Can LSVPN satellites still connect to gateways with the deprecated "serial number auth" method after upgrade to 10.1+?
Environment
- Upgrade from PAN-OS 10.0 or earlier to 10.1 or later
- Using LSVPN
Answer
Yes. A satellite will continue to connect to the gateways for the remaining validity period of the certificate it last obtained from its previous successful registration with the portal.
Over time, different PAN-OS releases have introduced and deprecated different authentication methods for the portal to authenticate satellites. This is described at https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/large-scale-vpn-lsvpn/configure-the-portal-to-authenticate-satellites and is summarized as:
- PAN-OS 10.0 and earlier releases - Serial number Authentication - Deprecated, no longer available in 10.1+
- PAN-OS 10.1 and later releases - Username/password and Satellite Cookie Authentication - Default option on 10.1+
- PAN-OS 11.1.3 and later releases - Serial number and IP address Authentication
For example, suppose you are running PAN-OS 9.1 using serial number authentication and wish to upgrade to 11.1.latest to use Serial Number and IP address authentication. While performing the upgrades, you notice that satellites are still connecting to gateways even though the new "Serial Number and IP address auth" settings have not yet been configured, the old "serial number auth" has been deprecated, and the global-protect logs on the portal even indicate authentication failures for the satellite due to the changed authentication method.
The reason is that the authentication methods described above apply only to SATELLITE > PORTAL registration.
The SATELLITE > GW connection is authenticated using certificates, which are initially requested and issued during the SATELLITE > PORTAL registration process.
The default lifetime for this certificate is 7 days, which means that, independently of any portal authentication, the satellite may continue to connect to the gateway for the duration of that certificate's validity period.