LSVPN running under mixed versions


L0 Member

I currently have my entire environment running on V9.1.15-h1.  We currently plan to upgrade the data center VMs and 3220 to 10.1.  These also will contain the GP portal and the LSVPN portal.  With the firewalls (many 3020s) staying on v9.1.15-h1, will these firewalls have issues connecting to the LSVPN portal?

Accepted Solutions

Cyber Elite

@TWCMoore,

This is going to cause issues with the default behavior change introduced with PAN-OS 10.1 if you authenticate using serial numbers. With 10.1.7 and later, you can specify 1-5 years after the initial manual authentication once you have the satellite cookie, but it doesn't remove the actual manual authentication, and if you set the lifetime to years, you'll arguably have a bigger issue with people remembering the cookie expiration and the requirement to manually authenticate.

Satellite Authentication
Beginning with PAN-OS 10.1, satellites can no longer perform initial authentication to the portal using only the satellite serial number. Instead, the satellite administrator must manually authenticate to the portal using the username and password associated with a local database authentication profile to establish the initial connection with the portal. Upon successful authentication, the portal generates a satellite cookie, which it uses to authenticate the satellite on subsequent sessions. The cookie lifetime is 180 days, after which the satellite administrator must manually authenticate again in order for the portal to issue a new cookie. This behavior is only supported on PAN-OS 10.1 or later releases. If you have a portal running 10.1 or later, with satellites running an earlier version of PAN-OS, the satellites will no longer be able to authenticate to the portal. Additionally, any satellites running on PAN-OS 10.1 or later that previously authenticated using serial numbers will require manual authentication.
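
A pre-upgrade check built from the rules quoted above, as an added example that is not part of the original post and is not Palo Alto Networks code: it flags satellites that will be blocked by a 10.1+ portal, those that still need a manual login, and cookies nearing expiry. The inventory schema (`version`, `last_manual_auth`, `cookie_days`), the hostnames and the dates are assumptions constructed for illustration.

```python
from datetime import date, timedelta

COOKIE_LIFETIME_DAYS = 180  # default satellite cookie lifetime quoted above
CUTOVER = (10, 1)           # release where serial-only initial auth was removed

def parse_panos(version):
    """'9.1.15-h1' -> (9, 1, 15, 1); a missing hotfix counts as 0."""
    base, _, hotfix = version.lower().lstrip("v").partition("-h")
    return tuple(int(p) for p in base.split(".")) + (int(hotfix or 0),)

def assess(portal_version, satellite, today, warn_days=30):
    """Return (status, detail) for one satellite dict (hypothetical schema)."""
    if parse_panos(portal_version)[:2] < CUTOVER:
        return ("out-of-scope", "portal below 10.1 is not the case discussed here")
    if parse_panos(satellite["version"])[:2] < CUTOVER:
        return ("blocked", "satellite older than 10.1 cannot authenticate to a 10.1+ portal")
    last = satellite.get("last_manual_auth")
    if last is None:
        return ("manual-auth", "no satellite cookie yet; username/password login required")
    # cookie_days is an assumed field for a lifetime configured on 10.1.7 and later
    expires = last + timedelta(days=satellite.get("cookie_days", COOKIE_LIFETIME_DAYS))
    left = (expires - today).days
    if left < 0:
        return ("manual-auth", f"cookie expired {expires}")
    if left <= warn_days:
        return ("expiring", f"cookie expires {expires} ({left} days left)")
    return ("ok", f"cookie valid until {expires}")

# Constructed sample inventory; hostnames, dates and field names are made up.
INVENTORY = [
    {"name": "branch-3020-a", "version": "9.1.15-h1"},
    {"name": "dc-vm-1", "version": "10.1.7", "last_manual_auth": date(2023, 1, 10)},
    {"name": "dc-3220", "version": "10.1.7", "last_manual_auth": date(2023, 5, 1)},
    {"name": "dc-vm-2", "version": "10.1.7"},
]

def report(portal_version, inventory, today):
    """Map each satellite name to its status for a given portal version."""
    return {s["name"]: assess(portal_version, s, today)[0] for s in inventory}

if __name__ == "__main__":
    for s in INVENTORY:
        print(s["name"], *assess("10.1.7", s, date(2023, 7, 1)))
```

Feeding it real data means exporting each satellite's PAN-OS version and the date of its last manual portal login from your own records; the script does not query any firewall.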

 
