Focus

Create Interfaces and Zones for the LSVPN

Table of Contents

Filter

Expand All | Collapse All

Next-Generation Firewall Docs

Getting Started
Administration
Version
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
- PAN-OS 9.1 (EoL)
Networking
Version
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
Incidents & Alerts
Release Notes
Version
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1 (EoL)

LSVPN Overview

Enable SSL Between GlobalProtect LSVPN Components

Create Interfaces and Zones for the LSVPN

You must configure the following interfaces and zones for your LSVPN infrastructure:

GlobalProtect portal—Requires a Layer 3 interface for GlobalProtect satellites to connect to. If the portal and gateway are on the same firewall, they can use the same interface. The portal must be in a zone that is accessible from your branch offices.
GlobalProtect gateways—Requires three interfaces: a Layer 3 interface in the zone that is reachable by the remote satellites, an internal interface in the trust zone that connects to the protected resources, and a logical tunnel interface for terminating the VPN tunnels from the satellites. Unlike other site-to-site VPN solutions, the GlobalProtect gateway only requires a single tunnel interface, which it will use for tunnel connections with all of your remote satellites (point-to-multi-point). If you plan to use dynamic routing, you must assign an IP address to the tunnel interface. GlobalProtect supports both IPv6 and IPv4 addressing for the tunnel interface.
GlobalProtect satellites—Requires a single tunnel interface for establishing a VPN with the remote gateways (up to a maximum of 25 gateways). If you plan to use dynamic routing, you must assign an IP address to the tunnel interface. GlobalProtect supports both IPv6 and IPv4 addressing for the tunnel interface.

For more information about portals, gateways, and satellites see LSVPN Overview.

Configure a Layer 3 interface.
The portal and each gateway and satellite all require a Layer 3 interface to enable traffic to be routed between sites.
If the gateway and portal are on the same firewall, you can use a single interface for both components.
1. Select NetworkInterfacesEthernet and then select the interface you want to configure for GlobalProtect LSVPN.
2. Select Layer3 from the Interface Type drop-down.
3. On the Config tab, select the Security Zone to which the interface belongs:
  - The interface must be accessible from a zone outside of your trust network. Consider creating a dedicated VPN zone for visibility and control over your VPN traffic.
  - If you have not yet created the zone, select New Zone from the Security Zone drop-down, define a Name for the new zone and then click OK.
4. Select the Virtual Router to use.
5. Assign an IP address to the interface:
  - For an IPv4 address, select IPv4 and Add the IP address and network mask to assign to the interface, for example 203.0.11.100/24.
  - For an IPv6 address, select IPv6, Enable IPv6 on the interface, and Add the IP address and network mask to assign to the interface, for example 2001:1890:12f2:11::10.1.8.160/80.
6. To save the interface configuration, click OK.
On the firewall(s) hosting GlobalProtect gateway(s), configure the logical tunnel interface that will terminate VPN tunnels established by the GlobalProtect satellites.

IP addresses are not required on the tunnel interface unless you plan to use dynamic routing. However, assigning an IP address to the tunnel interface can be useful for troubleshooting connectivity issues.

Make sure to enable User-ID in the zone where the VPN tunnels terminate.
1. Select NetworkInterfacesTunnel and click Add.
2. In the Interface Name field, specify a numeric suffix, such as .2.
3. On the Config tab, expand the Security Zone drop-down to define the zone as follows:
  - To use your trust zone as the termination point for the tunnel, select the zone from the drop-down.
  - (Recommended) To create a separate zone for VPN tunnel termination, click New Zone. In the Zone dialog, define a Name for new zone (for example lsvpn-tun), select the Enable User Identification check box, and then click OK.
4. Select the Virtual Router.
5. (Optional) To assign an IP address to the tunnel interface:
  - For an IPv4 address, select IPv4 and Add the IP address and network mask to assign to the interface, for example 203.0.11.100/24.
  - For an IPv6 address, select IPv6, Enable IPv6 on the interface, and Add the IP address and network mask to assign to the interface, for example 2001:1890:12f2:11::10.1.8.160/80.
6. To save the interface configuration, click OK.
If you created a separate zone for tunnel termination of VPN connections, create a security policy to enable traffic flow between the VPN zone and your trust zone.
For example, a policy rule enables traffic between the lsvpn-tun zone and the L3-Trust zone.
Commit your changes.
Click Commit.

LSVPN Overview

Enable SSL Between GlobalProtect LSVPN Components

Next-Generation Firewall Docs

Create Interfaces and Zones for the LSVPN

Next-Generation Firewall Docs

Create Interfaces and Zones for the LSVPN

Activation & Onboarding

Next-Generation Firewalls

Cloud-Delivered Security Services

Network Security

Visibility & Monitoring

Best Practices

Experts Corner