a satellite receives its initial configuration from the portal. This configuration includes the certificates and VPN configuration routing information that enable the satellite to connect to all configured gateways to establish VPN connectivity.
Before configuring the GlobalProtect satellite settings on the branch office firewall, you must configure an interface with WAN connectivity and set up a security zone and policy to allow the branch office LAN to communicate with the Internet. You can then select the Satellite tab to configure the GlobalProtect satellite settings on the portal as described in the following table.
GlobalProtect Portal Satellite Configuration Settings
Add a satellite using the firewall Serial Number. The portal can accept a serial number or login credentials to identify who is requesting a connection; if the portal does not receive a serial number, it requests login credentials. If you identify the satellite by its firewall serial number, you do not need to provide user login credentials when the satellite first connects to acquire the authentication certificate and its initial configuration.
After the satellite authenticates by either a serial number or login credentials, the Satellite Hostname is automatically added to the portal.
Enrollment User/User Group
The portal can use Enrollment User/User Group settings with or without serial numbers to match a satellite to this configuration. Satellites that do not match on a serial number are required to authenticate either as an individual user or group member.
Add the user or group you want to control with this configuration.
Before you can restrict the configuration to specific groups, you must enable Group Mapping in the firewall (Device > User Identification > Group Mapping Settings).
Click Add to enter the IP address or hostname of the gateway(s) with which satellites using this configuration can establish IPSec tunnels. Enter the FQDN or IP address of the interface where the gateway is configured in the Gateways field. IP addresses can be specified as IPv6, IPv4, or both. Select IPv6 Preferred to prefer IPv6 connections in a dual stack environment.
(Optional) If you are adding two or more gateways to the configuration, the Routing Priority helps the satellite pick the preferred gateway (range is 1 to 25). Lower numbers have higher priority (for gateways that are available). The satellite multiplies the routing priority by 10 to determine the routing metric.
Routes published by the gateway are installed on the satellite as static routes. The metric for the static route is 10 times the routing priority. If you have more than one gateway, be sure to set the routing priority so that routes advertised by backup gateways have higher metrics than the same routes advertised by primary gateways. For example, if you set the routing priority for the primary gateway and backup gateway to 1 and 10 respectively, the satellite will use 10 as the metric for the primary gateway and 100 as the metric for the backup gateway.
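The priority-to-metric rule above can be checked before a configuration is committed. The following Python sketch is an added example, not Palo Alto Networks code: it models the rule (metric = routing priority × 10, lowest metric among available gateways preferred) and flags prefixes that two gateways advertise at the same metric. The gateway names, prefixes and dict layout are constructed assumptions.

```python
from collections import defaultdict

PRIORITY_RANGE = range(1, 26)  # routing priority range stated on the page: 1 to 25


def route_metric(priority):
    """Static-route metric the satellite derives from a gateway's routing priority."""
    if priority not in PRIORITY_RANGE:
        raise ValueError(f"routing priority {priority} is outside 1-25")
    return priority * 10


def audit_gateways(gateways):
    """Return (preferred, ties) for a list of gateway dicts (hypothetical layout).

    preferred: prefix -> (gateway name, metric) of the lowest-metric available gateway
    ties:      (prefix, [names]) where gateways advertise the prefix at an equal metric
    """
    by_prefix = defaultdict(list)
    for gw in gateways:
        metric = route_metric(gw["priority"])
        for prefix in gw["routes"]:
            by_prefix[prefix].append((metric, gw["name"], gw["available"]))

    preferred, ties = {}, []
    for prefix, offers in sorted(by_prefix.items()):
        metrics = [m for m, _, _ in offers]
        tied = sorted(n for m, n, _ in offers if metrics.count(m) > 1)
        if tied:  # no defined primary/backup order between these gateways
            ties.append((prefix, tied))
        live = sorted((m, n) for m, n, up in offers if up)
        if live:
            preferred[prefix] = (live[0][1], live[0][0])
    return preferred, ties


# Constructed sample: priorities 1 and 10 mirror the page's example; names are made up.
SAMPLE = [
    {"name": "gw-primary", "priority": 1, "available": True,
     "routes": ["10.10.0.0/16", "10.20.0.0/16"]},
    {"name": "gw-backup", "priority": 10, "available": True,
     "routes": ["10.10.0.0/16", "10.20.0.0/16"]},
    {"name": "gw-dr", "priority": 10, "available": True,
     "routes": ["10.20.0.0/16"]},
]

if __name__ == "__main__":
    preferred, ties = audit_gateways(SAMPLE)
    print("preferred:", preferred)
    print("ties:", ties)
```

A non-empty `ties` list means the failover order for that prefix is undefined and the routing priorities should be adjusted.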
The satellite also shares its network and routing information with the gateways if you Publish all static and connected routes to Gateway (Network > IPSec Tunnels > <tunnel> > Advanced—available only when you select GlobalProtect Satellite on <tunnel> > General).
Trusted Root CA
Click Add and then select the CA certificate for issuing gateway server certificates. Satellite Trusted Root CA certificates are pushed to endpoints at the same time as the portal agent configuration.
Specify a Trusted Root CA to verify gateway server certificates and establish secure VPN tunnel connections to GlobalProtect gateways. All your gateways should use the same issuer.
You can Import or Generate a root CA certificate for issuing your gateway server certificates if one does not already exist on the portal.
If a certificate does not already reside on the firewall, you can Import or Generate an issuing certificate.