GlobalProtect Gateway Satellite Tab
Table of Contents
Expand all | Collapse all
-
- Firewall Overview
- Features and Benefits
- Last Login Time and Failed Login Attempts
- Message of the Day
- Task Manager
- Language
- Alarms
- Commit Changes
- Save Candidate Configurations
- Revert Changes
- Lock Configurations
- Global Find
- Threat Details
- AutoFocus Intelligence Summary
- Configuration Table Export
- Change Boot Mode
-
- Objects > Addresses
- Objects > Address Groups
- Objects > Regions
- Objects > Dynamic User Groups
- Objects > Application Groups
- Objects > Application Filters
- Objects > Services
- Objects > Service Groups
- Objects > Devices
- Objects > External Dynamic Lists
- Objects > Custom Objects > Spyware/Vulnerability
- Objects > Custom Objects > URL Category
- Objects > Security Profiles > Antivirus
- Objects > Security Profiles > Anti-Spyware Profile
- Objects > Security Profiles > Vulnerability Protection
- Objects > Security Profiles > File Blocking
- Objects > Security Profiles > WildFire Analysis
- Objects > Security Profiles > Data Filtering
- Objects > Security Profiles > DoS Protection
- Objects > Security Profiles > Mobile Network Protection
- Objects > Security Profiles > SCTP Protection
- Objects > Security Profile Groups
- Objects > Log Forwarding
- Objects > Authentication
- Objects > Packet Broker Profile
- Objects > Schedules
-
-
- Firewall Interfaces Overview
- Common Building Blocks for Firewall Interfaces
- Common Building Blocks for PA-7000 Series Firewall Interfaces
- Tap Interface
- HA Interface
- Virtual Wire Interface
- Virtual Wire Subinterface
- PA-7000 Series Layer 2 Interface
- PA-7000 Series Layer 2 Subinterface
- PA-7000 Series Layer 3 Interface
- Layer 3 Interface
- Layer 3 Subinterface
- Log Card Interface
- Log Card Subinterface
- Decrypt Mirror Interface
- Aggregate Ethernet (AE) Interface Group
- Aggregate Ethernet (AE) Interface
- Network > Interfaces > VLAN
- Network > Interfaces > Loopback
- Network > Interfaces > Tunnel
- Network > Interfaces > SD-WAN
- Network > Interfaces > PoE
- Network > Interfaces > Cellular
- Network > Interfaces > Fail Open
- Network > VLANs
- Network > Virtual Wires
-
- Network > Routing > Logical Routers > General
- Network > Routing > Logical Routers > Static
- Network > Routing > Logical Routers > OSPF
- Network > Routing > Logical Routers > OSPFv3
- Network > Routing > Logical Routers > RIPv2
- Network > Routing > Logical Routers > BGP
- Network > Routing > Logical Routers > Multicast
-
- Network > Routing > Routing Profiles > BGP
- Network > Routing > Routing Profiles > BFD
- Network > Routing > Routing Profiles > OSPF
- Network > Routing > Routing Profiles > OSPFv3
- Network > Routing > Routing Profiles > RIPv2
- Network > Routing > Routing Profiles > Filters
- Network > Routing > Routing Profiles > Multicast
- Network > Proxy
-
- Network > Network Profiles > GlobalProtect IPSec Crypto
- Network > Network Profiles > IPSec Crypto
- Network > Network Profiles > IKE Crypto
- Network > Network Profiles > Monitor
- Network > Network Profiles > Interface Mgmt
- Network > Network Profiles > QoS
- Network > Network Profiles > LLDP Profile
- Network > Network Profiles > SD-WAN Interface Profile
- Network > Network Profiles > MACsec Profile
-
-
- Device > Setup
- Device > Setup > Management
- Device > Setup > Interfaces
- Device > Setup > Telemetry
- Device > Setup > Content-ID
- Device > Setup > WildFire
- Device > Setup > ACE
- Device > Setup > DLP
- Device > Log Forwarding Card
- Device > Config Audit
- Device > Administrators
- Device > Admin Roles
- Device > Access Domain
- Device > Authentication Sequence
- Device > IoT Security > DHCP Server Log Ingestion
- Device > Device Quarantine
-
- Security Policy Match
- QoS Policy Match
- Authentication Policy Match
- Decryption/SSL Policy Match
- NAT Policy Match
- Policy Based Forwarding Policy Match
- DoS Policy Match
- Routing
- Test Wildfire
- Threat Vault
- Ping
- Trace Route
- Log Collector Connectivity
- External Dynamic List
- Update Server
- Test Cloud Logging Service Status
- Test Cloud GP Service Status
- Device > Virtual Systems
- Device > Shared Gateways
- Device > Certificate Management
- Device > Certificate Management > Certificate Profile
- Device > Certificate Management > OCSP Responder
- Device > Certificate Management > SSL/TLS Service Profile
- Device > Certificate Management > SCEP
- Device > Certificate Management > SSL Decryption Exclusion
- Device > Certificate Management > SSH Service Profile
- Device > Response Pages
- Device > Server Profiles
- Device > Server Profiles > SNMP Trap
- Device > Server Profiles > Syslog
- Device > Server Profiles > Email
- Device > Server Profiles > HTTP
- Device > Server Profiles > NetFlow
- Device > Server Profiles > RADIUS
- Device > Server Profiles > SCP
- Device > Server Profiles > TACACS+
- Device > Server Profiles > LDAP
- Device > Server Profiles > Kerberos
- Device > Server Profiles > SAML Identity Provider
- Device > Server Profiles > DNS
- Device > Server Profiles > Multi Factor Authentication
- Device > Local User Database > Users
- Device > Local User Database > User Groups
- Device > Scheduled Log Export
- Device > Software
- Device > Dynamic Updates
- Device > Licenses
- Device > Support
- Device > Policy Recommendation > IoT
- Device > Policy > Recommendation SaaS
- Device > Policy Recommendation > IoT or SaaS > Import Policy Rule
-
- Device > User Identification > Connection Security
- Device > User Identification > Terminal Server Agents
- Device > User Identification > Group Mapping Settings
- Device > User Identification> Trusted Source Address
- Device > User Identification > Authentication Portal Settings
- Device > User Identification > Cloud Identity Engine
-
- Network > GlobalProtect > MDM
- Network > GlobalProtect > Clientless Apps
- Network > GlobalProtect > Clientless App Groups
- Objects > GlobalProtect > HIP Profiles
-
- Use the Panorama Web Interface
- Context Switch
- Panorama Commit Operations
- Defining Policies on Panorama
- Log Storage Partitions for a Panorama Virtual Appliance in Legacy Mode
- Panorama > Setup > Interfaces
- Panorama > High Availability
- Panorama > Firewall Clusters
- Panorama > Administrators
- Panorama > Admin Roles
- Panorama > Access Domains
- Panorama > Device Groups
- Panorama > Plugins
- Panorama > Log Ingestion Profile
- Panorama > Log Settings
- Panorama > Server Profiles > SCP
- Panorama > Scheduled Config Export
- Panorama > Device Registration Auth Key
GlobalProtect Gateway Satellite Tab
- NetworkGlobalProtectGateways<gateway-config>Satellite
A satellite is a Palo Alto Networks firewall—typically at a branch
office—that acts as a GlobalProtect app to enable it to establish
VPN connectivity to a GlobalProtect gateway. Select the Satellite tab
to define the gateway tunnel and network settings to enable the
satellites to establish VPN connections with it. You can also configure
routes advertised by the satellites.
GlobalProtect Gateway
Satellite Configuration Settings | Description |
---|---|
Tunnel Settings tab | |
Tunnel Configuration | Select Tunnel Configuration and select
an existing Tunnel Interface, or select New
Tunnel Interface from the drop-down. See Network
> Interfaces > Tunnel for more information.
|
Tunnel Monitoring | Select Tunnel Monitoring to
enable the satellites to monitor gateway tunnel connections, allowing
them to failover to a backup gateway if the connection fails.
|
Crypto Profiles | Select an IPSec Crypto Profile or create
a new one. A crypto profile determines the protocols and algorithms
for identification, authentication, and encryption for the VPN tunnels.
Because both tunnel endpoints in an LSVPN are trusted firewalls
within your organization, you typically use the default profile, which
uses ESP protocol, DH group2, AES 128 CVC encryption, and SHA-1
authentication. See Network
> Network Profiles > GlobalProtect IPSec Crypto for more
details. |
Network Settings tab | |
Inheritance Source | Select a source to propagate DNS server
and other settings from the selected DHCP client or PPPoE client
interface into the GlobalProtect satellite configuration. With this
setting, all network configuration, such as DNS servers, are inherited
from the configuration of the interface selected in the Inheritance
Source. |
Primary DNS Secondary DNS | Enter the IP addresses of the primary and
secondary servers that provide DNS to the satellites. |
DNS Suffix | Click Add to enter
a suffix that the satellite should use locally when an unqualified
hostname is entered that it cannot resolve. You can enter multiple
suffixes by separating them with commas. |
Inherit DNS Suffix | Select this option to send the DNS suffix
to the satellites to use locally when an unqualified hostname is
entered that it cannot resolve. |
IP Pool | Add a range of IP
addresses to assign to the tunnel interface on satellites upon establishment
of the VPN tunnel. You can specify IPv6 or IPv4 addresses. The
IP pool must be large enough to support all concurrent connections.
IP address assignment is dynamic and not retained after
the satellite disconnects. Configuring multiple ranges from different
subnets will allow the system to offer satellites an IP address
that does not conflict with other interfaces on the satellites. The
servers and routers in the networks must route the traffic for this
IP pool to the firewall. For example, for the 192.168.0.0/16 network,
a satellite can be assigned the address 192.168.0.10. If you
are using dynamic routing, make sure that the IP address pool you
designate for satellites does not overlap with the IP addresses you
manually assigned to the tunnel interfaces on your gateways and satellites. |
Access Route | Click Add and then
enter routes as follows:
|
Route Filter tab | |
Accept
published routes | Enable Accept published routes to accept
routes advertised by the satellite into the gateway’s routing table.
If you do not select this option, the gateway does not accept any routes
advertised by the satellites. |
Permitted Subnets | If you want to be more restrictive about
accepting the routes advertised by the satellites, Add Permitted subnets
and define the subnets from which the gateway may accept routes;
subnets advertised by the satellites that are not part of the list are
filtered out. For example, if all the satellites are configured
with 192.168.x.0/24 subnet on the LAN side, you can configure a
permitted route of 192.168.0.0/16 on the gateway. This configuration
causes the gateway to accept the routes from the satellite only
if it is in the 192.168.0.0/16 subnet. |