Prepare the Satellite to Join the LSVPN
A satellite needs only a small amount of configuration to join the LSVPN. Because the required configuration is minimal, you can preconfigure each satellite before shipping it to the branch office for installation.
- Configure the Layer 3 interface that the satellite uses to connect to the portal and the gateway. This interface must be in a zone that allows access outside of the local trust network. As a best practice, create a dedicated zone for VPN connections so that traffic destined for the corporate gateways is visible and can be controlled separately.
- Configure the logical tunnel interface that the satellite uses to establish VPN tunnels with the GlobalProtect gateways. An IP address on the tunnel interface is required only if you plan to use dynamic routing, but assigning one is useful when troubleshooting connectivity.
  - Select Network > Interfaces > Tunnel and click Add.
  - In the Interface Name field, specify a numeric suffix, such as .2.
  - On the Config tab, expand the Security Zone drop-down and select an existing zone, or create a separate zone for VPN tunnel traffic by clicking New Zone and defining a Name for the new zone (for example, lsvpnsat).
  - In the Virtual Router drop-down, select default.
  - (Optional) To assign an IP address to the tunnel interface:
    - For an IPv4 address, select IPv4 and Add the IP address and network mask to assign to the interface, for example 203.0.11.100/24.
    - For an IPv6 address, select IPv6, Enable IPv6 on the interface, and Add the IP address and prefix length to assign to the interface, for example 2001:1890:12f2:11::10.1.8.160/80.
  - To save the interface configuration, click OK.
- If the portal server certificate was issued by a root CA that the satellites don't already trust (for example, if you used self-signed certificates), import that root CA certificate on each satellite. The satellite needs it to validate the portal when it makes the initial connection to obtain the LSVPN configuration.
  - Download the CA certificate that was used to issue the portal server certificate. If you're using self-signed certificates, export the root CA certificate from the portal as follows:
    - Select Device > Certificate Management > Certificates > Device Certificates.
    - Select the CA certificate and click Export.
    - Select Base64 Encoded Certificate (PEM) from the File Format drop-down and click OK to download the certificate. (You don't need to export the private key, and you shouldn't: the satellite needs only the public certificate.)
  - Import the exported root CA certificate onto each satellite as follows:
    - Select Device > Certificate Management > Certificates > Device Certificates and click Import.
    - Enter a Certificate Name that identifies the certificate as the root CA that issued the portal server certificate.
    - Browse to the Certificate File that you downloaded from the CA.
    - Select Base64 Encoded Certificate (PEM) as the File Format and then click OK.
    - On the Device Certificates tab, select the certificate that you imported to open it.
    - Select Trusted Root CA and then click OK. Before you do, compare the certificate's fingerprint with the one displayed on the portal: any certificate the satellite marks as a trusted root can be used to impersonate the portal.
- Configure the IPSec tunnel.
  - Select Network > IPSec Tunnels and click Add.
  - On the General tab, enter a descriptive Name for the IPSec configuration.
  - Select the Tunnel Interface that you created for the satellite.
  - Select GlobalProtect Satellite as the Type.
  - Enter the IP address or FQDN of the portal as the Portal Address.
  - Select the Layer 3 Interface you configured for the satellite.
  - Select the IP Address to use on the selected interface. You can select an IPv4 address, an IPv6 address, or both. If you select both, specify whether you want IPv6 preferred for portal registration.
- (Optional) Configure the satellite to publish local routes to the gateway. Pushing routes to the gateway lets traffic from the gateway side reach the subnets local to the satellite through the tunnel. However, you must also configure the gateway to accept the routes, as described in Configure GlobalProtect Gateways for LSVPN.
  - To enable the satellite to push routes to the gateway, on the Advanced tab select Publish all static and connected routes to Gateway. If you select this check box, the firewall forwards all static and connected routes from the satellite to the gateway, except that, to prevent routing loops, it filters out routes such as the following:
    - Default routes
    - Routes in a virtual router other than the one associated with the tunnel interface
    - Routes that use the tunnel interface
    - Routes that use the physical interface associated with the tunnel interface
  - (Optional) If you only want to push routes for specific subnets rather than all routes, click Add in the Subnet section and specify which subnet routes to publish.
- Save the satellite configuration.
  - Click OK to save the IPSec tunnel settings.
  - Click Commit.
- If required, provide the credentials that allow the satellite to authenticate to the portal. The first time the satellite connects, the satellite administrator must provide the username and password of the satellite account in the portal's local user database.
  - Select Network > IPSec Tunnels and click the Gateway Info link in the Status column of the tunnel configuration you created for the LSVPN.
  - Click the enter credentials link in the Portal Status field and provide the username and password to authenticate the satellite to the portal. After the satellite successfully authenticates to the portal, it receives its signed certificate and configuration, which it uses to connect to the gateway(s). You should then see that the tunnel is established and that the Status has changed to Active.
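The route filters in the "publish routes" step are the one part of this procedure with logic worth checking before a commit: a satellite with several virtual routers, a default route and a few static routes can easily publish something other than what you expect. The following script is an added example, not code from the PAN-OS documentation or from the firewall itself. It models the four filters the page lists for Publish all static and connected routes to Gateway and runs them over a constructed routing table so you can predict what the gateway will receive. Two modelling choices are assumptions, not documented behaviour: routes learned from dynamic protocols (OSPF, BGP) are treated as never published, because the checkbox names only static and connected routes, and an explicit Subnet list is published as configured without consulting the routing table. The interface names, virtual router names and prefixes are all constructed for the example.

```python
"""Predict which satellite routes LSVPN will publish to the gateway.

Added example (not PAN-OS code): models the route filters applied when
"Publish all static and connected routes to Gateway" is selected on the
satellite's IPSec tunnel, using only the Python standard library.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Route:
    """One entry from the satellite routing table (fields are constructed)."""
    destination: str        # prefix, e.g. "10.10.1.0/24"
    interface: str          # egress interface, e.g. "ethernet1/2"
    virtual_router: str     # virtual router that owns the route
    kind: str               # "connected", "static", "ospf", "bgp", ...


@dataclass(frozen=True)
class SatelliteTunnel:
    """The IPSec tunnel settings that matter for route publication."""
    tunnel_interface: str       # tunnel interface created for the satellite
    physical_interface: str     # Layer 3 interface used to reach portal/gateway
    virtual_router: str         # virtual router the tunnel interface belongs to
    publish_all: bool           # "Publish all static and connected routes to Gateway"
    subnets: tuple = ()         # explicit Subnet entries when publish_all is False


def filter_reason(route: Route, tunnel: SatelliteTunnel):
    """Return None if the route would be published, else the filter that drops it."""
    net = ipaddress.ip_network(route.destination, strict=False)
    if route.kind not in ("static", "connected"):
        return "not a static or connected route"   # assumption: dynamic routes excluded
    if net.prefixlen == 0:
        return "default route"
    if route.virtual_router != tunnel.virtual_router:
        return "route in a different virtual router than the tunnel interface"
    if route.interface == tunnel.tunnel_interface:
        return "route uses the tunnel interface"
    if route.interface == tunnel.physical_interface:
        return "route uses the physical interface associated with the tunnel"
    return None


def _sort_key(prefix: str):
    # Group IPv4 before IPv6; networks of one version compare cleanly.
    net = ipaddress.ip_network(prefix)
    return (net.version, net)


def routes_to_publish(routes, tunnel: SatelliteTunnel):
    """Return (published, dropped): published prefixes, and destination -> reason."""
    if not tunnel.publish_all:
        # Explicit Subnet list: published as configured (assumption: no route lookup).
        published = [str(ipaddress.ip_network(s, strict=False)) for s in tunnel.subnets]
        return sorted(published, key=_sort_key), {}
    published, dropped = [], {}
    for r in routes:
        reason = filter_reason(r, tunnel)
        if reason is None:
            published.append(str(ipaddress.ip_network(r.destination, strict=False)))
        else:
            dropped[r.destination] = reason
    return sorted(published, key=_sort_key), dropped


# Constructed routing table for a branch satellite: ethernet1/1 faces the
# Internet (portal/gateway side), ethernet1/2 and ethernet1/3 are local LANs.
SATELLITE_ROUTES = [
    Route("0.0.0.0/0",        "ethernet1/1", "default", "static"),
    Route("203.0.11.0/24",    "ethernet1/1", "default", "connected"),
    Route("10.10.1.0/24",     "ethernet1/2", "default", "connected"),
    Route("10.10.2.0/24",     "ethernet1/2", "default", "static"),
    Route("172.16.0.0/16",    "tunnel.2",    "default", "static"),
    Route("192.168.50.0/24",  "ethernet1/3", "guest",   "connected"),
    Route("2001:db8:10::/64", "ethernet1/2", "default", "connected"),
    Route("10.20.0.0/16",     "ethernet1/2", "default", "ospf"),
]

# Tunnel as configured in the procedure above: tunnel.2 in the default VR,
# physical interface ethernet1/1, publish-all enabled.
PUBLISH_ALL = SatelliteTunnel("tunnel.2", "ethernet1/1", "default", publish_all=True)

# Same tunnel with an explicit Subnet list instead of publish-all.
EXPLICIT = SatelliteTunnel("tunnel.2", "ethernet1/1", "default",
                           publish_all=False, subnets=("10.10.1.0/24",))


if __name__ == "__main__":
    for label, tunnel in (("publish all", PUBLISH_ALL), ("explicit subnets", EXPLICIT)):
        published, dropped = routes_to_publish(SATELLITE_ROUTES, tunnel)
        print(f"[{label}] published: {published}")
        for dest, why in dropped.items():
            print(f"[{label}] dropped {dest}: {why}")
```

Running the script shows the practical effect of the filters: only the two LAN prefixes on ethernet1/2 and the IPv6 LAN prefix survive, while the default route, the Internet-facing connected subnet, the route already pointing into the tunnel, the route from the guest virtual router and the OSPF-learned prefix are all held back. If a prefix you expected the gateway to learn appears in the dropped list, fix the satellite routing or use the explicit Subnet list rather than adding a matching static route on the gateway by hand.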