You must configure the following interfaces
and zones for your LSVPN infrastructure:
- GlobalProtect portal—Requires a Layer 3 interface for GlobalProtect satellites to connect to. If the portal and gateway are on the same firewall, they can use the same interface. The portal must be in a zone that is accessible from your branch offices.
- GlobalProtect gateways—Require three interfaces: a Layer 3 interface in the zone that is reachable by the remote satellites, an internal interface in the trust zone that connects to the protected resources, and a logical tunnel interface for terminating the VPN tunnels from the satellites. Unlike other site-to-site VPN solutions, the GlobalProtect gateway requires only a single tunnel interface, which it uses for tunnel connections with all of your remote satellites (point-to-multi-point). If you plan to use dynamic routing, you must assign an IP address to the tunnel interface. GlobalProtect supports both IPv6 and IPv4 addressing for the tunnel interface.
- GlobalProtect satellites—Require a single tunnel interface for establishing a VPN with the remote gateways (up to a maximum of 25 gateways). If you plan to use dynamic routing, you must assign an IP address to the tunnel interface. GlobalProtect supports both IPv6 and IPv4 addressing for the tunnel interface.
For more information about portals, gateways, and satellites, see LSVPN Overview.
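The gateway requirements above, shown as PAN-OS configure-mode `set` commands. This is an added example, not configuration from the original documentation. Interface names, zone names, addresses, the separate zone for the tunnel interface, and the virtual router named `default` are assumptions, and a single virtual system is assumed. The `#` lines are annotations, not CLI input.

```text
# Constructed example: interface and zone layout for one LSVPN gateway.
# All names and addresses below are placeholders chosen for illustration.

# 1. Layer 3 interface in the zone reachable by the remote satellites.
#    If the portal is on the same firewall, it can use this interface too.
set network interface ethernet ethernet1/1 layer3 ip 203.0.113.10/24
set zone lsvpn-untrust network layer3 ethernet1/1

# 2. Internal interface in the trust zone, connecting to the protected
#    resources (assumed here to be a Layer 3 interface).
set network interface ethernet ethernet1/2 layer3 ip 10.10.0.1/24
set zone trust network layer3 ethernet1/2

# 3. One logical tunnel interface that terminates the VPN tunnels from
#    all satellites (point-to-multipoint). The IP address is required
#    only if you plan to use dynamic routing.
set network interface tunnel units tunnel.2 ip 172.16.100.1/24

#    Assumption: the tunnel interface gets its own zone, so that traffic
#    from the satellites is matched by explicit security policy rules.
set zone lsvpn-tun network layer3 tunnel.2

# Attach all three interfaces to the virtual router (assumed: "default").
set network virtual-router default interface [ ethernet1/1 ethernet1/2 tunnel.2 ]
```

A satellite needs only the tunnel interface portion of this layout, with an IP address on the tunnel interface when dynamic routing is used.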