Large Scale VPN (LSVPN) Configuration Guide
Tech Note
PAN-OS 5.0
Revision B
©2013, Palo Alto Networks, Inc. www.paloaltonetworks.com
Contents
Overview
  Large Scale VPN Components
  Satellite Firewall Enrollment Methods
    Using serial number for enrollment
    Username/Password Based Enrollment
  Initial Connection Process
    Certificate Renewal
  Certificate Requirements
    Generating CA Certificate
    Generating a Server Certificate
    Creating a Certificate Profile
    OCSP responder
Configuration Example 1: Hub and Spoke configuration
  Portal Configuration
    Satellite Configuration
  Gateway Configuration
    Satellite Configuration
      Tunnel settings
      Network Settings
      Route filter
  Satellite Configuration
  Verification
    Portal/Gateway
    Satellite
  High Availability on Gateway
Configuration example 2: Hub and Spoke VPN with a Backup Hub
  Certificate requirements
    Step 1: Export CA Certificate with Private Key
    Step 2: Importing the CA Certificate with Key
    Step 3: Generating the Server Certificate
    Step 4: Create a Certificate Profile
  Portal Configuration
  Backup Gateway Configuration
  Tunnel Monitoring
    Creating Monitor Profile
    Enabling Tunnel Monitor on the Gateway
  Verification
    Satellite
Useful commands
  Gateway/Portal
  Satellite
Troubleshooting
  Satellite Unable to Connect to the Portal
Summary
Revision History
Overview
The Large Scale VPN feature simplifies the deployment of traditional hub and spoke VPNs. It lets administrators quickly deploy enterprise networks in which several branch offices or telecommuters securely access resources at a central site, with a minimum of configuration on the remote devices. It uses certificates for device authentication and IPSec to secure data.
Large Scale VPN Components
• GlobalProtect Portal: PAN-OS firewall that holds the entire configuration required for the satellites (spokes) to connect to the gateway (hub). A portal is always required in a large scale VPN.
• GlobalProtect Gateway: PAN-OS firewall that is the tunnel end point for satellite connections. The resources that the satellites access are protected by the gateway. A separate portal and gateway are not required; a single PAN-OS firewall can function as both portal and gateway.
• GlobalProtect Satellites: Remote site firewalls that connect to one or more gateways in order to access centralized resources.
• Certificate Authority Server: The portal, gateway, and satellites authenticate to each other using certificates. The PAN-OS firewall itself can be configured as the CA server to sign certificates.
Satellite Firewall Enrollment Methods
The GlobalProtect portal authenticates the satellites using either the serial number or a username/password. After the satellite successfully authenticates to the portal, it obtains the configuration from the portal and attempts to establish an IPSec tunnel to the gateways.
Using serial number for enrollment
When using a serial number for authentication, you must add the serial number of the Palo Alto Networks firewall (satellite device) to the portal configuration (the host name is optional). When the satellite connects to the portal, the portal retrieves the serial number of the satellite from the satellite certificate and matches it against the list of satellite devices allowed to connect to the portal.
Username/Password Based Enrollment
The username/password method of authentication is used when the serial number of the device is unknown. In this case, a
user account on the portal is used to validate the satellite when it first connects to the portal. The administrator of the
satellite must enter the credentials when the satellite connects to the portal. This is done on the satellite by navigating to
Network > IPSec Tunnels and choosing “gateway info” and then clicking on “Enter Credentials”.
The username/password authentication is only required the first time the satellite connects to the portal. Once authenticated, the username/password is not required for subsequent connections.
After the initial registration is completed, GlobalProtect satellites create an RSA keypair and a PKCS10 formatted certificate signing request locally. The satellite authenticates to the portal and submits the request, which is signed with the configured issuing certificate. The GlobalProtect portal then responds with a PEM formatted certificate, which expires after the configured validity period.
Initial Connection Process
In this example, it is assumed that the portal is configured as the CA server, all the required certificates are configured, and the portal and gateway are configured to accept connections from satellite devices.
1. The satellite generates a CSR and sends it to the portal over an SSL connection.
2. The satellite authenticates the portal's certificate before establishing a connection to the portal. In order to authenticate the portal's certificate, the satellite must have the CA certificate that was used to sign the portal certificate.
3. The satellite then authenticates to the portal using its serial number.
4. The portal verifies the serial number against its locally configured list of satellite devices. If the serial number does not exist in the portal configuration, the portal returns a 401 error message prompting the satellite administrator to authenticate using a username/password.
5. The portal verifies the credentials provided using the authentication profile configured in the portal configuration.
6. After the satellite is authenticated, the portal creates a certificate for the satellite from the CSR received. The portal then sends the satellite its certificate and configuration, which includes the list of gateways.
7. The satellite contacts all available gateways using its certificate for authentication. Satellite and gateway verify the validity of each other's certificates.
8. The satellite then submits a list of routes to the gateway. The gateway accepts the routes if they are not denied by the route filter configured on the gateway.
9. The gateway provides the satellite with a list of routes.
10. An IPSec tunnel is established between the gateway and the satellite. The keys for the IPSec tunnel are exchanged over an SSL connection.
Certificate Renewal
1. The portal checks the list of expiring certificates every 24 hours and renews client certificates that will expire within (certificate lifetime / 5) days of the current date.
2. The satellite authenticates to the portal to retrieve the latest configuration and certificate.
3. The satellite installs the new configuration and new certificate.
4. The satellite re-keys all gateway connections using the new certificate.
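The enrollment decision (serial number list, 401 fallback to username/password, credentials needed only once) and the renewal window rule above, modelled as an added Python example. This is not PAN-OS code: the Portal class, the user database standing in for the authentication profile, the serial "0001A100999", the passphrase and the hashed CSR standing in for an issued certificate are all constructed for illustration.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample values (not from any real deployment): one pre-registered
# serial, one portal user for the username/password fallback, 365-day validity.
T0 = datetime(2013, 10, 18, 18, 23, 30, tzinfo=timezone.utc)
DAY = timedelta(days=1)
KNOWN_SERIAL = "0001A100268"      # serial quoted in the tech note's CLI output
UNKNOWN_SERIAL = "0001A100999"    # constructed: not in the portal's device list


class EnrollmentDenied(Exception):
    """Stands in for the HTTP 401 the portal returns to the satellite."""


@dataclass
class SatelliteCert:
    serial: str
    hostname: str
    not_before: datetime
    not_after: datetime
    fingerprint: str  # stand-in for the PEM certificate: hash of the CSR bytes

    @property
    def lifetime(self) -> timedelta:
        return self.not_after - self.not_before

    def renewal_due(self, now: datetime) -> bool:
        # Portal rule from the tech note: renew when the certificate expires
        # within (certificate lifetime / 5) days of the current date.
        return self.not_after - now <= self.lifetime / 5


class Portal:
    def __init__(self, allowed_serials, user_db, validity_days):
        # serial -> hostname; hostname shows as "unknown" until the satellite connects
        self.devices = {s: "unknown" for s in allowed_serials}
        self.user_db = user_db            # stand-in for the authentication profile
        self.validity = validity_days * DAY
        self.issued = {}                  # serial -> SatelliteCert

    def enroll(self, serial, hostname, csr_pem, now, credentials=None):
        """Steps 3-6 of the initial connection: serial check, 401 fallback, issue cert."""
        if serial not in self.devices:
            if credentials is None:
                raise EnrollmentDenied("401: serial number not configured, credentials required")
            user, password = credentials
            if self.user_db.get(user) != password:
                raise EnrollmentDenied("401: authentication profile rejected credentials")
            # Registered from here on; username/password is needed for this first connection only.
        self.devices[serial] = hostname   # hostname learned from the satellite
        return self._issue(serial, hostname, csr_pem, now)

    def _issue(self, serial, hostname, csr_pem, now):
        cert = SatelliteCert(serial, hostname, now, now + self.validity,
                             hashlib.sha256(csr_pem).hexdigest()[:16])
        self.issued[serial] = cert
        return cert

    def daily_renewal_check(self, now):
        """Runs every 24 hours on the portal; returns the serials whose cert was reissued."""
        renewed = []
        for serial, cert in list(self.issued.items()):
            if cert.renewal_due(now):
                # The satellite picks up the new certificate on its next portal refresh;
                # a fresh CSR stand-in is used here.
                self._issue(serial, cert.hostname, b"renewal-csr-" + serial.encode(), now)
                renewed.append(serial)
        return renewed


def run_scenario():
    """Walks the enrollment and renewal flow on the constructed values."""
    portal = Portal([KNOWN_SERIAL], {"lsvpn-admin": "example-passphrase"}, validity_days=365)
    results = {}
    # Known serial: enrolled without credentials, hostname learned from the device.
    portal.enroll(KNOWN_SERIAL, "santaclara-2", b"csr-1", T0)
    results["known_hostname"] = portal.devices[KNOWN_SERIAL]
    # Unknown serial: first attempt gets a 401, the retry with credentials succeeds.
    try:
        portal.enroll(UNKNOWN_SERIAL, "branch-9", b"csr-2", T0)
        results["unknown_first_try"] = "issued"
    except EnrollmentDenied as exc:
        results["unknown_first_try"] = str(exc)
    portal.enroll(UNKNOWN_SERIAL, "branch-9", b"csr-2", T0, ("lsvpn-admin", "example-passphrase"))
    # A later connection of the now-registered serial needs no credentials.
    portal.enroll(UNKNOWN_SERIAL, "branch-9", b"csr-2b", T0 + DAY)
    results["registered"] = UNKNOWN_SERIAL in portal.devices
    # 365-day certificate: window is 73 days, so day 200 is too early and day 300 is due.
    results["renewed_day_200"] = portal.daily_renewal_check(T0 + 200 * DAY)
    results["renewed_day_300"] = portal.daily_renewal_check(T0 + 300 * DAY)
    return results
```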
Certificate Requirements
Large Scale VPN uses certificates to authenticate the portal, gateway, and satellites, so all certificates must be signed by the same Certificate Authority (CA).
The following certificates are required:
• CA Certificate: Since the GlobalProtect portal issues authentication certificates for all registered satellites, a CA certificate (root or intermediate) must be present or created on the device. An intermediate certificate authority can be created by generating and exporting a certificate signing request from the device and importing the issued certificate as a PEM formatted certificate file.
• Server Certificate: All communication between GlobalProtect satellites, the portal and the gateways is secured via TLS. Therefore, both the GlobalProtect portal and the gateways require SSL certificates. When connecting to the portal, the satellite verifies the presented server certificate against its built-in trusted certificate authority list. After the initial connection, the satellite continues to verify the server certificate of the portal against the list of trusted Root Certificates from the satellite configuration. Since the connection to the gateways occurs after the portal connection, the presented server certificate of the gateways is verified against the Root Certificate list in the satellite configuration only. Because of the verification process described above, and for simplicity, it is recommended to create the portal certificate and all gateway certificates through the same certificate authority.
• OCSP Responder: In order for the portal to provide certificate revocation for GlobalProtect satellites, it is recommended that you configure a publicly available OCSP responder on the device running the portal. Besides configuring an OCSP responder, access to the OCSP service needs to be allowed via the interface management profile settings. If an external certificate authority is used, no OCSP responder configuration is required since revocation is handled externally.
Generating CA Certificate
Navigate to Device > Certificate Management > Certificates and click Generate. Configure the certificate as a CA server
certificate and check the box “certificate authority”. This certificate must be used to sign the certificates used by the
GlobalProtect gateway and the satellites.
Generating a Server Certificate
This certificate is used by the GlobalProtect gateway to authenticate the satellites. Use the Certificate Authority certificate
generated earlier to sign this certificate. This is done by selecting the CA certificate generated earlier from the “signed by”
drop down menu as shown below.
Note: Use the IP address of the interface, or the FQDN that maps to that IP, in the common name field to avoid certificate errors.
Creating a Certificate Profile
The satellite certificate profile is used to verify the certificates of every involved party. This specifies the CA server certificate
that was used to sign the gateway and the satellite certificate.
To create a profile, navigate to Device > Certificate Profile and add the CA certificate generated earlier. This is the same certificate used to sign the server and satellite certificates.
OCSP responder
Note: If you are using the portal/gateway as the OCSP responder, you must enable the “HTTP OCSP” service on the egress interface of the portal/gateway. This is done by creating an interface management profile with HTTP OCSP and applying it to the egress interface of the firewall.
Configuration Example 1: Hub and Spoke configuration
In this example we will use the portal/gateway firewall as the CA server and the OCSP responder. Satellites are authenticated
using serial numbers.
The gateway/portal is configured with the following:
• IP pool : 10.11.12.11-10.11.12.25
• DNS suffix: acme.local
• DNS servers: 10.0.0.246 and 10.0.0.247
• Access route: 192.168.0.0/16 and 172.16.0.0/16
The interface and zone bindings are set as follows:
Interface       Comment                                                          Zone         Virtual Router
Ethernet 1/10   Outside interface. This is the IP address of the portal and gateway.   L3-outside   default
Ethernet 1/1    Inside interface. Connects to protected resource.                L3-inside    default
Tunnel.1        Logical interface for terminating VPN tunnel.                    L3-VPN       default
Portal Configuration
To configure the portal navigate to Network > GlobalProtect > Portal.
Note: Certificate profile is not required for portal configuration.
Interface: External facing interface of the portal, where the satellite devices establish first connection.
IP Address: Egress interface IP address. This is the IP address where the satellites will establish the first connection to
authenticate and download the configuration.
Server Certificate: Select the server certificate used for authenticating the satellites.
Note:
• Even though satellites are authenticated using serial numbers, an authentication profile is selected here only to avoid commit errors.
• The authentication profile is used only if you are authenticating satellites using username/password.
Satellite Configuration
Note: In this configuration we will be using the serial number of the satellite devices for authentication of satellites.
Click on “Add” to create a new configuration for satellites.
General: Specify a name for the configuration and the interval at which the satellites connect to the portal to refresh the configuration. By default satellites refresh the configuration from the portal every 24 hours.
Devices: List the serial number(s) of the satellite devices that are authorized to connect to the portal to retrieve the
configuration (the host name is optional). Once a satellite device successfully connects to the portal, the hostname will be
automatically retrieved from the satellite and updated in this section.
In the example below, the serial numbers of the two satellites (spoke devices) are added. Note that the hostname shows as
unknown. Once the satellites authenticate and establish a connection with the portal, the satellite hostname will be
automatically updated with the hostnames of the satellites.
Gateways: List the available gateways the satellite can connect to. If there are multiple gateways, specify the name and IP address or FQDN of each gateway. In this configuration the firewall is configured as both the portal and gateway with the IP address 10.2.133.240.
Routing Priority: When more than one gateway site offers VPN connectivity to the same network, the routing priority is used to select the preferred gateway. Routing priority is a numeric value between 1 and 25. A lower value indicates the more preferred gateway.
Routes published by a gateway are installed on the satellite as static routes. The metric for each static route is derived from the routing priority: the metric is 10x the routing priority. See Configuration example 2 (Hub and Spoke VPN with a Backup Hub) for more information on this topic.
In this example we have only one central gateway. The configuration on the portal follows:
Certificates:
In the satellite configuration section, add the “Trusted Root CA” and “Issuing Certificate” from the drop down list.
If you are using certificates signed by a public CA like VeriSign, you can leave the “Trusted Root CA” field empty if the CA
certificate is listed in the “Default Trusted Certificate Authorities”.
In this example, we are using self-signed certificates with the firewall as the CA server. In the OCSP responder section, select the OCSP responder created earlier from the drop-down. The configuration for this example follows:
Gateway Configuration
To configure the gateway navigate to Network > GlobalProtect > Gateway.
• Interface: External facing interface of the portal, where the satellite devices establish the first connection. In this example the egress interface is ethernet1/10.
• IP address: Egress interface IP address. This is the IP address where the satellites will establish the first connection to authenticate and download the configuration.
• Server certificate: Select the server certificate created for the LSVPN.
• Certificate Profile: Select the certificate profile created earlier. This is used by the gateway to authenticate the satellite when it attempts to establish a tunnel to the gateway.
Satellite Configuration
In this section, you will configure the network parameters that will be used to establish a tunnel between the gateway and
satellite.
Tunnel settings
• Tunnel interface: Select the tunnel interface that will be used to terminate the IPSec tunnel and to route traffic between the gateway and satellite. In this example, tunnel.1 is used to terminate IPSec tunnels. Enabling anti-replay protects against an attacker replaying captured encrypted packets by assigning a unique sequence number to each encrypted packet. The Copy Type of Service (TOS) option copies the TOS field from the original IP header to the outer IP header.
• Configuration refresh interval: The interval at which the satellites refresh the configuration from the gateway. By default the satellite refreshes the gateway configuration every 2 hours.
• Tunnel Monitoring: Used to monitor the tunnel status. Refer to the tunnel monitoring section of this tech note for more details.
• Crypto Profiles: Defines the IPSec encryption and authentication methods used for securing the data. The default profile uses ESP with DH group 2, AES-128 and SHA-1.
Note: You can also define a custom IPSec crypto profile. Satellites send all the crypto profiles they support to the gateway during the IPSec phase 2 negotiation. When you define a custom crypto profile, the satellites automatically match and use the IPSec crypto profile defined on the gateway.
Network Settings
Network settings define the IP address pool to be assigned to the satellite tunnel interfaces, the routes that the gateway will advertise to the satellites, and optional DNS parameters that will be handed out to the satellites once they establish an IPSec tunnel.
If a satellite is also configured as a DHCP server, and you want all the devices protected by the satellite to use the same DNS server settings used on the gateway, you can set primary and secondary DNS server IP addresses and DNS suffixes. Once the satellite establishes the connection, the DHCP server instance on the satellite inherits the DNS server settings, which are then passed on to the hosts configured as DHCP clients connected to the satellite. This is required if the hosts behind the satellite devices need to access internal resources using FQDNs that are local to your network.
In this example, we create an IP pool range from 10.11.12.11 to 10.11.12.25 that will be assigned to the satellite devices, and also routes 172.16.0.0/16 (network behind the gateway) and 192.168.0.0/16 (summary route of the networks protected by the satellites) to be advertised to the satellite devices. Satellite-to-satellite communication is enabled by adding this summary route for the satellite networks.
Note: In this example, if you want to disable satellite-to-satellite communication, remove the access route 192.168.0.0/16.
Route filter
This setting is used to control the routes advertised by the satellites. By checking the option “Accept published routes”, all routes advertised by satellites are installed in the gateway's routing table. This option must be selected in order to accept any routes advertised by the satellites.
If you want to be more restrictive in accepting the routes advertised by the satellites, you can configure permitted subnets. For example, if all the satellites are configured with a 192.168.x.0/24 subnet on the LAN side, you can configure a permitted subnet of 192.168.0.0/16 on the gateway. The gateway then accepts a route from a satellite only if it falls within 192.168.0.0/16.
Note: Directly connected routes advertised by the satellites cannot be filtered using the “Permitted subnets” setting.
Satellite Configuration
Note:
1. If you are using self-signed certificates, you must import the CA certificate that was used to sign the server certificate into the satellite devices.
2. To export the certificate from the portal, navigate to Device > Certificate Management > Certificates, select the CA certificate and choose Export. When exporting, set the file format to “Base64 Encoded Certificate (PEM)”. DO NOT EXPORT THE PRIVATE KEY.
3. On the satellite device, navigate to Device > Certificate Management > Certificates and select Import. Assign a name to the certificate, set the file format to “Base64 Encoded Certificate (PEM)”, uncheck “Import private key” and click OK.
To configure the satellite, navigate to Network > IPSec Tunnels.
General Configuration
In this section configure the following parameters:
• Tunnel Interface
• Portal Address
• Interface: Egress interface of the satellite that connects to the portal and gateway.
• Local IP address: IP address of the egress interface of the satellite that connects to the portal and gateway.
Note: If the egress interface of the satellite is a DHCP client, the local IP address is displayed as “NONE”, as shown below.
Advanced Configuration
Select the option “Publish all static and connected routes to gateway”. This adds the appropriate routes to the satellite network on the gateway.
Note: This option does not publish a default route to the gateway.
If you wish to advertise other routes the satellite learned through a dynamic routing protocol, you can add these networks to the list by clicking the “Add” button and specifying the subnets that you want the satellite to advertise to the gateway.
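The three route-handling rules this tech note describes (the satellite publishing its static and connected routes but never a default route; the gateway's route filter with “Accept published routes” and permitted subnets, which cannot filter connected routes; and the satellite installing gateway routes as static routes with metric 10x routing priority), as an added Python model. This is not PAN-OS code; the gateway names "primary-dc" and "dr-dc" and the sample prefixes other than those on the page are constructed.

```python
import ipaddress

# Constructed sample values modelled on this tech note: gateway access routes
# 172.16.0.0/16 and 192.168.0.0/16, permitted subnet 192.168.0.0/16, routing
# priority range 1-25 with static-route metric = 10 x routing priority.

DEFAULT_ROUTE = ipaddress.ip_network("0.0.0.0/0")


def publish_routes(static_routes, connected_routes):
    """Satellite side: 'Publish all static and connected routes to gateway'.
    Returns (kind, network) pairs; the default route is never published."""
    published = []
    for kind, routes in (("static", static_routes), ("connected", connected_routes)):
        for route in routes:
            net = ipaddress.ip_network(route, strict=False)
            if net == DEFAULT_ROUTE:
                continue
            published.append((kind, net))
    return published


def route_filter(published, accept_published, permitted_subnets=()):
    """Gateway side route filter. Returns the routes installed in the gateway's table.

    - 'Accept published routes' unchecked: nothing from the satellite is installed.
    - Permitted subnets, when configured, only admit routes contained in them.
    - Directly connected routes from the satellite cannot be filtered by permitted subnets.
    """
    if not accept_published:
        return []
    permitted = [ipaddress.ip_network(p) for p in permitted_subnets]
    installed = []
    for kind, net in published:
        within_permitted = any(p.version == net.version and net.subnet_of(p) for p in permitted)
        if kind == "connected" or not permitted or within_permitted:
            installed.append(str(net))
    return installed


def metric_for_priority(routing_priority):
    """Metric of the static route a satellite installs for a gateway's advertised route."""
    if not 1 <= routing_priority <= 25:
        raise ValueError("routing priority must be between 1 and 25")
    return 10 * routing_priority


def install_gateway_routes(advertisements):
    """Satellite side: advertisements maps gateway name -> (routing priority, routes).
    Each advertised route becomes a static route with metric 10 x priority; when
    several gateways advertise the same prefix, the lowest metric wins, which is
    how a backup hub with a higher routing priority takes over once the primary's
    routes are withdrawn."""
    table = {}
    for gateway, (priority, routes) in advertisements.items():
        metric = metric_for_priority(priority)
        for route in routes:
            prefix = str(ipaddress.ip_network(route))
            best = table.get(prefix)
            if best is None or metric < best[1]:
                table[prefix] = (gateway, metric)
    return table


if __name__ == "__main__":
    # Satellite LAN: a default route, one static and two connected networks (constructed).
    satellite_routes = publish_routes(["0.0.0.0/0", "192.168.10.0/24", "10.200.0.0/24"],
                                      ["192.168.1.0/24", "10.99.0.0/24"])
    print("gateway installs:", route_filter(satellite_routes, True, ["192.168.0.0/16"]))
    advertisements = {"primary-dc": (1, ["172.16.0.0/16", "192.168.0.0/16"]),
                      "dr-dc": (2, ["172.16.0.0/16", "192.168.0.0/16"])}
    print("satellite table:", install_gateway_routes(advertisements))
    del advertisements["primary-dc"]  # primary unreachable: its routes are withdrawn
    print("after failover:", install_gateway_routes(advertisements))
```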
Verification
Portal/Gateway
1. To view connected satellites, click on Satellite Info from Network > GlobalProtect > Portal.
2. To view gateway status and details about connected satellites, click on Satellite Info from Network > GlobalProtect > Gateway.
Satellite
3. To view the satellite run-time configuration, click on Gateway Info at Network > IPSec Tunnels.
High Availability on Gateway
The gateway firewalls can be configured as an HA pair for redundancy. All certificates are synchronized automatically to the peer device. Once the tunnel is established, the IPSec SA is also synchronized. In the example below, an active/passive HA pair is configured as the gateway; both the active and the passive member show the same satellite and the same IPSec SPI.
admin@ACME-GW-1(active)> show global-protect-gateway current-satellite
GlobalProtect Gateway: ACME-GW (1 satellites)
Tunnel Name          : ACME-GW-S
Satellite            : 0001A100268
Satellite Hostname   : santaclara-2
Private IP           : 10.11.12.18
Public IP            : 10.2.133.249
Satellite Tunnel IPs :
Login Time           : Oct.18 18:23:30

admin@ACME-GW-2(passive)> show global-protect-gateway current-satellite
GlobalProtect Gateway: ACME-GW (1 satellites)
Tunnel Name          : ACME-GW-S
Satellite            : 0001A100268
Satellite Hostname   : santaclara-2
Private IP           : 10.11.12.18
Public IP            : 10.2.133.249
Satellite Tunnel IPs :
Login Time           : Oct.18 18:24:21

admin@ACME-GW-1(active)> show global-protect-gateway flow-site-to-site tunnel-id 2
tunnel  ACME-GW-S
        id:               2
        type:             GlobalProtect-site-to-site
        local ip:         10.2.133.240
        inner interface:  tunnel.1          outer interface:  ethernet1/10
        ssl cert:         ACME-SERVER-CERT
        active users:     1

        assigned-ip       remote-ip         encapsulation
        ------------------------------------------------------------------
        10.11.12.25       10.2.133.249      IPSec SPI 3A73F3B9 (context 676)

admin@ACME-GW-2(passive)> show global-protect-gateway flow-site-to-site tunnel-id 2
tunnel  ACME-GW-S
        id:               2
        type:             GlobalProtect-site-to-site
        local ip:         10.2.133.240
        inner interface:  tunnel.1          outer interface:  ethernet1/10
        ssl cert:         ACME-SERVER-CERT
        active users:     1

        assigned-ip       remote-ip         encapsulation
        ------------------------------------------------------------------
        10.11.12.25       10.2.133.249      IPSec SPI 3A73F3B9 (context 598)
Configuration example 2: Hub and Spoke VPN with a Backup Hub
In this example there are two gateways:
• Primary data center
• Disaster recovery data center, which hosts the secondary gateway
The satellite device establishes tunnels to both gateways, but uses the tunnel to the primary site to access all the resources. If the primary site becomes unreachable, the routes on the satellite device are automatically updated to use the backup site to access resources. Tunnel monitoring is used to monitor the status of the tunnels.
Note: For the sake of simplicity only the relevant sections of the configuration will be discussed.
The portal and gateways are configured with the following networking parameters:
Interface    Zone         IP address     Comment
Eth1/10      L3-untrust   10.2.133.240   Portal and gateway IP address of the primary gateway.
Tunnel.1     L3-VPN       10.11.12.1     Tunnel interface for terminating IPSec connections from satellite.
Loopback.1   L3-trust     172.16.1.254   Tunnel monitoring IP address on primary gateway.
Eth1/10      L3-untrust   10.2.133.241   Gateway IP address of backup gateway.
Tunnel.1     L3-VPN       10.11.12.2     Tunnel interface for terminating IPSec connections from satellite.
Loopback.1   L3-trust     172.16.1.253   Tunnel monitoring IP address on primary gateway.
Certificate requirements
Since two gateways are used in this configuration, both gateways must have a server certificate signed by the same CA. In this example we are using the primary site firewall as the CA server. In order to create a server certificate on the backup gateway, you will have to export the CA certificate with its private key from the primary firewall and import it into the backup gateway. You will then create a server certificate on the backup gateway signed by the imported CA certificate.
Step 1: Export CA Certificate with Private Key
To export the CA certificate and the private key, navigate to Device > Certificate Management > Certificates, select the CA certificate and click Export. Choose “Export private key” and enter a passphrase to protect the private key and certificate.
Step 2: Importing the CA Certificate with Key
To import the certificate on the backup gateway, navigate to Device > Certificate Management > Certificates and click Import.
Assign a name to the certificate, check the “Import private key” option, enter the passphrase and click OK.
Step 3: Generating the Server Certificate
Generate the server certificate on the backup gateway using the CA certificate imported in step 2.
Note: The common name of this certificate must be the FQDN or IP address of the gateway interface where the satellites connect. In this example the IP address 10.2.133.241 is used as the common name of the certificate.
The screenshot below shows the server certificate parameters. Click Generate to create the server certificate.
Step 4: Create a Certificate Profile
The certificate profile is used to verify the certificates of every involved party. It specifies the CA certificate that was used to sign the gateway and satellite certificates.
To create a profile, navigate to Device > Certificate Management > Certificate Profile and add the CA certificate generated earlier. This is the same certificate used to sign the server and satellite certificates.
Portal Configuration
Under the satellite configuration section of the portal, enter the IP address or FQDN of the backup gateway and assign the backup gateway a higher routing priority. This ensures that the routes the backup gateway advertises to the satellite carry a higher metric than the same routes advertised by the primary gateway.
Backup Gateway Configuration
To configure the gateway, navigate to Network > GlobalProtect > Gateways.
• Interface - External-facing interface of the portal where the satellite devices establish their first connection. In this example the egress interface is ethernet1/10.
• IP address - Egress interface IP address. This is the IP address where the satellites establish their first connection to authenticate and download the configuration.
• Server certificate - Select the server certificate created earlier.
• Certificate Profile - Select the certificate profile created earlier. The gateway uses it to authenticate a satellite when the satellite attempts to establish a tunnel to the gateway.
Under the Satellite Configuration section specify the tunnel settings to use the tunnel interface and IPSec crypto profile.
In the network setting specify the IP pool and Access routes.
Note: The access routes on the backup gateway are the same as the primary gateway. The IP addresses defined in the IP pool
will be used by satellite devices as the tunnel monitor source IP address. This should not overlap with the IP pool defined on
the primary gateway. Each gateway must have a unique range of IP addresses used in the IP pool.
Tunnel Monitoring
Tunnel monitoring enables the satellite devices to track the connection state to the gateway. Tunnel monitoring must be configured only on the gateways; it is not required on the satellite, because the tunnel monitor settings configured on the gateways are published to the satellite. The tunnel monitor action must be set to fail over.
In the event that the primary gateway fails, the satellite automatically sends all traffic to the backup gateway.
Creating Monitor Profile
To create a monitor profile navigate to Network > Monitor.
In this example, we create a monitor profile with parameters shown below.
Note: The action must be set to Fail Over.
Enabling Tunnel Monitor on the Gateway
Tunnel monitoring is enabled in the satellite configuration section of the gateway as shown below. Note that the destination IP must be different for each gateway. If no destination IP is provided, the IP address of the tunnel interface is used for monitoring.
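The notes above (unique IP pool per gateway, distinct tunnel monitor destination per gateway, higher routing priority on the backup, identical access routes) are easy to get wrong when a backup gateway is cloned from the primary. The following script is an added example, not part of this tech note or any Palo Alto Networks tool: it models the settings described on this page in a small dataclass and checks a primary/backup pair against them. The pool CIDRs are assumed, since the page only shows the addresses the satellite received; the gateway names, addresses, priorities, monitor loopbacks and access routes are taken from the page.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class GatewayConfig:
    # Constructed model of the per-gateway settings this page walks through;
    # it is not a PAN-OS object or API.
    name: str
    address: str              # external interface IP the satellites connect to
    routing_priority: int     # portal setting; a higher value gives the gateway's routes a higher metric
    ip_pool: str              # CIDR handed to satellites, also used as their tunnel monitor source
    tunnel_monitor_dest: str  # loopback address the satellites probe
    access_routes: tuple      # prefixes the gateway advertises to the satellite


def routes_without_monitor(gw):
    """Access routes minus the gateway's own /32 monitor destination, which legitimately differs per gateway."""
    own = f"{gw.tunnel_monitor_dest}/32"
    return {r for r in gw.access_routes if r != own}


def validate_gateway_pair(primary, backup):
    """Return a list of findings for a primary/backup pair; an empty list means the pair is consistent."""
    findings = []
    p_pool = ipaddress.ip_network(primary.ip_pool)
    b_pool = ipaddress.ip_network(backup.ip_pool)

    # Each gateway must hand out a unique IP pool (note under Backup Gateway Configuration).
    if p_pool.overlaps(b_pool):
        findings.append(f"IP pools overlap: {p_pool} and {b_pool}")

    # Each gateway needs its own tunnel monitor destination (Enabling Tunnel Monitor on the Gateway).
    if primary.tunnel_monitor_dest == backup.tunnel_monitor_dest:
        findings.append(f"tunnel monitor destination {primary.tunnel_monitor_dest} is used by both gateways")

    # The backup must carry the higher routing priority so its routes get the higher metric.
    if backup.routing_priority <= primary.routing_priority:
        findings.append(f"backup priority {backup.routing_priority} is not higher than primary priority {primary.routing_priority}")

    # Both gateways should publish the same access routes so failover preserves reachability.
    if routes_without_monitor(primary) != routes_without_monitor(backup):
        findings.append("access routes differ between primary and backup")

    # The probed loopback must fall inside an advertised route; the sample output on this
    # page lists each gateway's /32 monitor destination among its access routes.
    for gw in (primary, backup):
        dest = ipaddress.ip_address(gw.tunnel_monitor_dest)
        if not any(dest in ipaddress.ip_network(r) for r in gw.access_routes):
            findings.append(f"{gw.name}: monitor destination {dest} is not covered by its access routes")
    return findings


# Constructed sample values taken from this page; the pool CIDRs are assumed, since the
# page only shows the addresses 10.11.12.12 and 10.11.12.16 that the satellite received.
COMMON_ROUTES = ("172.16.0.0/16", "192.168.0.0/16", "10.0.0.246/32", "10.0.0.247/32")
PRIMARY = GatewayConfig("HQ-1", "10.2.133.240", 1, "10.11.12.8/29", "172.16.1.254",
                        COMMON_ROUTES + ("172.16.1.254/32",))
BACKUP = GatewayConfig("HQ-2", "10.2.133.241", 25, "10.11.12.16/29", "172.16.1.253",
                       COMMON_ROUTES + ("172.16.1.253/32",))
# A backup that copies the primary's pool, monitor address and priority (the mistakes the notes warn about).
BAD_BACKUP = GatewayConfig("HQ-2", "10.2.133.241", 1, "10.11.12.8/29", "172.16.1.254",
                           COMMON_ROUTES + ("172.16.1.254/32",))

if __name__ == "__main__":
    for label, gw in (("good pair", BACKUP), ("bad pair", BAD_BACKUP)):
        print(label, validate_gateway_pair(PRIMARY, gw) or ["OK"])
```

The check runs entirely offline on the values you intend to commit, so it is best placed before the commit on the backup gateway; the good pair returns no findings, while the cloned backup returns three (overlapping pool, shared monitor destination, equal priority).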
Verification
Satellite
1. To view the satellite run time configuration click on gateway info at Network > IPSec tunnels.
2. To view the active gateway connection details:
admin@santaclara-1> show global-protect-satellite interface tunnel.1
Interface       : tunnel.1
Gateway Address : 10.2.133.240
IP Address      : 10.11.12.12
DNS Servers     : 10.0.0.246
                : 10.0.0.247
DNS Suffixes    : acme.local
In the above example, the gateway with IP address 10.2.133.240 is the preferred gateway because of the lowest routing
priority.
3. To view details of all available gateways:
admin@santaclara-1> show global-protect-satellite current-gateway
GlobalProtect Satellite : To-CORP-GW-1 (2 gateways)
Gateway Info: 10.2.133.240
Get Config State:
  Refresh Time (seconds)           : 7200
  Failed Refresh Time (seconds)    : 300
  Current Get Config               : success
  Max Get Config Retries           : 34
  Number Get Config Failed         : 0
  Config Timer Activated           : yes
  Next Get Config Time (seconds)   : 6280
  Cached Get Config Time (seconds) : 0
  Failed Reason                    :
Portal Config:
  GlobalProtect Gateway Name       : HQ-1
  GlobalProtect Gateway Address    : 10.2.133.240
  Priority                         : 1
Gateway Config:
  Gateway Tunnel Name              : ACME-GW-S
  Gateway Tunnel Interface         : tunnel.1
  Gateway Tunnel id                : 4
  Gateway Tunnel IP                : 10.11.12.1
  Gateway Additional Tunnel IPs    :
  Status                           : Active
  Status Time                      : Oct.13 10:09:06
  Reason                           : Tunnel monitoring up
  Config Refresh Time (hours)      : 2
  IP Address                       : 10.11.12.12
  Default Gateway                  : 10.11.12.1
  Netmask                          : 255.255.255.255
  Access Routes                    : 172.16.0.0/16
                                     192.168.0.0/16
                                     10.0.0.246/32
                                     10.0.0.247/32
                                     172.16.1.254/32
  Denied Routes                    :
  Duplicate Routes                 :
  DNS Servers                      : 10.0.0.246
                                     10.0.0.247
  DNS Suffixes                     : acme.local
  Tunnel Monitor Enabled           : Yes
  Tunnel Monitor Interval          : 3 seconds
  Tunnel Monitor Action            : fail-over
  Tunnel Monitor Threshold         : 5 attempts
  Tunnel Monitor Source            : 10.11.12.12
  Tunnel Monitor Destination       : 172.16.1.254
  Tunnel Monitor Status            : Up
------------------------------------------------------------------------------
Gateway Info: 10.2.133.241
Get Config State:
  Refresh Time (seconds)           : 7200
  Failed Refresh Time (seconds)    : 300
  Current Get Config               : success
  Max Get Config Retries           : 34
  Number Get Config Failed         : 0
  Config Timer Activated           : yes
  Next Get Config Time (seconds)   : 5637
  Cached Get Config Time (seconds) : 0
  Failed Reason                    :
Portal Config:
  GlobalProtect Gateway Name       : HQ-2
  GlobalProtect Gateway Address    : 10.2.133.241
  Priority                         : 25
Gateway Config:
  Gateway Tunnel Name              : ACME-GW-1-S
  Gateway Tunnel Interface         : tunnel.1
  Gateway Tunnel id                : 4
  Gateway Tunnel IP                : 10.11.12.2
  Gateway Additional Tunnel IPs    :
  Status                           : Active
  Status Time                      : Oct.13 09:58:39
  Reason                           : Tunnel monitoring up
  Config Refresh Time (hours)      : 2
  IP Address                       : 10.11.12.16
  Default Gateway                  : 10.11.12.2
  Netmask                          : 255.255.255.255
  Access Routes                    : 172.16.0.0/16
                                     192.168.0.0/16
                                     10.0.0.246/32
                                     10.0.0.247/32
                                     172.16.1.253/32
  Denied Routes                    :
  Duplicate Routes                 :
  DNS Servers                      : 10.0.0.246
                                     10.0.0.247
  DNS Suffixes                     : acme.local
  Tunnel Monitor Enabled           : Yes
  Tunnel Monitor Interval          : 3 seconds
  Tunnel Monitor Action            : fail-over
  Tunnel Monitor Threshold         : 5 attempts
  Tunnel Monitor Source            : 10.11.12.111
  Tunnel Monitor Destination       : 172.16.1.253
  Tunnel Monitor Status            : Up
4. To view routes advertised by the gateways to satellite:
admin@santaclara-1> show routing route interface tunnel.1
flags: A:active, ?:loose, C:connect, H:host, S:static, ~:internal, R:rip, O:ospf, B:bgp,
       Oi:ospf intra-area, Oo:ospf inter-area, O1:ospf ext-type-1, O2:ospf ext-type-2

VIRTUAL ROUTER: default (id 1)
==========
destination        nexthop        metric flags   age   interface   next-AS
10.0.0.246/32      10.11.12.1     10     A S           tunnel.1
10.0.0.246/32      10.11.12.2     250    S             tunnel.1
10.0.0.247/32      10.11.12.1     10     A S           tunnel.1
10.0.0.247/32      10.11.12.2     250    S             tunnel.1
10.11.12.1/32      10.11.12.1     10     A S           tunnel.1
_____ OUTPUT TRUNCATED--------------------------------------
Note:
The routes published by the backup gateway are not active because of their higher metric of 250. This metric is derived from the higher routing priority assigned to the backup gateway.
When the tunnel monitor detects a failure, the routing table on the satellite is updated to use the backup gateway.
admin@santaclara-1> show global-protect-satellite current-gateway
GlobalProtect Satellite : To-CORP-GW-1 (2 gateways)
Gateway Info: 10.2.133.240
Get Config State:
  Refresh Time (seconds)           : 7200
  Failed Refresh Time (seconds)    : 300
  Current Get Config               : fail
  Max Get Config Retries           : 34
  Number Get Config Failed         : 1
  Config Timer Activated           : yes
  Next Get Config Time (seconds)   : -8
  Cached Get Config Time (seconds) : 6567
  Failed Reason                    : connection failed
  Recommended Action               : request global-protect-satellite get-gateway-config gateway-address 10.2.133.240 satellite To-CORP-GW-1
Portal Config:
  GlobalProtect Gateway Name       : HQ-1
  GlobalProtect Gateway Address    : 10.2.133.240
  Priority                         : 1
Gateway Config:
  Gateway Tunnel Name              : ACME-GW-S
  Gateway Tunnel Interface         : tunnel.1
  Gateway Tunnel id                : 4
  Gateway Tunnel IP                : 10.11.12.1
  Gateway Additional Tunnel IPs    :
  Status                           : Active
  Status Time                      : Oct.13 11:01:45
  Reason                           : Tunnel monitoring down, reconnecting
admin@santaclara-1> show routing route interface tunnel.1
flags: A:active, ?:loose, C:connect, H:host, S:static, ~:internal, R:rip, O:ospf, B:bgp,
       Oi:ospf intra-area, Oo:ospf inter-area, O1:ospf ext-type-1, O2:ospf ext-type-2

VIRTUAL ROUTER: default (id 1)
==========
destination        nexthop        metric flags   age   interface   next-AS
10.0.0.246/32      10.11.12.2     250    A S           tunnel.1
10.0.0.247/32      10.11.12.2     250    A S           tunnel.1
10.11.12.1/32      10.11.12.1     10     A S           tunnel.1
10.11.12.2/32      10.11.12.2     10     A S           tunnel.1
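The verification commands above answer "which gateway is the satellite really using" only after reading several screens of output. As an added example (not part of this tech note, and not a Palo Alto Networks tool), the script below parses the text of show global-protect-satellite current-gateway into a dictionary per gateway and applies the selection rule the page describes: the gateway with the lowest routing priority whose tunnel monitor is up. The two sample outputs are constructed in the layout shown on this page and abridged to the fields the parser uses; the addresses, names, priorities, routes and reason strings are the ones the page shows, and the function names are this example's own.

```python
import re

SECTION_HEADERS = {"Get Config State", "Portal Config", "Gateway Config"}


def parse_current_gateway(text):
    """Parse 'show global-protect-satellite current-gateway' output into
    {gateway_address: {field: [value, ...]}}. Multi-line values such as
    Access Routes and DNS Servers are collected as lists."""
    gateways, current, last_key = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("-"):        # blank or separator line
            continue
        m = re.match(r"Gateway Info:\s*(\S+)", line)
        if m:                                       # start of a per-gateway block
            current = gateways.setdefault(m.group(1), {})
            last_key = None
            continue
        if current is None:                         # satellite header before the first block
            continue
        key, sep, value = line.partition(":")       # split on the first colon only, so
        key, value = key.strip(), value.strip()     # timestamps like Oct.13 10:09:06 survive
        if sep and key in SECTION_HEADERS:
            last_key = None
        elif sep:
            current[key] = [value] if value else []
            last_key = key
        elif last_key:                              # continuation of a multi-line value
            current[last_key].append(line)
    return gateways


def monitor_up(fields):
    """True if the gateway's tunnel monitor is up, using Tunnel Monitor Status when
    present and otherwise the Reason text (the failed sample on this page shows only Reason)."""
    status = fields.get("Tunnel Monitor Status") or []
    if status:
        return status[0].lower() == "up"
    reason = fields.get("Reason") or [""]
    return reason[0].startswith("Tunnel monitoring up")


def preferred_gateway(gateways):
    """Address of the lowest-priority gateway whose tunnel monitor is up, or None if all are down."""
    usable = [(int(f["Priority"][0]), addr) for addr, f in gateways.items() if monitor_up(f)]
    return min(usable)[1] if usable else None


def gateway_block(addr, name, priority, tunnel_ip, monitor_dest, get_config, reason, monitor_status):
    # Constructed sample in the layout of the page's output, abridged to the fields used here.
    return f"""Gateway Info: {addr}
Get Config State:
  Current Get Config               : {get_config}
Portal Config:
  GlobalProtect Gateway Name       : {name}
  GlobalProtect Gateway Address    : {addr}
  Priority                         : {priority}
Gateway Config:
  Gateway Tunnel IP                : {tunnel_ip}
  Status                           : Active
  Status Time                      : Oct.13 10:09:06
  Reason                           : {reason}
  Access Routes                    : 172.16.0.0/16
                                     192.168.0.0/16
                                     10.0.0.246/32
                                     10.0.0.247/32
                                     {monitor_dest}/32
  Tunnel Monitor Destination       : {monitor_dest}
  Tunnel Monitor Status            : {monitor_status}
------------------------------------------------------------------------------
"""


HEADER = "GlobalProtect Satellite : To-CORP-GW-1 (2 gateways)\n"
# Both tunnels healthy: the satellite should prefer HQ-1 (priority 1).
HEALTHY = (HEADER
           + gateway_block("10.2.133.240", "HQ-1", 1, "10.11.12.1", "172.16.1.254", "success", "Tunnel monitoring up", "Up")
           + gateway_block("10.2.133.241", "HQ-2", 25, "10.11.12.2", "172.16.1.253", "success", "Tunnel monitoring up", "Up"))
# Primary monitor failed: traffic should move to HQ-2.
FAILED = (HEADER
          + gateway_block("10.2.133.240", "HQ-1", 1, "10.11.12.1", "172.16.1.254", "fail", "Tunnel monitoring down, reconnecting", "Down")
          + gateway_block("10.2.133.241", "HQ-2", 25, "10.11.12.2", "172.16.1.253", "success", "Tunnel monitoring up", "Up"))

if __name__ == "__main__":
    print("healthy ->", preferred_gateway(parse_current_gateway(HEALTHY)))
    print("failed  ->", preferred_gateway(parse_current_gateway(FAILED)))
```

Feeding the parser the saved output of the command from each satellite (for example collected over SSH by an existing management script) gives a single line per site that can be alerted on when the preferred gateway changes, which is the same transition the routing-table output above shows by hand.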
Useful commands
Gateway/Portal
show global-protect-gateway gateway type satellite - View the gateway configuration summary.
show global-protect-gateway flow-site-to-site - View the established tunnel state.
show global-protect-gateway flow-site-to-site tunnel-id <number> or show global-protect-gateway flow-site-to-site name <tunnel name> - View the details of an established tunnel. The tunnel-id can be read from the output of show global-protect-gateway flow-site-to-site.
show global-protect-gateway current-satellite - View the details of the current satellite.
Satellite
request global-protect-satellite get-gateway-config satellite <name> gateway-address <ip_address> - Fetch the configuration from the gateway after configuration changes are made on the gateway. By default, the gateway configuration is refreshed every 2 hrs.
request global-protect-satellite get-portal-config satellite <name> - Fetch the configuration from the portal. By default, this configuration is refreshed every 24 hrs.
test global-protect-satellite gateway-connect gateway-address <IP address> method activation satellite <name> - Trigger a connection from the GlobalProtect satellite to the gateway.
Troubleshooting
Satellite Unable to Connect to the Portal
Missing CA certificate
When using self-signed certificates, the CA certificate used to sign the certificates must be loaded on the satellite devices. If the satellite device is missing the CA certificate, the satellite will not be able to authenticate to the portal.
On the satellite you can view the portal status by going to Network > IPSec Tunnels and choosing gateway information.
You will see the message “Certificate was not trusted”.
Missing Serial Number on the Portal
If the serial number of the satellite is not listed on the portal, the portal rejects the connection from the satellite. On the satellite you can view the portal status by going to Network > IPSec Tunnels and choosing gateway information.
The system logs on the satellite will also show that the connection failed. Filter the logs with ( subtype eq satd ).
Summary
The Large Scale VPN solution enables enterprise network administrators to quickly deploy several branch offices or telecommuters that securely access resources at a central site, with a minimal amount of configuration required on the remote devices. Combined with Palo Alto Networks App-ID, Content-ID, and User-ID, this feature provides a comprehensive security solution for extending distributed networks.
Revision History
Date         Revision   Comment
2/13/2013    B          In the Satellite Configuration Note near the bottom of page 13, item 2 states “select the CA certificate and choose export”. This was updated to import.
                        The note near the bottom of page 20 states “This should overlap with the IP pool”. This was updated to “should not overlap”.
11/08/2012   A          First release of this document.