Large Scale VPN (LSVPN) Fundamentals

The GlobalProtect Large Scale VPN (LSVPN) feature on the Palo Alto Networks Next-Generation Firewall simplifies the deployment of traditional hub and spoke VPNs, enabling you to deploy enterprise networks with several branch offices quickly with a minimum amount of configuration required on the remote satellites. This solution uses certificates for firewall authentication and IPSec to secure data.

LSVPN enables site-to-site VPNs between Palo Alto Networks firewalls. To set up a site-to-site VPN between a Palo Alto Networks firewall and another device, see VPNs. The LSVPN doesn’t require a GlobalProtect subscription.

LSVPN is designed for Palo Alto Networks firewalls acting as hub (Gateway) and spokes (Satellites).

A GlobalProtect subscription is NOT required for LSVPN functionality.

The following topics describe the LSVPN components and how to set them up to enable site-to-site VPN services between Palo Alto Networks firewalls:

LSVPN Overview

GlobalProtect provides a complete infrastructure for managing secure access to corporate resources from your remote sites. This infrastructure includes the following components:

Portal: Manages configuration for Satellites.

Gateway: Hub device, terminates IPSec tunnels from Satellites.

Satellite: Spoke device at remote site, connects to Gateways.

A single firewall can act as both Portal and Gateway. This is a common deployment for smaller setups.

The following diagram illustrates how the GlobalProtect LSVPN components work together.

LSVPN Component Interaction Flow.

Create Interfaces and Zones for the LSVPN

Configure the following interfaces and zones for your LSVPN infrastructure:

Gateway Tunnel Interface: A single logical tunnel interface on the Gateway can terminate connections from multiple Satellites (point-to-multipoint).

Tunnel IP Address: Required for dynamic routing, optional but useful for troubleshooting otherwise.

User-ID should be enabled on the zone where VPN tunnels terminate on the Gateway for visibility.

For more information about portals, gateways, and satellites see LSVPN Overview.

STEP 1 | Configure a Layer 3 interface.

The portal and each gateway and satellite all require a Layer 3 interface to enable traffic to be routed between sites.

If the gateway and portal are on the same firewall, you can use a single interface for both components.

  1. Select Network > Interfaces > Ethernet and then select the interface you want to configure for GlobalProtect LSVPN.

  2. Select Layer3 from the Interface Type drop-down.

  3. On the Config tab, select the Security Zone to which the interface belongs:

    • The interface must be accessible from a zone outside of your trust network. Consider creating a dedicated VPN zone for visibility and control over your VPN traffic.

    • If you haven’t yet created the zone, select New Zone from the Security Zone drop-down, define a Name for the new zone, and then click OK.

  4. Select the Virtual Router to use.

  5. Assign an IP address to the interface:

    • For an IPv4 address, select IPv4 and Add the IP address and network mask to assign to the interface, for example 203.0.11.100/24.

    • For an IPv6 address, select IPv6, Enable IPv6 on the interface, and Add the IP address and network mask to assign to the interface, for example 2001:1890:12f2:11::10.1.8.160/80.

  6. To save the interface configuration, click OK.

STEP 2 | On the firewall(s) hosting the GlobalProtect gateway(s), configure the logical tunnel interface that will terminate VPN tunnels established by the GlobalProtect satellites.

  1. Select Network > Interfaces > Tunnel and click Add.

  2. In the Interface Name field, specify a numeric suffix, such as .2.

  3. On the Config tab, expand the Security Zone drop-down to define the zone as follows:

    • To use your trust zone as the termination point for the tunnel, select the zone from the drop-down.

    • (Recommended) To create a separate zone for VPN tunnel termination, click New Zone. In the Zone dialog, define a Name for the new zone (for example lsvpn-tun), select the Enable User Identification check box, and then click OK.

  4. Select the Virtual Router.

  5. (Optional) To assign an IP address to the tunnel interface:

    • For an IPv4 address, select IPv4 and Add the IP address and network mask to assign to the interface, for example 203.0.11.100/24.

    • For an IPv6 address, select IPv6, Enable IPv6 on the interface, and Add the IP address and network mask to assign to the interface, for example 2001:1890:12f2:11::10.1.8.160/80.

  6. To save the interface configuration, click OK.

STEP 3 | If you created a separate zone for tunnel termination of VPN connections, create a security policy to enable traffic flow between the VPN zone and your trust zone.

For example, a policy rule enables traffic between the lsvpn-tun zone and the L3-Trust zone.

STEP 4 | Commit your changes.

Click Commit.

Enable SSL Between GlobalProtect LSVPN Components

All interaction between the GlobalProtect components occurs over an SSL/TLS connection. Therefore, you must generate and/or install the required certificates before configuring each component so that you can reference the appropriate certificate(s) and/or certificate profiles in the configurations for each component.

SSL/TLS is fundamental for communication between Portal, Gateways, and Satellites.

Certificates are used for mutual authentication.

About Certificate Deployment

There are two basic approaches to deploying certificates for GlobalProtect LSVPN:

When using self-signed certificates, ensure the Root CA certificate is trusted by all LSVPN components (Portal, Gateways, Satellites). Satellites need to trust the Portal's server certificate issuer, and Gateways/Satellites need to trust each other's certificate issuers.

Deploy Server Certificates to the GlobalProtect LSVPN Components

The GlobalProtect LSVPN components use SSL/TLS to authenticate mutually. Before deploying the LSVPN, you must assign an SSL/TLS service profile to each portal and gateway. The profile specifies the server certificate and allowed TLS versions for communication with satellites. You don’t need to create SSL/TLS service profiles for the satellites because the portal will issue a server certificate for each satellite during the first connection as part of the satellite registration process.

In addition, you must import the root certificate authority (CA) certificate used to issue the server certificates onto each firewall that you plan to host as a gateway or satellite. Finally, on each gateway and satellite participating in the LSVPN, you must configure a certificate profile that will enable them to establish an SSL/TLS connection using mutual authentication.

The following workflow shows the best practice steps for deploying SSL certificates to the GlobalProtect LSVPN components:

STEP 1 | On the firewall hosting the GlobalProtect portal, create the root CA certificate for signing the certificates of the GlobalProtect components.

Create a Self-Signed Root CA Certificate:

  1. Select Device > Certificate Management > Certificates, then Device Certificates. Select Generate.

  2. Enter a Certificate Name, such as LSVPN_CA.

  3. Don’t select a value in the Signed By field (this is what indicates that it’s self-signed).

  4. Select the Certificate Authority check box and then click OK to generate the certificate.

STEP 2 | Create SSL/TLS service profiles for the GlobalProtect portal and gateways.

For the portal and each gateway, you must assign an SSL/TLS service profile that references a unique self-signed server certificate.

  1. Use the root CA on the portal to Generate a Certificate for each gateway that you’ll deploy:

    1. Select Device > Certificate Management > Certificates, then Device Certificates. Select Generate.

    2. Enter a Certificate Name.

    3. Enter the FQDN (recommended) or IP address of the interface where you plan to configure the gateway in the Common Name field.

    4. In the Signed By field, select the LSVPN_CA certificate you created.

    5. In the Certificate Attributes section, click Add and define the attributes to identify the gateway uniquely. If you add a Host Name attribute (which populates the SAN field of the certificate), it must exactly match the value you defined for the Common Name.

    6. Generate the certificate.

  2. Configure an SSL/TLS Service Profile for the portal and each gateway:

    1. Select Device > Certificate Management > SSL/TLS Service Profile and click Add.

    2. Enter a Name to identify the profile and select the server Certificate you created for the portal or gateway.

    3. Define the range of TLS versions (Min Version to Max Version) allowed for communicating with satellites and click OK.

STEP 3 | Deploy the self-signed server certificates to the gateways.

Best Practices for Server Certificates:

  • Export server certificates from the portal (if generated there) and import them onto gateways.
  • Issue a unique server certificate for each gateway.
  • The Common Name (CN) and Subject Alternative Name (SAN) fields must match the gateway's IP address or FQDN.
  1. On the portal, select Device > Certificate Management > Certificates, then Device Certificates. Select the gateway certificate you want to deploy, and click Export.

  2. Select Encrypted Private Key and Certificate (PKCS12) from the File Format drop-down.

  3. Enter (and re-enter) a Passphrase to encrypt the private key associated with the certificate and then click OK to download the PKCS12 file to your computer.

  4. On the gateway, select Device > Certificate Management > Certificates, then Device Certificates. Select Import.

  5. Enter a Certificate Name.

  6. Enter the path and name to the Certificate File that you downloaded from the portal, or Browse to find the file.

  7. Select Encrypted Private Key and Certificate (PKCS12) as the File Format.

  8. Enter the path and name to the PKCS12 file in the Key File field or Browse to find it.

  9. Enter and re-enter the Passphrase you used to encrypt the private key when you exported it from the portal and then click OK to import the certificate and key.

STEP 4 | Import the root CA certificate used to issue server certificates for the LSVPN components.

Import the root CA certificate onto all gateways and satellites. For security reasons, make sure you export the certificate only, and not the associated private key.

  1. Download the root CA certificate from the portal.

    1. Select Device > Certificate Management > Certificates, then Device Certificates.

    2. Select the root CA certificate used to issue certificates for the LSVPN components and click Export.

    3. Select Base64 Encoded Certificate (PEM) from the File Format drop-down and click OK to download the certificate. (Do not export the private key.)

  2. On the firewalls hosting the gateways and satellites, import the root CA certificate.

    1. Select Device > Certificate Management > Certificates, then Device Certificates. Select Import.

    2. Enter a Certificate Name that identifies the certificate as your client CA certificate.

    3. Browse to the Certificate File you downloaded from the CA.

    4. Select Base64 Encoded Certificate (PEM) as the File Format and then click OK.

    5. Select the certificate you imported on the Device Certificates tab to open it.

    6. Select Trusted Root CA and then click OK.

    7. Commit the changes.

STEP 5 | Create a Certificate Profile.

The GlobalProtect LSVPN portal and each gateway require a Certificate Profile that specifies which certificate to use to authenticate the satellites.

  1. Select Device > Certificate Management > Certificate Profile, click Add, and enter a profile Name.

  2. Make sure that the Username Field is set to None.

  3. In the CA Certificates field, click Add and select the trusted root CA certificate you imported in the previous step.

  4. (Recommended) Enable use of CRL and/or OCSP to enable certificate status verification.

  5. Click OK to save the profile.

STEP 6 | Commit your changes.

Click Commit .

Deploy Client Certificates to the GlobalProtect Satellites Using SCEP

As an alternative method for deploying client certificates to satellites, you can configure your GlobalProtect portal to act as a Simple Certificate Enrollment Protocol (SCEP) client to a SCEP server in your enterprise PKI. SCEP operation is dynamic in that the enterprise PKI generates a certificate when the portal requests it and sends the certificate to the portal.

When the satellite device requests a connection to the portal or gateway, it also includes its serial number with the connection request. The portal submits a CSR to the SCEP server using the settings in the SCEP profile and automatically includes the serial number of the device in the subject of the client certificate. After receiving the client certificate from the enterprise PKI, the portal transparently deploys the client certificate to the satellite device. The satellite device then presents the client certificate to the portal or gateway for authentication.

STEP 1 | Create a SCEP profile.

  1. Select Device > Certificate Management > SCEP and then Add a new profile.

  2. Enter a Name to identify the SCEP profile.

  3. If this profile is for a firewall with multiple virtual systems capability, select a virtual system or Shared as the Location where the profile is available.

STEP 2 | (Optional) To make the SCEP-based certificate generation more secure, configure a SCEP challenge-response mechanism between the PKI and portal for each certificate request.

After you configure this mechanism, its operation is invisible, and no further input from you is necessary.

To comply with the U.S. Federal Information Processing Standard (FIPS), use a Dynamic SCEP challenge and specify a Server URL that uses HTTPS (see step 7).

Select one of the following options:

STEP 3 | Specify the settings for the connection between the SCEP server and the portal to enable the portal to request and receive client certificates.

To identify the satellite, the portal automatically includes the device serial number in the CSR request to the SCEP server. Because the SCEP profile requires a value in the Subject field, you can leave the default $USERNAME token even though the value isn’t used in client certificates for LSVPN.

  1. Configure the Server URL that the portal uses to reach the SCEP server in the PKI (for example, http://10.200.101.1/certsrv/mscep/).

  2. Enter a string (up to 255 characters in length) in the CA-IDENT Name field to identify the SCEP server.

  3. Select the Subject Alternative Name Type:

    • RFC 822 Name: Enter the email name in a certificate’s subject or Subject Alternative Name extension.

    • DNS Name: Enter the DNS name used to evaluate certificates.

    • Uniform Resource Identifier: Enter the name of the resource from which the client will obtain the certificate.

    • None: Don’t specify attributes for the certificate.

STEP 4 | (Optional) Configure cryptographic settings for the certificate.

STEP 5 | (Optional) Configure the permitted uses of the certificate, either for signing or encryption.

STEP 6 | (Optional) To ensure that the portal is connecting to the correct SCEP server, enter the CA Certificate Fingerprint. Obtain this fingerprint from the SCEP server interface in the Thumbprint field.

  1. Enter the URL for the SCEP server’s administrative UI (for example, http://<hostname or IP>/CertSrv/mscep_admin/).

  2. Copy the thumbprint and enter it in the CA Certificate Fingerprint field.

STEP 7 | Enable mutual SSL authentication between the SCEP server and the GlobalProtect portal. This is required to comply with the U.S. Federal Information Processing Standard (FIPS).

Select the SCEP server’s root CA Certificate. Optionally, you can enable mutual SSL authentication between the SCEP server and the GlobalProtect portal by selecting a Client Certificate.

STEP 8 | Save and commit the configuration.

  1. Click OK to save the settings and close the SCEP configuration.

  2. Commit the configuration.

The portal attempts to request a CA certificate using the settings in the SCEP profile and saves it to the firewall hosting the portal. If successful, the CA certificate is shown in Device > Certificate Management > Certificates .

STEP 9 | (Optional) If after saving the SCEP profile, the portal fails to obtain the certificate, you can manually generate a certificate signing request (CSR) from the portal.

  1. Select Device > Certificate Management > Certificates, then Device Certificates. Select Generate.

  2. Enter a Certificate Name. This name can’t contain spaces.

  3. Select the SCEP Profile to use to submit a CSR to your enterprise PKI.

  4. Click OK to submit the request and generate the certificate.

Configure the Portal to Authenticate Satellites

To register with the LSVPN, each satellite must establish an SSL/TLS connection with the portal. After establishing the connection, the portal authenticates the satellite to ensure that it is authorized to join the LSVPN. After successfully authenticating the satellite, the portal will issue a server certificate for the satellite and push the LSVPN configuration specifying the gateways to which the satellite can connect and the root CA certificate required to establish an SSL connection with the gateways.

There are multiple ways that the satellite can authenticate to the portal during its initial connection:

Understand the different satellite authentication methods based on PAN-OS versions.

Default method in PAN-OS 10.1+ is Username/Password + Satellite Cookie.

Satellite cookie has a default lifetime (e.g., 6 months), configurable in later PAN-OS versions. Expired cookies require manual re-authentication.

PAN-OS releases support the following authentication methods:

PAN-OS RELEASE | SUPPORTED AUTHENTICATION METHOD
PAN-OS 10.0 and earlier releases | Serial number Authentication method
PAN-OS 10.1 and later releases | Username/password and Satellite Cookie Authentication method (default authentication method). While configuring this method, configure the satellite cookie expiration to a value greater than the satellite upgrade time to avoid login failures.
PAN-OS 11.1.3 and later releases | Username/password and Satellite Cookie Authentication method (default authentication method); Serial number and IP address Authentication method

Before upgrading or downgrading to a particular PAN-OS release, be aware of the authentication methods supported.

Refer to Upgrade and Downgrade Considerations to learn about the authentication method supported when you upgrade or downgrade the firewall from one PAN-OS release to another.

(PAN-OS 11.0.1 and later releases) You can configure the cookie expiry period from 1 to 5 years, while the default remains as 6 months.

On the portal:

On the satellite:

Username/Password and Satellite Cookie Authentication (Default Authentication Method)

For authenticating the satellite to the portal, GlobalProtect LSVPN supports only local database authentication.

Figure: Satellite Authentication Flow with Cookie (initial username/password authentication, subsequent cookie-based authentication).

The following workflow describes how to set up the portal to authenticate satellites against an existing authentication service.

STEP 1 |

Set up local database authentication so that the satellite administrator can authenticate the satellite to the portal.

  1. Select Device > Local User Database > Users.

  2. Add the user account to the local database.

STEP 2 |

Configure an authentication profile.

  1. Select Device > Authentication Profile > Add.

  2. Enter a Name for the profile and then set the Type to Local Database.

  3. Click OK and Commit your changes.

STEP 3 | Authenticate the satellite.

To authenticate the satellite to the portal, the satellite administrator must provide the username and password configured in the local database.

  1. Select Network > IPSec Tunnels and click the Gateway Info link in the Status column of the tunnel configuration you created for the LSVPN.

  2. Click the enter credentials link in the Portal Status field and provide the username and password to authenticate the satellite to the portal.

After the satellite successfully authenticates to the portal for the first time, the portal generates a satellite cookie, which it uses to authenticate the satellite on subsequent sessions.

Serial Number and IP Address Authentication Method

(PAN-OS 11.1.3 and later releases) The Serial number and IP address Authentication method will be established successfully only when you configure the necessary parameters correctly and in the correct order.

The following table provides you with the details on how your parameter settings impact the establishment of Serial number and IP address authentication:

Serial Number and IP Address Authentication Method | Configured retry-interval (default is 5 seconds) | Serial Number | IP Address in Allow List | Satellite Cookie | Established Authentication Method
Enabled | Greater than or equal to 5 | Registered | Allowed | Not checked | Serial number and IP address Authentication method is established successfully.
Enabled | Greater than or equal to 5 | Registered | Not allowed | Not checked | Fails to establish Serial number and IP address Authentication.
Enabled | Greater than or equal to 5 | Not registered | Not checked | Not checked | Fails to establish Serial number and IP address Authentication.
Disabled | Not checked | Not checked | Not checked | Default behavior | The default authentication method, Username/password and Satellite Cookie Authentication method, is established successfully.

The satellite initiates a connection to the portal once the satellite serial number is registered and the satellite device IP address is added to the satellite IP allow list on the portal. Also ensure that the portal is running PAN-OS 11.1.3 or a later version before configuring Serial number and IP address Authentication on the portal.

In the LSVPN serial number and IP address authentication method, PAN-OS stores the configuration changes in the database internally. Therefore, the latest saved configuration is applied when you upgrade to or downgrade from this feature.

Use the following workflow to authenticate the satellite using the Serial number and IP address Authentication method.

STEP 1 | Log in to the portal web interface and select Network > GlobalProtect > Portals > GlobalProtect Portal > Satellite Configuration > GlobalProtect Satellite > Devices to add a new satellite serial number to the GlobalProtect portal. Commit the configuration.

STEP 2 | Access the CLI.

STEP 3 | Follow the steps below in the same order to configure the parameters related to Serial number and IP address Authentication on a firewall configured as a GlobalProtect portal. Otherwise, the satellite authentication might fail and an administrator must intervene to enter the username and password on the satellite.

1. Enter the following operational command per portal to add a satellite device IP address on the GlobalProtect portal.

Configure a specific IP address, subnet, or a range to add one or more satellite devices. Both IPv4 and IPv6 addresses are supported.

username@hostname> set global-protect global-protect-portal portal <portal_name> satellite-serial-number-ip-auth satellite-ip-allowlist entry <value>

Where <value> is the IPv4 address, IPv6 address, IP range, or IP subnet of the satellite device that you want to add.

For example:

username@hostname> set global-protect global-protect-portal portal gp-portal-1 satellite-serial-number-ip-auth satellite-ip-allowlist entry 192.0.2.0-192.0.2.100

You can also exclude a specific range of IP addresses from the satellite-ip-allowlist that you don't wish to configure as satellites. To do this, use the following command:

username@hostname> set global-protect global-protect-portal portal <portal_name> satellite-serial-number-ip-auth satellite-ip-exclude-from range <ip-address> exclude-list <value>

Where satellite-ip-exclude-from range <ip-address> is the IPv4 or IPv6 subnet or range of IP addresses that you want to exclude from being configured as satellite devices. The IP addresses that you want to exclude must be within the IP address range that you configured in the satellite-ip-allowlist.

For example:

username@hostname> set global-protect global-protect-portal portal gp-portal-1 satellite-serial-number-ip-auth satellite-ip-exclude-from range 192.0.2.0-192.0.2.100 exclude-list 192.0.2.20-192.0.2.30

We support the following IPv4 and IPv6 address formats to configure the satellite-ip-allowlist.

Table 11: Supported IPv4 and IPv6 Address Formats

IP Address Format | IPv4 Address | IPv6 Address
A specific IP address | x.x.x.x (for example, 192.0.2.0) | xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx (for example, 2001:db8::)
IP address subnet | x.x.x.x/x (for example, 192.0.2.0/24) | xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/y (for example, 2001:db8::/32)
IP address range | x.x.x.x-x.x.x.x (for example, 192.0.2.10-192.0.2.20) | xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx-xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx

(HA deployments only) The added satellite IP address list is synchronized among the HA peers.

  • Ensure that Enable Config Sync (select Device > High Availability > General) is enabled on your HA configuration before configuring the Serial number and IP address Authentication method. This setting, which is enabled by default, is required to synchronize the two firewall configurations.
  • You must add the satellite device serial number first that allows the portal to select the correct satellite configuration.
  • If the satellite devices in the HA pair use different IP addresses, then configure both the IP addresses in the satellite IP allow list on the portal.
  2. Enter the following operational command per portal to configure a retry interval for the serial number and IP address authentication in case of failure in establishing the authentication method.

username@hostname> set global-protect global-protect-portal portal <name> satellite-serial-number-ip-auth retry-interval <value>

The retry interval range is 5 to 86,400 seconds and the default value is 5 seconds.

For example:

username@hostname> set global-protect global-protect-portal portal gp-portal-1 satellite-serial-number-ip-auth retry-interval 100

(HA deployments only) The authentication retry interval is synchronized among the HA peers.

  3. Enter the following operational command to enable the Serial number and IP address Authentication method on the firewall configured as a portal.

username@hostname> set global-protect satellite-serial-number-ip-auth enable

The serial number and IP address authentication method is disabled by default.

When the Serial number and IP address Authentication is enabled and the satellite authentication fails, the satellite retries the authentication process after the configured retry interval. There is no fallback mechanism to Username/Password and Satellite Cookie based authentication if the Serial number and IP address Authentication method fails to be established.

If attempting to enable the Serial number and IP address Authentication method results in failure, check for the following:

Enter any random username and password (or just press enter) in the pop-up dialog on the satellite to retrigger the authentication process in the following cases:

(HA deployments only) The serial number and IP address authentication method that is enabled is synchronized among the HA peers.
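As an added illustration (constructed here, not Palo Alto Networks code or the PAN-OS implementation), the following Python models the portal-side logic that the steps above describe: the allow-list and exclude-list entry formats from Table 11, the rule that an exclude range must lie inside the satellite-ip-allowlist, the 5 to 86,400 second retry interval, and the decision table for which authentication method is established. The addresses are the page's own examples; the serial number EXAMPLE-SERIAL-001 is a placeholder.

```python
# Constructed model (not Palo Alto Networks code) of the portal-side checks behind
# the Serial number and IP address Authentication method: allow-list / exclude-list
# entries in the Table 11 formats, the retry-interval range, and the decision table.
import ipaddress
from dataclasses import dataclass, field


def parse_entry(value: str):
    """Return the (first, last) address pair covered by one list entry.

    Accepted forms are the ones in Table 11: a single address, a subnet with a
    prefix length, or a low-high range, in either IPv4 or IPv6."""
    value = value.strip()
    if "-" in value:                                   # range: x.x.x.x-x.x.x.x
        lo, hi = (ipaddress.ip_address(p.strip()) for p in value.split("-", 1))
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"invalid IP range: {value}")
        return lo, hi
    if "/" in value:                                   # subnet: x.x.x.x/x or v6/y
        net = ipaddress.ip_network(value, strict=False)
        return net[0], net[-1]
    addr = ipaddress.ip_address(value)                 # a specific address
    return addr, addr


def _covers(outer, inner) -> bool:
    """True when range `outer` fully contains range `inner` (same IP version)."""
    (olo, ohi), (ilo, ihi) = outer, inner
    return olo.version == ilo.version and olo <= ilo and ihi <= ohi


@dataclass
class PortalSerialIpAuth:
    """Per-portal state set by the operational commands in STEP 3."""
    enabled: bool = False                # disabled by default
    retry_interval: int = 5              # seconds; default is 5
    allowlist: list = field(default_factory=list)
    excludelist: list = field(default_factory=list)
    registered_serials: set = field(default_factory=set)

    def add_allowlist_entry(self, value: str) -> None:
        self.allowlist.append(parse_entry(value))

    def add_exclude(self, exclude_from: str, value: str) -> None:
        """Mirror of 'satellite-ip-exclude-from range <r> exclude-list <v>': the
        exclude-from range must already be inside the allow list, and the
        excluded value must lie inside that range."""
        outer, inner = parse_entry(exclude_from), parse_entry(value)
        if not any(_covers(a, outer) for a in self.allowlist):
            raise ValueError("exclude-from range is not within the satellite-ip-allowlist")
        if not _covers(outer, inner):
            raise ValueError("exclude-list value is not within the exclude-from range")
        self.excludelist.append(inner)

    def set_retry_interval(self, seconds: int) -> None:
        if not 5 <= seconds <= 86_400:
            raise ValueError("retry interval must be between 5 and 86,400 seconds")
        self.retry_interval = seconds

    def ip_allowed(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        single = (addr, addr)
        allowed = any(_covers(a, single) for a in self.allowlist)
        excluded = any(_covers(e, single) for e in self.excludelist)
        return allowed and not excluded

    def decide(self, serial: str, ip: str):
        """Outcome of one satellite connection attempt, following the table:
        returns (established_method, retry_after_seconds)."""
        if not self.enabled:
            # Retry interval, serial number and IP are not checked; default method applies.
            return ("username-password-and-satellite-cookie", None)
        if serial not in self.registered_serials:
            return ("fail", self.retry_interval)       # IP address is not checked
        if not self.ip_allowed(ip):
            return ("fail", self.retry_interval)       # no fallback to the default method
        return ("serial-number-and-ip", None)


def build_example_portal() -> PortalSerialIpAuth:
    """Constructed sample reproducing the page's CLI examples for gp-portal-1."""
    portal = PortalSerialIpAuth()
    portal.add_allowlist_entry("192.0.2.0-192.0.2.100")                  # page example
    portal.add_allowlist_entry("2001:db8::/32")                           # Table 11 example
    portal.add_exclude("192.0.2.0-192.0.2.100", "192.0.2.20-192.0.2.30")  # page example
    portal.set_retry_interval(100)                                        # page example
    portal.registered_serials.add("EXAMPLE-SERIAL-001")                   # placeholder serial
    portal.enabled = True
    return portal


if __name__ == "__main__":
    portal = build_example_portal()
    for serial, ip in [("EXAMPLE-SERIAL-001", "192.0.2.10"),
                       ("EXAMPLE-SERIAL-001", "192.0.2.25"),
                       ("EXAMPLE-SERIAL-001", "2001:db8::1"),
                       ("UNKNOWN-SERIAL", "192.0.2.10")]:
        print(serial, ip, "->", portal.decide(serial, ip))
```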

STEP 4 | (Optional) Use the following operational commands to disable, delete, or view information about the serial number and IP address authentication method.

  1. Enter the following command to disable the serial number and IP address authentication method on the firewall.

username@hostname> set global-protect satellite-serial-number-ip-auth disable

(HA deployments only) The serial number and IP address authentication method that is disabled is synchronized among the HA peers.

  2. Enter the following command to view all the information related to the serial number and IP address authentication method on the portal.

username@hostname> show global-protect-portal global-protect-portal portal <name> satellite-serial-number-ip-auth all

  3. Enter the following command to view whether the serial number and IP address authentication method is enabled or disabled on the firewall configured as a portal.

username@hostname> show global-protect-portal satellite-serial-number-ip-auth status

  4. Enter the following command per portal to view the serial number and IP address retry interval.

username@hostname> show global-protect-portal global-protect-portal portal <name> satellite-serial-number-ip-auth retry-interval

  5. Enter the following command per portal to view all the configured allowed satellite device IP addresses.

This command displays both the IPv4 and IPv6 addresses that you have configured in the satellite IP allow list, in sorted order.

username@hostname> show global-protect-portal global-protect-portal portal <name> satellite-serial-number-ip-auth satellite-ip-allowlist

  6. Enter the following command per portal to delete a satellite device IP address from the satellite IP allow list.

username@hostname> delete global-protect global-protect-portal portal <portal_name> satellite-ip-list allowlist-entry ipaddress <value>

Where <value> is the IPv4 address, IPv6 address, IP address range, or IP address subnet of the satellite device you want to delete.

(HA deployments only) The deletion of a satellite device IP address from the satellite IP allow list is synchronized among the HA peers.

  7. Enter the following command per portal to delete a satellite device IP address from the satellite IP exclude list. You can delete only the entries that are added in the IP address exclude list. By deleting the entries from the exclude list, you are allowing these IP addresses to be configured in the satellite IP allow list.

username@hostname> delete global-protect global-protect-portal portal <portal_name> satellite-ip-list excludelist-entry ip <value>

Where <value> is the IPv4 address, IPv6 address, IP address range, or IP address subnet of the satellite device you want to delete from the exclude list entry.

(HA deployments only) The deletion of a satellite device IP address from the satellite IP exclude list is synchronized among the HA peers.

  8. Enter the following command per portal to delete all satellite device IP addresses from the satellite IP allow list.

username@hostname> delete global-protect global-protect-portal portal <name> satellite-ip-list satellite-ip-allowlist-all

(HA deployments only) The deletion of the satellite IP address list is synchronized among the HA peers.

Configure GlobalProtect Gateways for LSVPN

Because the GlobalProtect configuration that the portal delivers to the satellites includes the list of gateways the satellite can connect to, it’s a good idea to configure the gateways before configuring the portal.

Before you can configure the GlobalProtect gateway, you must complete the following tasks:

Configure each GlobalProtect gateway to participate in the LSVPN as follows:

STEP 1 | Add a gateway.

  1. Select Network > GlobalProtect > Gateways and click Add.

  2. In the General screen, enter a Name for the gateway. The gateway name should have no spaces and, as a best practice, should include the location or other descriptive information to help users and administrators identify the gateway.

  3. (Optional) Select the virtual system to which this gateway belongs from the Location field.

STEP 2 | Specify the network information that enables satellite devices to connect to the gateway.

If you haven’t created the network interface for the gateway, see Create Interfaces and Zones for the LSVPN for instructions.

  1. Select the Interface that satellites will use for ingress access to the gateway.

  2. Specify the IP Address Type and IP address for gateway access:

    • The IP address type can be IPv4 (only), IPv6 (only), or IPv4 and IPv6. Use IPv4 and IPv6 if your network supports dual stack configurations, where IPv4 and IPv6 run at the same time.

    • The IP address must be compatible with the IP address type. For example, 172.16.1/0 for IPv4 addresses or 21DA:D3:0:2F3B for IPv6 addresses. For dual stack configurations, enter both an IPv4 and IPv6 address.

  3. Click OK to save changes.

STEP 3 | Specify how the gateway authenticates satellites attempting to establish tunnels. If you haven’t yet created an SSL/TLS Service Profile for the gateway, see Deploy Server Certificates to the GlobalProtect LSVPN Components.

If you haven’t set up the authentication profiles or certificate profiles, see Configure the Portal to Authenticate Satellites for instructions.

If you have not yet set up the certificate profile, see Enable SSL Between GlobalProtect LSVPN Components for instructions.

On the GlobalProtect Gateway configuration dialog, select Authentication and then configure any of the following:

STEP 4 | Configure the tunnel parameters and enable tunneling.

  1. On the GlobalProtect Gateway configuration dialog, select Satellite > Tunnel Settings.

  2. Select the Tunnel Configuration check box to enable tunneling.

  3. Select the Tunnel Interface that you defined to terminate VPN tunnels established by the GlobalProtect satellites when you performed the task to Create Interfaces and Zones for the LSVPN.

  4. (Optional) If you want to preserve the Type of Service (ToS) information in the encapsulated packets, select Copy TOS.

    If there are multiple sessions inside the tunnel (each with a different ToS value), copying the ToS header can cause the IPSec packets to arrive out of order.

STEP 5 | (Optional) Enable tunnel monitoring.

Tunnel monitoring enables a satellite to monitor its gateway tunnel connection and fail over to a backup gateway if the connection fails. Failover to another gateway is the only type of tunnel monitoring profile supported with LSVPN.

  1. Select the Tunnel Monitoring check box.

  2. Specify the Destination IP Address that the satellites should use to determine if the gateway is active. You can specify an IPv4 address, an IPv6 address, or both. Alternatively, if you configured an IP address for the tunnel interface, you can leave this field blank and the tunnel monitor will instead use the tunnel interface to determine if the connection is active.

  3. Select Failover from the Tunnel Monitor Profile drop-down (this is the only supported tunnel monitor profile for LSVPN).

STEP 6 | Select the IPSec Crypto profile to use when establishing tunnel connections.

The profile specifies the type of IPSec encryption and the authentication method for securing the data that will traverse the tunnel. Because both tunnel endpoints in an LSVPN are trusted firewalls within your organization, you can typically use the default (predefined) profile, which uses ESP as the IPSec protocol, group2 for the DH group, AES-128-CBC for encryption, and SHA-1 for authentication.

In the IPSec Crypto Profile drop-down, select default to use the predefined profile or select New IPSec Crypto Profile to define a new profile.

STEP 7 | Configure the network settings to assign the satellites during establishment of the IPSec tunnel.

  1. On the GlobalProtect Gateway configuration dialog, select Satellite > Network Settings.

  2. (Optional) If clients local to the satellite need to resolve FQDNs on the corporate network, configure the gateway to push DNS settings to the satellites in one of the following ways:

    • If the gateway has an interface that is configured as a DHCP client, you can set the Inheritance Source to that interface and assign the same settings received by the DHCP client to GlobalProtect satellites. You can also inherit the DNS suffix from the same source.

  3. To specify the IP Pool of addresses to assign to the tunnel interface on the satellites when the VPN is established, click Add and then specify the IP address range(s) to use.

  4. To define which destination subnets to route through the tunnel, click Add in the Access Route area and then enter the routes as follows:

    • If you want to route all traffic from the satellites through the tunnel, leave this field blank.

    If Access Route is left blank on the Gateway, all traffic from the Satellite (except local subnet traffic) will be tunneled. This effectively creates a default route for the Satellite through the Gateway.

STEP 8 | (Optional) Define what routes, if any, the gateway will accept from satellites.

By default, the gateway won’t add any routes that the satellites advertise to its routing table. If you don’t want the gateway to accept routes from satellites, you don’t need to complete this step.

  1. To enable the gateway to accept routes advertised by satellites, select Satellite > Route Filter .

  2. Select the Accept published routes check box.

  3. To filter which of the routes advertised by the satellites are added to the gateway routing table, click Add and then define the subnets to include. For example, if all the satellites are configured with subnet 192.168.x.0/24 on the LAN side, configure a permitted route of 192.168.0.0/16 so that the gateway accepts a route from a satellite only if it falls within the 192.168.0.0/16 subnet.

STEP 9 | Save the gateway configuration.

  1. Click OK to save the settings and close the GlobalProtect Gateway configuration dialog.

  2. Commit the configuration.

Configure the GlobalProtect Portal for LSVPN

The GlobalProtect portal provides the management functions for your GlobalProtect LSVPN. Every satellite system that participates in the LSVPN receives configuration information from the portal, including information about available gateways as well as the certificate it needs in order to connect to the gateways.

GlobalProtect Portal for LSVPN Prerequisite Tasks

Before configuring the GlobalProtect portal, you must complete the following tasks:

Configure the Portal

After you’ve completed the GlobalProtect Portal for LSVPN Prerequisite Tasks, configure the GlobalProtect portal as follows:

STEP 1 | Add the portal.

  1. Select Network > GlobalProtect > Portals and click Add.

  2. On the General tab, enter a Name for the portal. The portal name shouldn’t contain any spaces.

  3. (Optional) Select the virtual system to which this portal belongs from the Location field.

STEP 2 | Specify the network information to enable satellites to connect to the portal.

If you haven’t yet created the network interface for the portal, see Create Interfaces and Zones for the LSVPN for instructions.

  1. Select the Interface that satellites will use for ingress access to the portal.

  2. Specify the IP Address Type and IP address for satellite access to the portal:

    • The IP address type can be IPv4 (for IPv4 traffic only), IPv6 (for IPv6 traffic only), or IPv4 and IPv6. Use IPv4 and IPv6 if your network supports dual stack configurations, where IPv4 and IPv6 run at the same time.

    • The IP address must be compatible with the IP address type. For example, 172.16.1/0 for IPv4 addresses or 21DA:D3:0:2F3B for IPv6 addresses. For dual stack configurations, enter both an IPv4 and IPv6 address.

  3. Click OK to save changes.

STEP 3 | Specify an SSL/TLS Service Profile to use to enable the satellite to establish an SSL/TLS connection to the portal.

If you haven’t yet created an SSL/TLS Service Profile for the portal and issued gateway certificates, see Deploy Server Certificates to the GlobalProtect LSVPN Components.

  1. On the GlobalProtect portal configuration dialog, select Authentication.

  2. Select the SSL/TLS Service Profile.

STEP 4 | Specify an authentication profile and optional Certificate Profile for authenticating satellites.

The first time a Satellite connects to the Portal, it typically uses local database authentication (Username/Password). Subsequent connections use a satellite cookie issued by the Portal.

Add a Client Authentication, and then enter a Name to identify the configuration, select OS: Satellite to apply the configuration to all satellites, and specify the Authentication Profile to use to authenticate satellite devices. You can also specify a Certificate Profile for the portal to use to authenticate satellite devices.

STEP 5 | Continue with defining the configurations to push to the satellites or, if you’ve already created the satellite configurations, save the portal configuration.

Click OK to save the portal configuration or continue to Define the Satellite Configurations.

Define the Satellite Configurations

When a GlobalProtect satellite connects and successfully authenticates to the GlobalProtect portal, the portal delivers a satellite configuration, which specifies what gateways the satellite can connect to. If all your satellites will use the same gateway and certificate configurations, you can create a single satellite configuration to deliver to all satellites upon successful authentication. However, if you require different satellite configurations—for example if you want one group of satellites to connect to one gateway and another group of satellites to connect to a different gateway—you can create a separate satellite configuration for each. The portal will then use the enrollment username/group name or the serial number of the satellite to determine which satellite configuration to deploy. As with security rule evaluation, the portal looks for a match starting from the top of the list. When it finds a match, it delivers the corresponding configuration to the satellite.

For example, the following figure shows a network in which some branch offices require VPN access to the corporate applications protected by your perimeter firewalls and another site needs VPN access to the data center.

LSVPN with Multiple Satellite Configurations
LSVPN network with different satellite configurations for varied access needs.

Use the following procedure to create one or more satellite configurations.

STEP 1 | Add a satellite configuration.

The satellite configuration specifies the GlobalProtect LSVPN configuration settings to deploy to the connecting satellites. You must define at least one satellite configuration.

  1. Select Network > GlobalProtect > Portals and select the portal configuration for which you want to add a satellite configuration and then select the Satellite tab.

  2. In the Satellite section, click Add.

  3. Enter a Name for the configuration.

    If you plan to create multiple configurations, make sure that the name you define for each is descriptive enough to allow you to distinguish them.

  4. To change how often a satellite should check the portal for configuration updates, specify a value in the Configuration Refresh Interval (hours) field (range is 1-48; default is 24).

STEP 2 | Specify the satellites to which to deploy this configuration.

Portal matches Satellites to configurations based on Enrollment User/Group or Device Serial Numbers. Order matters: more specific configurations must precede general ones.

Specify the match criteria for the satellite configuration as follows:

STEP 3 | Specify the gateways that satellites with this configuration can establish VPN tunnels with.

Routes published by the gateway are installed on the satellite as static routes. The metric for the static route is 10x the routing priority. Ensure routing priorities are set correctly if using multiple gateways to control preference.

  1. On the Gateways tab, click Add.

  2. Enter a descriptive Name for the gateway. The name you enter here should match the name you defined when you configured the gateway and should be descriptive enough to identify the location of the gateway.

  3. Enter the FQDN or IP address of the interface where the gateway is configured in the Gateways field. The address you specify must exactly match the Common Name (CN) in the gateway server certificate.

  4. (Optional) If you’re adding two or more gateways to the configuration, the Routing Priority helps the satellite pick the preferred gateway. Enter a value in the range of 1-25, with lower numbers having the higher priority (that is, the gateway the satellite will connect to if all gateways are available). The satellite will multiply the routing priority by 10 to determine the routing metric.

STEP 4 | Save the satellite configuration.

  1. Click OK to save the satellite configuration.

  2. If you want to add another satellite configuration, repeat the previous steps.

STEP 5 | Arrange the satellite configurations so that the proper configuration is deployed to each satellite.

STEP 6 | Specify the certificates required to enable satellites to participate in the LSVPN.

  1. In the Trusted Root CA field, click Add and then select the CA certificate used to issue the gateway server certificates. The portal will deploy the root CA certificate you add here to all satellites as part of the configuration to enable the satellite to establish an SSL connection with the gateways. As a best practice, all of your gateways should use the same issuer.

  2. Select the method of Client Certificate distribution:

    • To store the client certificates on the portal, select Local and, from the Issuing Certificate drop-down, select the root CA certificate that the portal will use to issue client certificates to satellites after successfully authenticating them.

STEP 7 | Save the portal configuration.

  1. Click OK to save the settings and close the GlobalProtect portal configuration dialog.

  2. Commit your changes.

Prepare the Satellite to Join the LSVPN

To participate in the LSVPN, the satellites require a minimal amount of configuration. Because the required configuration is minimal, you can pre-configure the satellites before shipping them to your branch offices for installation.

STEP 1 | Configure a Layer 3 Interface.

This is the physical interface that the satellite will use to connect to the portal and the gateway. This interface must be in a zone that allows access outside of the local trust network. As a best practice, create a dedicated zone for VPN connections for visibility and control over traffic destined for the corporate gateways.

STEP 2 | Configure the logical tunnel interface for the tunnel to use to establish VPN tunnels with the GlobalProtect gateways.

  1. Select Network > Interfaces > Tunnel and click Add.

  2. In the Interface Name field, specify a numeric suffix, such as .2.

  3. On the Config tab, expand the Security Zone drop-down and select an existing zone or create a separate zone for VPN tunnel traffic by clicking New Zone and defining a Name for the new zone (for example lsvpnsat).

  4. In the Virtual Router drop-down, select default.

  5. (Optional) To assign an IP address to the tunnel interface:

    • For an IPv4 address, select IPv4 and Add the IP address and network mask to assign to the interface, for example 203.0.11.100/24.

    • For an IPv6 address, select IPv6, Enable IPv6 on the interface, and Add the IP address and network mask to assign to the interface, for example 2001:1890:12f2:11::10.1.8.160/80.

  6. To save the interface configuration, click OK.

STEP 3 | If you generated the portal server certificate using a root CA that isn’t trusted by the satellites (for example, if you used self-signed certificates), import the root CA certificate used to issue the portal server certificate.

This step is crucial for initial Satellite-to-Portal communication. The Satellite must trust the Portal's server certificate.

The root CA certificate is required to enable the satellite to establish the initial connection with the portal to obtain the LSVPN configuration.

  1. Download the CA certificate that was used to generate the portal server certificates. If you’re using self-signed certificates, export the root CA certificate from the portal as follows:

    1. Select Device > Certificate Management > Certificates, then Device Certificates.

    2. Select the CA certificate, and click Export.

    3. Select Base64 Encoded Certificate (PEM) from the File Format drop-down and click OK to download the certificate. (You don't need to export the private key.)

  2. Import the root CA certificate that you exported onto each satellite as follows.

    1. Select Device > Certificate Management > Certificates, then Device Certificates. Select Import.

    2. Enter a Certificate Name that identifies the certificate as your client CA certificate.

    3. Browse to the Certificate File that you downloaded from the CA.

    4. Select Base64 Encoded Certificate (PEM) as the File Format and then click OK.

    5. Select the certificate that you imported on the Device Certificates tab to open it.

    6. Select Trusted Root CA and then click OK.

STEP 4 | Configure the IPSec tunnel configuration.

  1. Select Network > IPSec Tunnels and click Add.

  2. On the General tab, enter a descriptive Name for the IPSec configuration.

  3. Select the Tunnel Interface that you created for the satellite.

  4. Select GlobalProtect Satellite as the Type.

  5. Enter the IP address or FQDN of the portal as the Portal Address.

  6. Select the Layer 3 Interface you configured for the satellite.

  7. Select the IP Address to use on the selected interface. You can select an IPv4 address, an IPv6 address, or both. Specify if you want IPv6 preferred for portal registration.

STEP 5 | (Optional) Configure the satellite to publish local routes to the gateway.

Pushing routes to the gateway enables traffic to the subnets local to the satellite via the gateway. However, you must also configure the gateway to accept the routes as detailed in Configure GlobalProtect Gateways for LSVPN.

  1. To enable the satellite to push routes to the gateway, on the Advanced tab select Publish all static and connected routes to Gateway.

    If you select this check box, the firewall will forward all static and connected routes from the satellite to the gateway. However, to prevent routing loops, the firewall filters out the following routes and does not publish them:

    • Default routes

    • Routes within a virtual router other than the virtual router associated with the tunnel interface

    • Routes using the tunnel interface

    • Routes using the physical interface associated with the tunnel interface

  2. (Optional) If you only want to push routes for specific subnets rather than all routes, click Add in the Subnet section and specify which subnet routes to publish.
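The following added example (not PAN-OS code) models the two route filters this page describes: the satellite's loop-prevention filters and optional subnet restriction from this step, and the gateway's Route Filter from STEP 8 of Configure GlobalProtect Gateways for LSVPN, using the 192.168.0.0/16 permitted route from that step. The route table, interface names and virtual router names are constructed for illustration.

```python
"""Model of LSVPN route publication (satellite) and acceptance (gateway).

Added example; it is not Palo Alto Networks code. It reproduces the
filtering rules stated in the documentation on constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Iterable, List, Optional, Sequence


@dataclass(frozen=True)
class Route:
    prefix: str      # destination, e.g. "192.168.10.0/24" (constructed)
    vr: str          # virtual router that holds the route
    interface: str   # egress interface of the route


def _within(prefix: str, subnet: str) -> bool:
    """True if prefix lies inside subnet (same address family only)."""
    net, sub = ip_network(prefix, strict=False), ip_network(subnet, strict=False)
    return net.version == sub.version and net.subnet_of(sub)


def satellite_publish(routes: Iterable[Route], tunnel_vr: str, tunnel_if: str,
                      physical_if: str,
                      subnets: Optional[Sequence[str]] = None) -> List[Route]:
    """Routes a satellite publishes when 'Publish all static and connected
    routes to Gateway' is enabled.

    Loop-prevention filters from STEP 5: default routes, routes in a virtual
    router other than the tunnel's, routes via the tunnel interface, and
    routes via the physical interface under the tunnel are never published.
    If 'subnets' is given (the Subnet section), only routes inside one of
    those subnets are published.
    """
    published = []
    for r in routes:
        if ip_network(r.prefix, strict=False).prefixlen == 0:
            continue                       # default route (0.0.0.0/0, ::/0)
        if r.vr != tunnel_vr:
            continue                       # different virtual router
        if r.interface in (tunnel_if, physical_if):
            continue                       # would loop through the tunnel
        if subnets is not None and not any(_within(r.prefix, s) for s in subnets):
            continue                       # outside the chosen subnets
        published.append(r)
    return published


def gateway_accept(published: Iterable[Route], accept_published: bool,
                   permitted: Sequence[str] = ()) -> List[Route]:
    """Routes the gateway installs, per STEP 8 of the gateway configuration.

    With 'Accept published routes' cleared (the default) nothing is
    installed. With no Route Filter entries every published route is
    accepted; otherwise only routes inside a permitted subnet are.
    """
    if not accept_published:
        return []
    if not permitted:
        return list(published)
    return [r for r in published if any(_within(r.prefix, p) for p in permitted)]


# Constructed routing table of one branch satellite. Its tunnel (tunnel.2)
# lives in virtual router "default" and rides on uplink ethernet1/1.
SAMPLE_SATELLITE_ROUTES = [
    Route("0.0.0.0/0", "default", "ethernet1/1"),        # default via WAN
    Route("192.168.10.0/24", "default", "ethernet1/2"),  # branch LAN (connected)
    Route("192.168.11.0/24", "default", "ethernet1/2"),  # second LAN (static)
    Route("10.99.0.0/16", "default", "tunnel.2"),        # learned via the tunnel
    Route("198.51.100.0/24", "default", "ethernet1/1"),  # via the physical uplink
    Route("172.20.0.0/24", "guest-vr", "ethernet1/3"),   # other virtual router
    Route("10.50.0.0/24", "default", "ethernet1/2"),     # LAN outside 192.168/16
]


def demo() -> List[str]:
    """Run both filters over the sample table; returns installed prefixes."""
    published = satellite_publish(SAMPLE_SATELLITE_ROUTES, "default",
                                  "tunnel.2", "ethernet1/1")
    installed = gateway_accept(published, True, ["192.168.0.0/16"])
    return [r.prefix for r in installed]


if __name__ == "__main__":
    for prefix in demo():
        print("gateway installs", prefix)
```

Only the two 192.168.x.0/24 LAN routes survive both filters; 10.50.0.0/24 is published by the satellite but rejected by the gateway's 192.168.0.0/16 permitted route.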

STEP 6 | Save the satellite configuration.

  1. Click OK to save the IPSec tunnel settings.

  2. Click Commit.

STEP 7 | If required, provide the credentials to allow the satellite to authenticate to the portal.

To authenticate to the portal for the first time, the satellite administrator must provide the username and password associated with the satellite admin account in the local database.

  1. Select Network > IPSec Tunnels and click the Gateway Info link in the Status column of the tunnel configuration you created for the LSVPN.

  2. Click the enter credentials link in the Portal Status field and provide the username and password to authenticate the satellite to the portal.

After the satellite successfully authenticates to the portal, it will receive its signed certificate and configuration, which it will use to connect to the gateway(s). You should see that the tunnel is established and the Status changes to Active.

Verify the LSVPN Configuration

After configuring the portal, gateways, and satellites, verify that the satellites are able to connect to the portal and gateway and establish VPN tunnels with one or more gateways.

STEP 1 | Verify satellite connectivity with portal.

From the firewall hosting the portal, verify that the satellites are successfully connecting by selecting Network > GlobalProtect > Portal and clicking Satellite Info in the Info column of the portal configuration entry.

STEP 2 | Verify satellite connectivity with the gateway(s).

On each firewall hosting a gateway, verify that satellites are able to establish VPN tunnels by selecting Network > GlobalProtect > Gateways and clicking Satellite Info in the Info column of the gateway configuration entry. Satellites that have successfully established tunnels with the gateway are listed on the Active Satellites tab.

STEP 3 | Verify LSVPN tunnel status on the satellite.

On each firewall hosting a satellite, verify the tunnel status by selecting Network > IPSec Tunnels and confirming that the Status is active, as indicated by a green icon.

Key verification points for LSVPN:

  • Portal: Check Satellite Info (Network > GlobalProtect > Portal).
  • Gateway: Check Satellite Info for active tunnels (Network > GlobalProtect > Gateways).
  • Satellite: Check IPSec Tunnel status (Network > IPSec Tunnels).
  • Logs: System, GlobalProtect, and VPN logs are invaluable for troubleshooting.

LSVPN Quick Configs

The following sections provide step-by-step instructions for configuring some common GlobalProtect LSVPN deployments:

Basic LSVPN Configuration with Static Routing

This quick configuration shows the fastest way to get up and running with LSVPN. In this example, a single firewall at the corporate headquarters site is configured as both a portal and a gateway. Satellites can be quickly and easily deployed with minimal configuration for optimized scalability.

Basic LSVPN with Static Routing
Diagram of a basic LSVPN setup with combined Portal/Gateway and static routing.

The following workflow shows the steps for setting up this basic configuration:

STEP 1 | Configure a Layer 3 interface.

In this example, the Layer 3 interface on the portal/gateway requires the following configuration:

STEP 2 | On the firewall(s) hosting GlobalProtect gateway(s), configure the logical tunnel interface that will terminate VPN tunnels established by the GlobalProtect satellites.

In this example, the Tunnel interface on the portal/gateway requires the following configuration:

STEP 3 | Create the Security policy rule to enable traffic flow between the VPN zone where the tunnel terminates (lsvpn-tun) and the trust zone where the corporate applications reside (L3Trust).

STEP 4 | Assign an SSL/TLS Service profile to the portal/gateway. The profile must reference a self-signed server certificate.

The certificate subject name must match the FQDN or IP address of the Layer 3 interface you create for the portal/gateway.

  1. On the firewall hosting the GlobalProtect portal, create the root CA certificate for signing the certificates of the GlobalProtect components. In this example, the root CA certificate, lsvpn-CA, will be used to issue the server certificate for the portal/gateway.

    In addition, the portal will use this root CA certificate to sign the CSRs from the satellites.

  2. Create SSL/TLS service profiles for the GlobalProtect portal and gateways.

    Because the portal and gateway are on the same interface in this example, they can share an SSL/TLS Service profile that uses the same server certificate. In this example, the profile is named lsvpnserver.

STEP 5 | Create a certificate profile.

In this example, the Certificate Profile lsvpn-profile references the root CA certificate lsvpn-CA. The gateway will use this Certificate Profile to authenticate satellites attempting to establish VPN tunnels.

STEP 6 | Configure the portal to authenticate satellites using local database authentication.

STEP 7 | Configure GlobalProtect Gateways for LSVPN.

Select Network > GlobalProtect > Gateways and Add a configuration. This example requires the following gateway configuration:

STEP 8 | Configure the Portal.

Select Network > GlobalProtect > Portal and Add a configuration. This example requires the following portal configuration:

STEP 9 | Define the Satellite Configurations.

On the Satellite tab in the portal configuration, Add a Satellite configuration and a Trusted root CA, and specify the CA the portal will use to issue certificates for the satellites. In this example, the required settings are as follows:

STEP 10 | Prepare the Satellite to Join the LSVPN.

The satellite configuration in this example requires the following settings:

Interface configuration

Root CA Certificate from Portal

IPSec Tunnel configuration

Advanced LSVPN Configuration with Dynamic Routing

In larger LSVPN deployments with multiple gateways and many satellites, investing a little more time in the initial configuration to set up dynamic routing will simplify the maintenance of gateway configurations because access routes will update dynamically. The following example configuration shows how to extend the basic LSVPN configuration to configure OSPF as the dynamic routing protocol.

Setting up an LSVPN to use OSPF for dynamic routing requires the following additional steps on the gateways and the satellites:

Although dynamic routing requires additional setup during the initial configuration of the LSVPN, it reduces the maintenance tasks associated with keeping routes up to date as topology changes occur on your network.

The following figure shows an LSVPN dynamic routing configuration. This example shows how to configure OSPF as the dynamic routing protocol for the VPN.

Advanced LSVPN with Dynamic Routing (OSPF)
LSVPN setup using OSPF for dynamic routing.

For a basic setup of a LSVPN, follow the steps in Basic LSVPN Configuration with Static Routing. You can then complete the steps in the following workflow to extend the configuration to use dynamic routing rather than static routing.

STEP 1 | Add an IP address to the tunnel interface configuration on each gateway and each satellite.

Complete the following steps on each gateway and each satellite:

  1. Select Network > Interfaces > Tunnel and select the tunnel configuration you created for the LSVPN to open the Tunnel Interface dialog.

    If you haven’t yet created the tunnel interface, see step 2 in Create Interfaces and Zones for the LSVPN.

  2. On the IPv4 tab, click Add and then enter an IP address and subnet mask. For example, to add an IP address for the gateway tunnel interface you would enter 2.2.2.100/24.

  3. Click OK to save the configuration.

STEP 2 | Configure the dynamic routing protocol on the gateway.

To configure OSPF on the gateway:

  1. Select Network > Virtual Routers and select the virtual router associated with your VPN interfaces.

  2. On the Areas tab, click Add to create the backbone area, or, if it’s already configured, click on the area ID to edit it.

  3. If you’re creating a new area, enter an Area ID on the Type tab.

  4. On the Interface tab, click Add and select the tunnel Interface you created for the LSVPN.

  5. Select p2mp as the Link Type .

  6. Click Add in the Neighbors section and enter the IP address of the tunnel interface of each satellite, for example 2.2.2.111.

  7. Click OK twice to save the virtual router configuration and then Commit the changes on the gateway.

  8. Repeat this step each time you add a new satellite to the LSVPN.

STEP 3 | Configure the dynamic routing protocol on the satellite.

To configure OSPF on the satellite:

  1. Select Network > Virtual Routers and select the virtual router associated with your VPN interfaces.

  2. On the Areas tab, click Add to create the backbone area, or, if it’s already configured, click on the area ID to edit it.

  3. If you’re creating a new area, enter an Area ID on the Type tab.

  4. On the Interface tab, click Add and select the tunnel Interface you created for the LSVPN.

  5. Select p2mp as the Link Type .

  6. Click Add in the Neighbors section and enter the IP address of the tunnel interface of each GlobalProtect gateway, for example 2.2.2.100.

  7. Click OK twice to save the virtual router configuration and then Commit the changes on the satellite.

  8. Repeat this step each time you add a new gateway.

STEP 4 | Verify that the gateways and satellites are able to form router adjacencies.

Advanced LSVPN Configuration with iBGP

This use case illustrates how GlobalProtect LSVPN securely connects distributed office locations with primary and disaster recovery data centers that house critical applications for users and how an internal border gateway protocol (iBGP) eases deployment and upkeep. Using this method, you can extend up to 500 satellite offices connecting to a single gateway.

BGP is a highly scalable, dynamic routing protocol that is ideal for hub-and-spoke deployments such as LSVPN. As a dynamic routing protocol, it eliminates much of the overhead associated with access routes (static routes) by making it relatively easy to deploy additional satellite firewalls. Due to its route filtering capabilities and features such as multiple tunable timers, route dampening, and route refresh, BGP scales to a higher number of routing prefixes with greater stability than other routing protocols like RIP and OSPF. In the case of iBGP, a peer group, which includes all the satellites and gateways in the LSVPN deployment, establishes adjacencies over the tunnel endpoints. The protocol then implicitly takes control of route advertisements, updates, and convergence.

In this example configuration, an active/passive HA pair of PA-5200 firewalls is deployed in the primary (active) data center and acts as the portal and primary gateway. The disaster recovery data center also has two PA-5200s in an active/passive HA pair acting as the backup LSVPN gateway. The portal and gateways serve 500 PA-220s deployed as LSVPN satellites in branch offices.

Both data center sites advertise routes but with different metrics. As a result, the satellites prefer and install the active data center's routes. However, the backup routes also exist in the local routing information base (RIB). If the active data center fails, the routes advertised by that data center are removed and replaced with the routes from the disaster recovery data center. The failover time depends on the iBGP timers selected and on the routing convergence associated with iBGP.

Advanced LSVPN with iBGP and HA
LSVPN deployment with iBGP for dynamic routing and High Availability.

The following workflow shows the steps for configuring this deployment:

STEP 1 | Create Interfaces and Zones for the LSVPN.

Portal and primary gateway:

Satellite:

STEP 2 | On the firewall(s) hosting GlobalProtect gateway(s), configure the logical tunnel interface that will terminate VPN tunnels established by the GlobalProtect satellites.

Primary gateway:

STEP 3 | Enable SSL Between GlobalProtect LSVPN Components.

The gateway uses the self-signed root certificate authority (CA) to issue certificates for the satellites in a GlobalProtect LSVPN. Because one firewall houses the portal and primary gateway, a single certificate is used for authenticating to the satellites. The same CA is used to generate a certificate for the backup gateway. The CA generates certificates that are pushed to the satellites from the portal and then used by the satellites to authenticate to the gateways.

You must also generate a certificate from the same CA for the backup gateway, allowing it to authenticate with the satellites.

  1. On the firewall hosting the GlobalProtect portal, create the root CA certificate for signing the certificates of the GlobalProtect components. In this example, the root CA certificate is called CA-cert.

  2. Create SSL/TLS service profiles for the GlobalProtect portal and gateways. Because the GlobalProtect portal and primary gateway are the same firewall interface, you can use the same server certificate for both components.

    • Root CA Certificate: CA-cert

    • Certificate Name: LSVPN-Scale

  3. Deploy the self-signed server certificates to the gateways.

  4. Import the root CA certificate used to issue server certificates for the LSVPN components.

  5. Create a certificate profile.

  6. Repeat steps 2 through 5 on the backup gateway with the following settings:

    • Root CA Certificate: CA-cert

    • Certificate Name: LSVPN-backup-GW-cert

STEP 4 | Configure GlobalProtect Gateways for LSVPN.

  1. Select Network > GlobalProtect > Gateways and click Add.

  2. On the General tab, name the primary gateway LSVPN-Scale.

  3. Under Network Settings, select ethernet1/21 as the primary gateway interface and enter 172.16.22.1/24 as the IP address.

  4. On the Authentication tab, select the LSVPN-Scale certificate created in Step 3.

  5. Select Satellite > Tunnel Settings and select Tunnel Configuration. Set the Tunnel Interface to tunnel.5. All satellites in this use case connect to a single gateway, so a single satellite configuration is needed. Satellites are matched based on their serial numbers, so no satellite needs to authenticate as a user.

  6. On Satellite > Network Settings, define the pool of IP addresses to assign to the tunnel interface on each satellite once the VPN connection is established. Because this use case uses dynamic routing, the Access Routes setting remains blank.

  7. Repeat steps 1 through 5 on the backup gateway with the following settings:

    • Name: LSVPN-backup

    • Gateway interface: ethernet1/5

    • Gateway IP: 172.16.22.25/24

    • Server cert: LSVPN-backup-GW-cert

    • Tunnel interface: tunnel.1

STEP 5 | Configure iBGP on the primary and backup gateways and add a redistribution profile to allow the satellites to inject local routes back to the gateways.

Each satellite office manages its own network and firewall, so the redistribution profile called ToAllSat is configured to redistribute local routes back to the GlobalProtect gateway.

  1. Select Network > Virtual Routers and Add a virtual router.

  2. On Router Settings, add the Name and Interface for the virtual router.

  3. On Redistribution Profile, select Add.

    1. Name the redistribution profile ToAllSat and set the Priority to 1.

    2. Set Redistribute to Redist.

    3. Add ethernet1/23 from the Interface drop-down.

    4. Click OK.

  4. Select BGP on the virtual router to configure BGP.

    1. On BGP > General, select Enable.

    2. Enter the gateway IP address as the Router ID (172.16.22.1) and 1000 as the AS Number.

    3. In the Options section, select Install Route.

    4. On BGP > Peer Group, click Add to create a peer group containing all the satellites that will connect to the gateway.

    5. On BGP > Redist Rules, Add the ToAllSat redistribution profile you created previously.

  5. Click OK.

  6. Repeat steps 1 through 5 on the backup gateway using ethernet1/6 for the redistribution profile.

STEP 6 | Prepare the Satellite to Join the LSVPN.

The configuration shown is a sample of a single satellite.

Repeat this configuration each time you add a new satellite to the LSVPN deployment.

  1. Configure a tunnel interface as the tunnel endpoint for the VPN connection to the gateways.

  2. Set the IPSec tunnel type to GlobalProtect Satellite and enter the IP address of the GlobalProtect portal.

  3. Select Network > Virtual Routers and Add a virtual router.

  4. On Router Settings, add the Name and Interface for the virtual router.

  5. Select Virtual Router > Redistribution Profile and Add a profile with the following settings.

    1. Name the redistribution profile ToLSVPNGW and set the Priority to 1.

    2. Add the Interface ethernet1/2.1.

    3. Click OK.

  6. Select BGP > General, Enable BGP, and configure the protocol as follows:

    1. Enter the gateway IP address as the Router ID (172.16.22.1) and 1000 as the AS Number.

    2. In the Options section, select Install Route.

    3. On BGP > Peer Group, Add a peer group containing all the satellites that will connect to the gateway.

    4. On BGP > Redist Rules, Add the ToLSVPNGW redistribution profile you created previously.

  7. Click OK.

STEP 7 | Configure the GlobalProtect Portal for LSVPN.

Both data centers advertise their routes but with different routing priorities to ensure that the active data center is the preferred gateway.

  1. Select Network > GlobalProtect > Portals and click Add.

  2. On General, enter LSVPN-Portal as the portal name.

  3. On Network Settings, select ethernet1/21 as the Interface and select 172.16.22.1/24 as the IP Address.

  4. On the Authentication tab, select the previously created primary gateway SSL/TLS Profile LSVPN-Scale from the SSL/TLS Service Profile drop-down.

  5. On the Satellite tab, Add a satellite and Name it sat-config-1.

  6. Set the Configuration Refresh Interval to 12.

  7. On GlobalProtect Satellite > Devices, add the serial number and hostname of each satellite device in the LSVPN.

  8. On GlobalProtect Satellite > Gateways, add the name and IP address of each gateway. Set the routing priority of the primary gateway to 1 and the backup gateway to 10 to ensure that the active data center is the preferred gateway.

STEP 8 | Verify the LSVPN Configuration.

STEP 9 | (Optional) Add a new site to the LSVPN deployment.

  1. Select Network > GlobalProtect > Portals > GlobalProtect Portal > Satellite Configuration > GlobalProtect Satellite > Devices to add the serial number of the new satellite to the GlobalProtect portal.

  2. Configure the IPSec tunnel on the satellite with the GlobalProtect portal IP address.

  3. Select Network > Virtual Router > BGP > Peer Group to add the satellite to the BGP peer group configuration on each gateway.

  4. Select Network > Virtual Router > BGP > Peer Group to add the gateways to the BGP peer group configuration on the new satellite.
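The workflow above spreads its consistency rules across several steps: every gateway certificate is issued by the portal's root CA, a gateway certificate's CN/SAN must cover the address the portal publishes for it, tunnel interfaces need IP addresses and Access Routes stay blank when dynamic routing is used, satellite configurations are matched top to bottom, and the lowest gateway priority wins. The following is an added example, not PAN-OS or Palo Alto Networks code, that encodes those rules as pre-commit checks over a plain description of the deployment. The data classes are this example's own; the tunnel IPs, the serial number and the second satellite configuration are constructed, while the other names and addresses follow the steps above.

```python
"""Pre-commit consistency checks for the LSVPN design on this page.

Added example, not PAN-OS code. Encodes the rules stated in the steps:
one root CA for every gateway certificate, CN/SAN covering the published
gateway address, tunnel IPs and blank access routes with dynamic routing,
top-down satellite config matching, lowest gateway priority preferred.
Tunnel IPs and the serial number below are constructed values.
"""
from dataclasses import dataclass, field
from ipaddress import ip_interface
from typing import List, Optional, Tuple


@dataclass
class ServerCert:
    name: str
    issuer: str                  # root CA that signed the certificate
    subject_cn: str
    sans: Tuple[str, ...] = ()   # subject alternative names (IP or DNS)

    def covers(self, address: str) -> bool:
        return address == self.subject_cn or address in self.sans


@dataclass
class Gateway:
    name: str
    address: str                 # address the portal hands to satellites
    priority: int                # lower is preferred by the satellite
    cert: ServerCert
    tunnel_if: str
    tunnel_ip: Optional[str]     # None means an unnumbered tunnel interface
    dynamic_routing: bool = True
    access_routes: Tuple[str, ...] = ()


@dataclass
class SatelliteConfig:
    name: str
    serials: Tuple[str, ...] = ()   # empty tuple matches any satellite


@dataclass
class Portal:
    name: str
    root_ca: str
    gateways: List[Gateway]
    satellite_configs: List[SatelliteConfig] = field(default_factory=list)


def validate(portal: Portal) -> List[str]:
    """Return findings; an empty list means the design is consistent."""
    findings = []
    for gw in portal.gateways:
        if gw.cert.issuer != portal.root_ca:
            findings.append(f"{gw.name}: {gw.cert.name} is not issued by {portal.root_ca}")
        if not gw.cert.covers(gw.address):
            findings.append(f"{gw.name}: CN/SAN of {gw.cert.name} does not cover {gw.address}")
        if gw.dynamic_routing and gw.tunnel_ip is None:
            findings.append(f"{gw.name}: {gw.tunnel_if} needs an IP address for dynamic routing")
        if gw.dynamic_routing and gw.access_routes:
            findings.append(f"{gw.name}: leave access routes blank when using dynamic routing")
        if gw.tunnel_ip is not None:
            ip_interface(gw.tunnel_ip)   # raises ValueError on a malformed address/prefix
    owner = {}
    for cfg in portal.satellite_configs:
        for serial in cfg.serials:
            if serial in owner:   # a later config can never match this serial
                findings.append(f"{cfg.name}: serial {serial} already matched by {owner[serial]}")
            owner.setdefault(serial, cfg.name)
    return findings


def select_satellite_config(portal: Portal, serial: str) -> Optional[str]:
    """First satellite configuration that matches, evaluated top to bottom."""
    for cfg in portal.satellite_configs:
        if not cfg.serials or serial in cfg.serials:
            return cfg.name
    return None


def preferred_gateway(portal: Portal) -> str:
    return min(portal.gateways, key=lambda gw: gw.priority).name


def sample_portal() -> Portal:
    """The deployment from this page, with constructed tunnel IPs and serial."""
    ca = "CA-cert"
    primary = Gateway("LSVPN-Scale", "172.16.22.1", 1,
                      ServerCert("LSVPN-Scale", ca, "172.16.22.1"),
                      "tunnel.5", "10.255.0.1/24")
    backup = Gateway("LSVPN-backup", "172.16.22.25", 10,
                     ServerCert("LSVPN-backup-GW-cert", ca, "172.16.22.25"),
                     "tunnel.1", "10.255.1.1/24")
    return Portal("LSVPN-Portal", ca, [primary, backup],
                  [SatelliteConfig("sat-config-1", ("SN-EXAMPLE-0001",)),
                   SatelliteConfig("sat-config-any")])


def broken_portal() -> Portal:
    """Same design with three mistakes the checks should catch."""
    portal = sample_portal()
    backup = portal.gateways[1]
    backup.cert = ServerCert("LSVPN-backup-GW-cert", "Other-CA", "gw-backup.example.invalid")
    backup.tunnel_ip = None
    return portal
```

Running `validate(sample_portal())` returns no findings, while `validate(broken_portal())` reports the foreign issuer, the CN/SAN that does not cover 172.16.22.25, and the missing tunnel IP on tunnel.1; the serial shadowing check catches a satellite configuration that can never be reached because an earlier one already claims the same serial number.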

Key LSVPN Concepts for PCNSE

Understanding these LSVPN aspects is crucial for the PCNSE exam:

Focus on the distinct roles of Portal vs. Gateway, certificate management (especially the Root CA and what components need which certs), Satellite authentication mechanisms (initial vs. cookie), and routing options (static vs. dynamic implications).

LSVPN Operational Diagrams

LSVPN Component Interaction

Detailed LSVPN component interaction and authentication flow.

LSVPN Certificate Management Overview

Conceptual overview of certificate roles and trust in LSVPN.

Common LSVPN Gotchas for PCNSE

Troubleshooting LSVPN often involves checking certificates, authentication settings, routing tables, and security policies on all involved components (Portal, Gateway, Satellite). Pay close attention to logs (System, GlobalProtect, VPN).

LSVPN Knowledge Test

1. Which LSVPN component is primarily responsible for distributing configuration information to remote sites?

Correct Answer: B
The GlobalProtect Portal manages and distributes configurations (like Gateway lists, certificates) to the Satellites.

2. Is a GlobalProtect subscription required for LSVPN functionality?

Correct Answer: C
LSVPN for site-to-site VPN between Palo Alto Networks firewalls does not require a GlobalProtect subscription.

3. What is the primary mechanism used by LSVPN components for mutual authentication?

Correct Answer: A
LSVPN relies on SSL/TLS and IPSec with digital certificates for authentication between Portal, Gateways, and Satellites.

4. On a GlobalProtect Gateway, how many logical tunnel interfaces are typically required to support multiple LSVPN Satellites?

Correct Answer: D
A single logical tunnel interface on the Gateway can terminate connections from multiple Satellites in a point-to-multipoint fashion.

5. In PAN-OS 10.1 and later, what is the default initial authentication method for a Satellite connecting to the Portal for the first time?

Correct Answer: B
The default method is Username/Password for the initial connection, after which a Satellite Cookie is used for subsequent authentications.

6. When using self-signed certificates for LSVPN, where is it best practice to generate the Root CA certificate?

Correct Answer: A
It's best practice to create the self-signed Root CA on the Portal and use it to issue certificates, keeping the private key secure on the Portal.

7. What must be configured on a Satellite firewall to allow it to trust the Portal's server certificate for the initial connection?

Correct Answer: C
The Satellite must trust the issuer (Root CA) of the Portal's server certificate. This Root CA certificate must be imported onto the Satellite and marked as a Trusted Root CA.

8. If dynamic routing (e.g., OSPF or BGP) is used in an LSVPN setup, what is generally required for tunnel interfaces?

Correct Answer: B
Dynamic routing protocols require IP addresses on the participating interfaces, including tunnel interfaces, to establish neighbor relationships and exchange routing information.

9. What information does the Portal typically push to a Satellite as part of its configuration?

Correct Answer: D
The Portal provides a comprehensive configuration including Gateway details, necessary certificates for authentication, IP addressing information for the tunnel, and routes.

10. What is the purpose of configuring an "Access Route" on the GlobalProtect Gateway's LSVPN settings?

Correct Answer: A
Access Routes on the Gateway dictate which networks the Satellite will send through the VPN tunnel (split-tunneling) or if all traffic goes through (if left blank).

11. When a Satellite uses the "Username/Password and Satellite Cookie" authentication method, what happens when the cookie expires?

Correct Answer: C
Upon cookie expiration, the Satellite must be manually re-authenticated to the Portal using the configured username and password to obtain a new cookie.

12. In an LSVPN Portal configuration, if you have multiple Satellite Configurations, how does the Portal decide which configuration to apply to a connecting Satellite?

Correct Answer: B
The Portal evaluates Satellite Configurations from top to bottom. The first configuration that matches the Satellite (by serial number or enrollment user/group) is applied.

13. What is the role of an SSL/TLS Service Profile in LSVPN?

Correct Answer: D
An SSL/TLS Service Profile is attached to the Portal and Gateway configurations to specify the server certificate they present and the allowed TLS protocol versions for secure communication with Satellites.

14. If a GlobalProtect Gateway is configured with Tunnel Monitoring for LSVPN, what is the supported action if the tunnel monitor fails?

Correct Answer: A
For LSVPN, tunnel monitoring primarily supports failover to another configured gateway if the connection to the primary gateway is lost.

15. What is the significance of the "Common Name (CN)" or "Subject Alternative Name (SAN)" in a Gateway's server certificate for LSVPN?

Correct Answer: C
The CN/SAN of the Gateway's server certificate must match the address (FQDN or IP) that Satellites use to connect to that Gateway. This address is provided to Satellites by the Portal.

16. What is a key benefit of using dynamic routing (like OSPF or BGP) in LSVPN over static routing?

Correct Answer: B
Dynamic routing protocols automatically update routing tables when network changes occur, reducing manual configuration of access routes, which is beneficial in large or evolving networks.

17. Which command on a Satellite can be used to view the generation time of its authentication cookie?

Correct Answer: D
The `show global-protect-satellite satellite` CLI command on the Satellite firewall will display information including the "Satellite Cookie Generation Time".

18. If a firewall is configured as both an LSVPN Portal and Gateway, can it use the same Layer 3 interface for both functions?

Correct Answer: A
If the Portal and Gateway are on the same firewall, they can indeed use the same Layer 3 interface for external connectivity.

19. What is the purpose of configuring "Publish all static and connected routes to Gateway" on an LSVPN Satellite's IPSec tunnel configuration?

Correct Answer: C
This option allows the Satellite to send its local (static and connected) routes to the Gateway, enabling hosts behind the Gateway to reach networks behind the Satellite. The Gateway must also be configured to accept these routes.

20. In PAN-OS 11.1.3+, when using "Serial number and IP address Authentication" for LSVPN Satellites, where is the satellite's IP address allow list configured?

Correct Answer: B
For the "Serial number and IP address Authentication" method, the satellite IP allow list is configured on the GlobalProtect Portal using CLI commands like `set global-protect global-protect-portal portal satellite-serialnumberip-auth satelliteip-allowlist entry `.