GlobalProtect Portal Satellite Tab
- Network > GlobalProtect > Portals > <portal-config> > Satellite
A satellite is a Palo Alto Networks® firewall, typically at a
branch office, that acts as a GlobalProtect app so that it can
establish VPN connectivity to a GlobalProtect gateway. Like a
GlobalProtect app, a satellite receives its initial configuration
from the portal, which includes the certificates and VPN configuration
routing information that enable the satellite to connect to all configured
gateways to establish VPN connectivity.
Before configuring the GlobalProtect satellite settings on the
branch office firewall, you must configure an interface with WAN
connectivity and set up a security zone and policy to allow the
branch office LAN to communicate with the Internet. You can then
select the Satellite tab to configure the GlobalProtect satellite
settings on the portal as described in the following table.

GlobalProtect Portal Satellite Configuration Settings | Description |
---|---|
General | |
Devices | Add a satellite using the firewall Serial Number. The portal can accept a serial number or login credentials to identify who is requesting a connection; if the portal does not receive a serial number, it requests login credentials. If you identify the satellite by its firewall serial number, you do not need to provide user login credentials when the satellite first connects to acquire the authentication certificate and its initial configuration. After the satellite authenticates by either a serial number or login credentials, the Satellite Hostname is automatically added to the portal. |
Enrollment User/User Group | The portal can use Enrollment User/User Group settings with or without serial numbers to match a satellite to this configuration. Satellites that do not match on a serial number are required to authenticate either as an individual user or group member. Add the user or group you want to control with this configuration. Before you can restrict the configuration to specific groups, you must enable Group Mapping in the firewall (Device > User Identification > Group Mapping Settings). |
Gateways | Click Add to enter the IP address or hostname of the gateway(s) with which satellites that have this configuration can establish IPSec tunnels. Enter the FQDN or IP address of the interface where the gateway is configured in the Gateways field. IP addresses can be specified as IPv6, IPv4, or both. Select IPv6 Preferred to specify preference of IPv6 connections in a dual stack environment. (Optional) If you are adding two or more gateways to the configuration, the Routing Priority helps the satellite pick the preferred gateway (range is 1 to 25). Lower numbers have higher priority (for gateways that are available). The satellite multiplies the routing priority by 10 to determine the routing metric. Routes published by the gateway are installed on the satellite as static routes. The metric for the static route is 10 times the routing priority. If you have more than one gateway, be sure to set the routing priority so that routes advertised by backup gateways have higher metrics than the same routes advertised by primary gateways. For example, if you set the routing priority for the primary gateway and backup gateway to 1 and 10 respectively, the satellite will use 10 as the metric for the primary gateway and 100 as the metric for the backup gateway. The satellite also shares its network and routing information with the gateways if you Publish all static and connected routes to Gateway (Network > IPSec tunnels > <tunnel> > Advanced; GlobalProtect Satellite on the <tunnel> > General). |
Trusted Root CA | Click Add and then select the CA certificate for issuing gateway server certificates. Satellite Trusted Root CA certificates are pushed to endpoints at the same time as the portal agent configuration. Specify a Trusted Root CA to verify gateway server certificates and establish secure VPN tunnel connections to GlobalProtect gateways. All your gateways should use the same issuer. You can Import or Generate a root CA certificate for issuing your gateway server certificates if one does not already exist on the portal. |
Client Certificate | |
Local | If a certificate does not already reside on the firewall, you can Import or Generate an issuing certificate. |
SCEP | |
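
The routing-priority and same-issuer rules from the Gateways and Trusted Root CA rows, as an added example that is not part of the original page or of PAN-OS: a Python check over a hypothetical gateway inventory. The `Gateway` record, the role labels, and the sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass

PRIORITY_RANGE = range(1, 26)  # Routing Priority range from the table: 1 to 25
METRIC_FACTOR = 10             # the satellite multiplies the priority by 10

@dataclass(frozen=True)
class Gateway:       # hypothetical inventory record, not a PAN-OS object
    address: str     # FQDN or IP address entered in the Gateways field
    role: str        # operator's intent: "primary" or "backup"
    priority: int    # Routing Priority entered on the portal
    issuer: str      # issuer DN of the gateway server certificate

def route_metric(priority: int) -> int:
    """Static-route metric the satellite derives from a routing priority."""
    if priority not in PRIORITY_RANGE:
        raise ValueError(f"routing priority {priority} is outside 1-25")
    return priority * METRIC_FACTOR

def lint_gateways(gateways):
    """Return (metrics by address, list of findings) for one satellite config."""
    metrics, findings = {}, []
    for gw in gateways:
        try:
            metrics[gw.address] = route_metric(gw.priority)
        except ValueError as exc:
            findings.append(f"{gw.address}: {exc}")
    primary = [metrics[g.address] for g in gateways
               if g.role == "primary" and g.address in metrics]
    for gw in gateways:
        metric = metrics.get(gw.address)
        if gw.role == "backup" and metric is not None and primary:
            if metric <= max(primary):
                findings.append(f"{gw.address}: backup metric {metric} is not "
                                f"higher than primary metric {max(primary)}")
    if len({gw.issuer for gw in gateways}) > 1:
        findings.append("gateway server certificates have different issuers")
    return metrics, findings

# Constructed sample data; the first set mirrors the 1 / 10 example in the table.
CA = "CN=Example GP Root CA"
GOOD = [Gateway("gw1.example.com", "primary", 1, CA),
        Gateway("gw2.example.com", "backup", 10, CA)]
BAD = [Gateway("gw1.example.com", "primary", 5, CA),
       Gateway("gw2.example.com", "backup", 2, "CN=Other CA"),
       Gateway("gw3.example.com", "backup", 30, CA)]

if __name__ == "__main__":
    for name, config in (("GOOD", GOOD), ("BAD", BAD)):
        metrics, findings = lint_gateways(config)
        print(name, metrics, *findings, sep="\n  ")
```

A backup gateway whose metric is lower than or equal to the primary's would have its static routes preferred or tied on the satellite, which is the misconfiguration the second sample set triggers.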