GlobalProtect Satellite simplifies the deployment of traditional hub and spoke VPNs, enabling you to quickly deploy enterprise networks with several branch offices with a minimum amount of configuration required on the remote satellite devices. This solution uses certificates for device authentication and IPSec to secure data.
The setup includes configuring the portal, gateway, and satellite as under:
Note: This config uses the same interface for both portal and gateway and is tested on Devices running 7.0.X. Remember the configuration differences between earlier versions.
Generate a Root CA Certificate on the Portal (Self signed) and a Server Certificate used for Portal and Gateway certificate signed by the above Root CA.
Note: Make sure the Server Certificate's CN (Common Name) in the GlobalProtect Gateway configuration matches the IP address or FQDN of the IP address configuration in the GlobalProtect Gateway Configuration. (to be configured later) Otherwise, the error "certificate common name does not match the configured hostname on the satellite" is generated.
Export the Root CA (CACert) in PEM format, without the private key, and import it to the satellite device (Device > Certificate Management > Certificates > Import). This certificate on the Satellite is used to validate the Portal/ Gateway Certifcate against the CACert.
GlobalProtect Portal Configuration:
Configure a portal (Network -> GlobalProtect -> Portals -> Add) and add the interface that will act as Portal/Gateway.
Note: This is found under Network > GlobalProtect > Portals > "Select your Portal"
Note: Notice that the Authentication Profile is just added to avoid commit errors. It is not used if using serial number is being used to enroll the satellite. This profile will serve for Username/Password based authentications for satellites which are not enrolled using Serial Number. In the above case, an authentication profile has been created which is using local users for username/password based authentication.
Configure the satellite by adding the gateways and priorities. By adding the serial number of the satellite, the portal bypasses the authentication profile configured above and instead uses the serial number to validate the satellite.
Note: Notice that the serial number is not added in the above Satellite configuration. You can add the Satellite Device's serial number if Serial Number based enrollment is required. Also notice the Truster Root CA cert and Issuing Certificate which has been added in the configuration. The Issuing Certificate will be used by the Portal to sign the Certificate Signing Request generated by the Satellite on connection.
Configure the Portal as an OCSP Responder (Device > Certificate Management > OCSP Responder) to provide certificate revocation for GlobalProtect satellites. Also allow the OCSP service under the management profile binded to the Portal Interface. The OSCP responder setting is not rerequired if External CA is being used.
Configure the gateway (Network > GlobalProtect > Gateways > Add), with the proper interface and the certificate profile, which will be used to authenticate the satellite to the gateway.
Note: It is mandatory to have a certificate profile or the commit fails. Authentication Profile is not mandatory.
Bind a tunnel interface to this Satellite and configure the Network Settings for the IP Pool and the Access Routes. Note: The IP pool will be used to assign an IP to the tunnel interface on the Satellite. Access Route will be installed in the Routing Table of the Satellite for the traffic from network behind Satellite to be routed properly over the tunnel to the Gateway.
The gateway can accept all/selective routes advertised by the satellite by checking the "Accept published Routes" check box under Satellite Configuration > Route Filter.
Commit the config for Portal and Gateway.
Create a new IPSec tunnel config and select the type as GlobalProtect Satellite. Add the tunnel interface, portal config, and the interface that can reach the portal address.
To have the satellite advertise the routes to the gateway, check "Publish all static and connected routes to Gateway" to advertise all the static and connected routes or only selected routes by adding the subnets. In the below snapshot the Satellite is configured to advertise the network 18.104.22.168/24 only to the Gateway.
Remember to commit the changes on the satellite.
Testing the Connectivity
On the satellite, click Gateway Info, which will provide an option to enter credentials to authenticate to the portal, if the serial number was not used to enroll the Satellite. The bwloe snapshot highlight the status, the assigned IP to the tunnel interface and the access route.