The satellite administrator manually authenticates the satellite to the portal to establish the first connection. Upon successful authentication, the portal returns a satellite cookie to authenticate the satellite on subsequent connections. The satellite cookie that the portal issues has a lifetime of 6 months. The encrypted cookie stored on an LSVPN satellite expires after every 6 months. As soon as the cookie expires, the satellite administrator must re-authenticate by manually entering their credentials, and a new cookie will be issued by the portal.

This causes the VPN tunnels associated with the satellite to go down, causing an outage until the satellite is re-authenticated to the LSVPN portal or gateway and a new cookie is generated. A re-authentication every six months causes administrative overhead, affecting productivity, network stability, and resources of the company.

You can now configure the cookie expiry period from 1 to 5 years, while the default remains as 6 months (when set to 0). In other words, the cookie expiry period is now configurable up to 5 years.

While configuration is only done on the portal, you must upgrade both portal and satellite versions to PAN-OS 10.1.7 or later 10.1 releases to use this feature effectively.

Use the following operational commands to update or view the cookie expiration period:

On the portal, select MonitorSystem to view the system log for the updated satellite cookie expiration time.