Configure the following interfaces and zones for your LSVPN infrastructure:

GlobalProtect portal—Requires a Layer 3 interface for GlobalProtect satellites to connect to. If the portal and gateway are on the same firewall, they can use the same interface. The portal must be in a zone that is accessible from your branch offices.

GlobalProtect gateways—Requires three interfaces: a Layer 3 interface in the zone that is reachable by the remote satellites, an internal interface in the trust zone that connects to the protected resources, and a logical tunnel interface for terminating the VPN tunnels from the satellites. Unlike other site-to-site VPN solutions, the GlobalProtect gateway only requires a single tunnel interface, which it uses for tunnel connections with all of your remote satellites (point-to-multipoint). If you plan to use dynamic routing, you must assign an IP address to the tunnel interface. GlobalProtect supports both IPv6 and IPv4 addressing for the tunnel interface.

GlobalProtect satellites—Requires a single tunnel interface for establishing a VPN with the remote gateways (up to a maximum of 25 gateways). If you plan to use dynamic routing, you must assign an IP address to the tunnel interface. GlobalProtect supports both IPv6 and IPv4 addressing for the tunnel interface.

For more information about portals, gateways, and satellites, see LSVPN Overview.

1. Configure a Layer 3 interface.

The portal and each gateway and satellite all require a Layer 3 interface to enable traffic to be routed between sites. If the gateway and portal are on the same firewall, you can use a single interface for both components.

a. Select Network > Interfaces > Ethernet and then select the interface you want to configure for GlobalProtect LSVPN.
b. Select Layer3 from the Interface Type drop-down.
c. On the Config tab, select the Security Zone to which the interface belongs. The interface must be accessible from a zone outside of your trust network. Consider creating a dedicated VPN zone for visibility and control over your VPN traffic. If you haven't yet created the zone, select New Zone from the Security Zone drop-down, define a Name for the new zone, and then click OK.
d. Select the Virtual Router to use.
e. Assign an IP address to the interface:
   For an IPv4 address, select IPv4 and Add the IP address and network mask to assign to the interface, for example 203.0.11.100/24.
   For an IPv6 address, select IPv6, Enable IPv6 on the interface, and Add the IP address and network mask to assign to the interface, for example 2001:1890:12f2:11::10.1.8.160/80.
f. To save the interface configuration, click OK.

2. On the firewall(s) hosting the GlobalProtect gateway(s), configure the logical tunnel interface that will terminate the VPN tunnels established by the GlobalProtect satellites.

An IP address is only required on the tunnel interface when you plan to use dynamic routing. However, assigning an IP address to the tunnel interface can be useful for troubleshooting connectivity issues.

Make sure to enable User-ID in the zone where the VPN tunnels terminate.

a. Select Network > Interfaces > Tunnel and click Add.
b. In the Interface Name field, specify a numeric suffix, such as .2.
c. On the Config tab, expand the Security Zone drop-down to define the zone as follows:
   To use your trust zone as the termination point for the tunnel, select the zone from the drop-down.
   (Recommended) To create a separate zone for VPN tunnel termination, click New Zone. In the Zone dialog, define a Name for the new zone (for example lsvpn-tun), select the Enable User Identification check box, and then click OK.
d. Select the Virtual Router.
e. (Optional) To assign an IP address to the tunnel interface:
   For an IPv4 address, select IPv4 and Add the IP address and network mask to assign to the interface, for example 203.0.11.100/24.
   For an IPv6 address, select IPv6, Enable IPv6 on the interface, and Add the IP address and network mask to assign to the interface, for example 2001:1890:12f2:11::10.1.8.160/80.
f. To save the interface configuration, click OK.

3. If you created a separate zone for tunnel termination of VPN connections, create a security policy to enable traffic flow between the VPN zone and your trust zone. For example, a policy rule enables traffic between the lsvpn-tun zone and the L3-Trust zone.
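The following Python script is an added pre-change check, not part of this documentation or of PAN-OS: it encodes the requirements listed above (three gateway interfaces in defined zones, parseable address/prefix pairs, a tunnel IP when dynamic routing is used, User-ID on the tunnel zone, a policy from the tunnel zone to the trust zone, at most 25 gateways per satellite) and reports which ones a planned configuration fails. The zone name L3-Untrust and the gateway hostnames are assumptions; the addresses are the procedure's own examples.

```python
import ipaddress
MAX_GATEWAYS_PER_SATELLITE = 25  # limit stated for a satellite's gateway list

# Constructed sample plan mirroring the objects the procedure above creates; the
# zone names are assumptions, the addresses are the procedure's own examples.
PLAN = {
    "zones": {"L3-Untrust": {"user_id": False}, "L3-Trust": {"user_id": True},
              "lsvpn-tun": {"user_id": True}},
    "gateway": {
        "dynamic_routing": True,
        "interfaces": {
            "external": {"zone": "L3-Untrust", "addresses": ["203.0.11.100/24"]},
            "internal": {"zone": "L3-Trust", "addresses": ["10.1.8.1/24"]},
            "tunnel": {"zone": "lsvpn-tun",
                       "addresses": ["2001:1890:12f2:11::10.1.8.160/80"]},
        },
    },
    "satellite_gateways": ["gw1.example.net", "gw2.example.net"],
    "policies": [{"from": "lsvpn-tun", "to": "L3-Trust"}],
}

def check_lsvpn_plan(plan):
    """Return the requirements from the procedure that the plan violates."""
    findings, zones, gw = [], plan["zones"], plan["gateway"]
    # Gateway needs external, internal and tunnel interfaces in defined zones.
    for role in ("external", "internal", "tunnel"):
        iface = gw["interfaces"].get(role)
        if iface is None:
            findings.append(f"gateway: missing {role} interface")
            continue
        if iface.get("zone") not in zones:
            findings.append(f"{role}: zone {iface.get('zone')!r} is not defined")
        for addr in iface.get("addresses", []):
            try:
                ipaddress.ip_interface(addr)  # accepts IPv4 and IPv6 with prefix
            except ValueError:
                findings.append(f"{role}: {addr!r} is not a valid address/prefix")
    tun = gw["interfaces"].get("tunnel", {})
    if gw.get("dynamic_routing") and not tun.get("addresses"):
        findings.append("tunnel: dynamic routing needs an IP on the tunnel interface")
    tzone, trust = tun.get("zone"), gw["interfaces"].get("internal", {}).get("zone")
    if tzone in zones and not zones[tzone].get("user_id"):
        findings.append(f"zone {tzone}: User-ID is not enabled")
    # A separate tunnel zone only passes traffic with a rule towards the trust zone.
    if tzone and trust and tzone != trust and not any(
            p["from"] == tzone and p["to"] == trust for p in plan["policies"]):
        findings.append(f"policy: no rule allowing {tzone} -> {trust}")
    if len(plan["satellite_gateways"]) > MAX_GATEWAYS_PER_SATELLITE:
        findings.append("satellite: more than 25 gateways configured")
    return findings
```

Run `check_lsvpn_plan(PLAN)` on a plan that mirrors your own zones and interfaces; an empty list means every requirement above is met, otherwise each finding names the step to revisit.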