Unable to register Palo Alto Networks Firewall to LSVPN after upgrading the LSVPN portal to 10.1.x

Created On 01/12/22 20:31 PM - Last Modified 04/23/24 03:33 AM


Symptom


After the Palo Alto Networks Firewall is upgraded to 10.1.x, Satellite firewalls cannot connect to the LSVPN Portal and Gateway.

The following log might be seen in the GlobalProtect logs on the GP LSVPN Portal:
[Screenshot: image.png]

On the Satellite Firewall:
[Screenshot: image.png]


Environment


PAN-OS 10.1.x

Cause


Prior to PAN-OS 10.1, the GP LSVPN Portal would register and authenticate the GP LSVPN Satellite based on either the Serial Number or an Authentication Profile (username/password credentials).

To enhance the security of GP LSVPN Satellite registration and authentication, PAN-OS 10.1 added the Satellite Cookie Validation mechanism, which uses both the Serial Number and the Authentication Profile (username/password credentials) to register and authenticate the GP LSVPN Satellite.

The LSVPN Satellite Authentication behavior change is documented in the Changes to Default Behavior in PAN-OS 10.1.

After the enhancement, there are two scenarios in which the GP LSVPN Satellite would not authenticate with the GP LSVPN Portal:

Scenario#1: The GP LSVPN Satellite is running a pre-10.1 PAN-OS release but the GP LSVPN Portal is running PAN-OS 10.1
Scenario#2: Both the GP LSVPN Satellite and the GP LSVPN Portal were recently upgraded to PAN-OS 10.1 and the Satellite started failing authentication

 



Resolution


Scenario#1 Resolution: This is a compatibility issue. If the PAN-OS 10.1 upgrade on the GP Portal is needed, the Satellite must also be upgraded (follow the PAN-OS upgrade general guidelines).

Scenario#2 Resolution: If both the GP LSVPN Satellite and the GP LSVPN Portal are running PAN-OS 10.1 and the Satellite is failing authentication, enter the username and password on the IPSec tunnel configured for LSVPN (the GP Portal should already have an authentication profile):

  1. Log in to the Satellite's Web GUI, go to Network > IPSec Tunnels and click the Gateway Info link in the Status column of the tunnel configuration you created for the LSVPN
  2. Click the enter credentials link in the Portal Status field and enter the username and password required to authenticate the satellite to the portal

Automation: In case of multiple firewalls, sending the user credentials can be automated through a script using XML APIs:

1. Get the XML API Key for the satellite firewall
2. Use the XML-API-KEY to submit the USERNAME and PASSWORD for the SATELLITE-NAME to the GP Portal using XML API:


https://SATELLITE-FIREWALL-ADDRESS/api/?type=op&cmd=<request><global-protect-satellite><get-portal-config><username>USERNAME</username><password>PASSWORD</password><satellite>SATELLITE-NAME</satellite></get-portal-config></global-protect-satellite></request>&key=XML-API-KEY

NOTE: This is equivalent to running the CLI command request global-protect-satellite get-portal-config username <value> password <value> satellite <value> via the XML API.

NOTE: Details of the script are not given here; only the XML API call is provided, which the firewall admin can use for multiple firewalls in a preferred scripting language.
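
One way to script the XML API call above for several satellites, as an added example that is not part of the original article and not Palo Alto Networks' own code. The function names and the satellites.csv inventory are hypothetical; the request is sent as a POST with the key in the X-PAN-KEY header, which the PAN-OS XML API accepts, so the password and API key stay out of the URL.

```python
import getpass
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET


def build_cmd(username, password, satellite):
    """Build the op command; ElementTree XML-escapes &, < and > in values."""
    root = ET.Element("request")
    node = ET.SubElement(ET.SubElement(root, "global-protect-satellite"),
                         "get-portal-config")
    for tag, value in (("username", username), ("password", password),
                       ("satellite", satellite)):
        ET.SubElement(node, tag).text = value
    return ET.tostring(root, encoding="unicode")


def build_request(host, api_key, cmd):
    """POST body + X-PAN-KEY header keep secrets out of the URL and URL logs."""
    body = urllib.parse.urlencode({"type": "op", "cmd": cmd}).encode()
    return urllib.request.Request(f"https://{host}/api/", data=body,
                                  method="POST", headers={"X-PAN-KEY": api_key})


def parse_response(xml_text):
    """Return (ok, detail) for one XML API reply (<response status=...>)."""
    root = ET.fromstring(xml_text)
    detail = " ".join(t.strip() for t in root.itertext() if t.strip())
    return root.get("status") == "success", detail


def submit(host, api_key, username, password, satellite, ca_file=None):
    """Send the credentials to one satellite; TLS verification stays on."""
    ctx = ssl.create_default_context(cafile=ca_file)
    req = build_request(host, api_key, build_cmd(username, password, satellite))
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return parse_response(resp.read().decode())


if __name__ == "__main__":
    # Hypothetical inventory: one "address,satellite-name" pair per line in
    # satellites.csv; secrets are prompted for and never written to disk.
    user, pw = input("Portal username: "), getpass.getpass("Portal password: ")
    for line in filter(str.strip, open("satellites.csv")):
        host, sat = line.strip().split(",")
        key = getpass.getpass(f"XML API key for {host}: ")
        print(host, *submit(host, key, user, pw, sat))
```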



Additional Information


How To Configure GlobalProtect Satellite
