Palo Alto Networks Knowledgebase: Controlling LSVPN Satellite Connections with OCSP

Controlling LSVPN Satellite Connections with OCSP

2960
Created On 08/01/19 03:44 AM - Last Updated 08/01/19 03:46 AM
VPNs 8.1 8.0 7.1 9.0 GlobalProtect
Resolution

Overview

The LSVPN implementation allows administrators to quickly connect VPN sites to the main site. The implementation relies on the usage of certificates to authenticate the satellites to the portal, which allows the administrators control who will be allowed access to the VPN network, and who can be denied if emergency action is needed.

 

Details

To accomplish full control, there needs to be a Certificate Authority(CA) on the Palo Alto Networks firewall, and OCSP responder for the certificates that we will generate with that CA. The process is very similar to controlling GlobalProtect Remote access VPN connections and similar principles are valid and similar steps should be followed.

Note: For more information reference the following link: Controlling GlobalProtect VPN Access with OCSP

  1. Create a CA at the firewall
  2. Create a local OCSP responder
  3. Create a Certificate Profile that will be used to check the status of the certifications with the given OCSP
  4. Create a certificate signed by the CA and include the OCSP responder to be checked for the revocation status of these certificates
  5. Verify if the certificates are generated with the correct information when a satellite connects to GlobalProtect (this should include the correct Issuer)
  6. Verify that the satellites can connect to the VPN network
  7. If needed, revoke the satellite certificate from the gateway and remove this satellite information from portal so that the satellite device will not reconnect to the VPN network.

 

Steps

After the CA and the OSCP responder are in place on the firewall, create a Certificate Profile.

Note: Reference the following link for more information on: How to Configure an OCSP Responder

  1. To create a Certificate Profile for the LSVPN satellites, which will be verifying the revocation status with the created OCSP, go to Device > Certificate Management > Certificate Profile.Screen Shot 2014-06-16 at 12.34.04 AM.png
  2. GUI:  Device > Certificate Management > Certificates and click Generate to create the certificate that will be used to sign the satellite certificates.
    While creating the certificate, be sure to use the OCSP responder previously created. If this is an intermediate certificate, make sure to select the root CA that is trusted on the satellite. If the root is not trusted on the satellite, or this is a root certificate that is being creating now, be sure to export the certificate from this firewall and import it on the satellite firewall.
    Screen Shot 2014-06-28 at 1.49.21 PM.png
  3. At this time, the configuration of the LSVPN needs to be completed. Please reference the Large Scale VPN (LSPV) Deployment Guide to complete the configuration.
    While configuring the setup, make sure to use the appropriate certificates and certificate profiles previously created.
    Include the trusted root CA and the OCSP responder in the Satellite Configuration under the GlobalProtect Portal, so the certificates are checked for the revocation status.
    Use the Server Certificate and the Certificate Profile for the GlobalProtect Gateway, as shown below:
    Screen Shot 2014-06-16 at 12.37.02 AM.png
  4. After the full LSVPN configuration is complete, verify if connections are establishing from the satellites to GlobalProtect.
    Check the connection under the Network  > GlobalProtect > Portals > Under Info > click on Satellite Information:
Screen Shot 2014-06-16 at 12.38.48 AM.png
  1. GUI  Network > GlobalProtect > Gateways > Under Info > click on Satellite Information to access details about the connection to the needed gateway:
    Screen Shot 2014-06-16 at 12.39.16 AM.png
    The certificate that is used for this process is actually created for the satellite, from the CA that has been specified in the previous steps. By default, the validity of these certificates is 7 days.

    As shown below, see the issued certificate under Device > Certificate Management > Certificates:
Screen Shot 2014-06-16 at 12.32.33 AM.png
  1. Revoke this certificate by opening the certificate..
Screen Shot 2014-06-16 at 12.40.26 AM.png
Once the Revoke button is clicked, the certificate is no longer valid and should not be accepted by the portal to establish connections to the VPN network:
 
Screen Shot 2014-06-16 at 12.40.39 AM.png
The status immediately changes to revoked:
 
Screen Shot 2014-06-16 at 12.40.53 AM.png
 
From this point on, the connections from that satellite will be dropped, because of authentication with an invalid certificate. This can be viewed in the system logs, as shown below:

Screen Shot 2014-06-16 at 1.03.35 AM.png
 

sslmgr.log displays the certificate revocation.

> less mp-log sslmgr.log

Jun 16 00:51:58 pan_store_portal_cfg_assigned(pan_store_satellite_info.c:1854): find assigned serialno 0006C107270
Jun 16 00:51:58 pan_store_satellite_info_response_print(pan_store_satellite_info.c:106): {satellite info success; vsys id(1); vsys name(vsys1); portal name(GP-Portal);serialno(0006C107270); hostname(IDEA-PA-01); config(LSVPN_Satelites); pin(static); derived from(); last seen ip(10.193.16.27); }
Jun 16 00:51:58 pan_store_certificate_info_find_expired_cert(pan_store_certificate_info.c:964): certificate(539DAE57002715) is revoked, don't cleanup
Jun 16 00:51:58 pan_store_certificate_info_find_expired_cert(pan_store_certificate_info.c:973): certificate expiration date(Jun 22 22:51:01 2014 GMT)
Jun 16 00:51:58 pan_store_certificate_info_find_expired_cert(pan_store_certificate_info.c:979): current date (Jun 15 22:51:58 2014 GMT)
Jun 16 00:51:58 pan_store_certificate_info_find_expired_cert(pan_store_certificate_info.c:981): expdate(140622225101Z) curdate(140615225158Z)
Jun 16 00:51:58 pan_store_certificate_info_find_expired_cert(pan_store_certificate_info.c:984): exp date(3183271629) curwarmingdate(3176271686)
Jun 16 00:51:58 pan_store_is_cert_expired(pan_store_certificate_info.c:70): certificate expiration date(Jun 22 22:51:01 2014 GMT)(140622225101Z)
Jun 16 00:51:58 pan_store_is_cert_expired(pan_store_certificate_info.c:77): current date plus warming days (Jun 18 22:51:58 2014 GMT)(140618225158Z)
Jun 16 00:51:58 sslmgr_sysd_store_cert_gen(sslmgr_sysd.c:469): certificate is still valid
Jun 16 00:51:58 pan_store_satellite_info_request_print(pan_store_satellite_info.c:75): {satellite info find; vsys id(1); vsys name(vsys1); portal name(GP-Portal); seria lno(0006C107270); hostname(); config(); pin(); derived from(); last seen ip(); }
Jun 16 00:51:58 pan_store_portal_cfg_assigned(pan_store_satellite_info.c:1854): find assigned serialno 0006C107270
Jun 16 00:51:58 pan_store_satellite_info_response_print(pan_store_satellite_info.c:106): {satellite info success; vsys id(1); vsys name(vsys1); portal name(GP-Portal);serialno(0006C107270); hostname(IDEA-PA-01); config(LSVPN_Satelites); pin(static); derived from(); last seen ip(10.193.16.27); }
Jun 16 00:52:14 [OCSP] URL (null)       serialno: 539E235500032C
Jun 16 00:52:14 Send cookie:4 session:0 status:2 to DP

After revocation, a connection can not be established any more:

> show global-protect-gateway current-satellite

GlobalProtect Gateway: GP-GW-1 (0 satellites)
Tunnel Name          : GP-GW-1-S

GlobalProtect Gateway: GP-GW-1-Backup (0 satellites)
Tunnel Name          : GP-GW-1-Backup-S

> show global-protect-gateway previous-satellite

GlobalProtect Gateway: GP-GW-1 (0 satellites)
Tunnel Name          : GP-GW-1-S

GlobalProtect Gateway: GP-GW-1-Backup (0 satellites)
Tunnel Name          : GP-GW-1-Backup-S
        Satellite                 : 0006C107270
        Satellite Hostname        : IDEA-PA-01
        Private IP                : 10.200.2.1
        Public IP                 : 10.193.16.27

        Satellite Tunnel IPs      :
        Login Time                : Jun.15 23:51:33
        Logout Time               : Jun.16 00:51:34
        Reason                    : Tunnel Lifetime expired
        Satellite Published Routes: 172.18.1.0/24
        Satellite Denied Routes   :
        Satellite Duplicate Routes:
        Tunnel Monitor Enabled    : Yes
        Tunnel Monitor Interval   : 3 seconds
        Tunnel Monitor Action     : fail-over
        Tunnel Monitor Threshold  : 5 attempts
        Tunnel Monitor Source     : 10.193.21.98
        Tunnel Monitor Destination: 10.200.2.1
        Tunnel Monitor Status     : No data available
  1. The satellite must be permanently removed from the GlobalProtect Portal Satellite configuration. This means the portal does not have to try to validate the certificate.

To delete, GUI: Network > GlobalProtect > Portals > Satellite Configuration, select the satellite, and delete it from the list:

Screen Shot 2014-06-28 at 2.54.42 PM.png

 

 



Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClosCAC&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments
Choose Language