topic Re: easiest way to move users to 2nd gateway for maintenance on 1st in GlobalProtect Discussions

easiest way to move users to 2nd gateway for maintenance on 1st

sebastianvd — Fri, 26 Mar 2021 12:47:48 GMT

We have an Azure implementation of Palo Alto/GlobalProtect.

We use an Azure LoadBalancer point to 2 Palo Alto firewalls for GP portal connectivity.

Then based on the received config we send the user to the direct interface address of one of the 2 firewalls for gateway connectivity.

No HA, no failover.

What would be the easiest way to have users connect only or migrate to the 2nd gateway ?

I know i can change portal configuration but that does not immediately move users to the second.

Also i can not set the portal/gateway in "maintenance".

How do you guys solve handle this ?

Re: easiest way to move users to 2nd gateway for maintenance on 1st

reaper — Fri, 26 Mar 2021 12:52:15 GMT

The easiest way is simply shutting the gateway down

GlobalProtect will automatically fail over to the other gateway

Alternatively if there is time to prepare you could set the config refresh time very short and when the day comes just remove one gateway and wait for the config refresh to force everyone over

Re: easiest way to move users to 2nd gateway for maintenance on 1st

sebastianvd — Fri, 26 Mar 2021 12:57:05 GMT

Hi,

shutting down is breaking a users connectivity so not the cleanest option in my opinion.

The second, set the config refresh time... When connected to a gateway and the config changes, will the gateway switch ?

Or only at connection setup ?

Re: easiest way to move users to 2nd gateway for maintenance on 1st

Mick_Ball — Fri, 26 Mar 2021 17:19:01 GMT

I just set the gateway tunnel to max user 1, this allows existing connections to carry on but new connections will be denied and forced to next gateway.

we have about 8k user base so upsetting 1 user is a low percentage. you can be really clever and set the timeout to 20 days, connect yourself and stop GP service, then reduce timeout back to normal so you will be the last connected... prob not worth the hassle though for 1 user, especially if it's someone you can't bear... Djagetme......

Re: easiest way to move users to 2nd gateway for maintenance on 1st

sebastianvd — Wed, 31 Mar 2021 07:48:43 GMT

Setting the gateway to max 1, when will existing users be connected to the other gateway?

Re: easiest way to move users to 2nd gateway for maintenance on 1st

Mick_Ball — Wed, 31 Mar 2021 08:34:13 GMT

They will connect to the other gateway when they make a new connection, or of their existing connection times out or you manually log them off from the firewall.

i have tried a few of the other options and this has been the smoothest and least complicated for our setup. perhaps not for others...

removing the gateway from the agent will work as suggested by @reaper but for us with users "always on" it's quite surprising how many cannot connect to the portal on startup due to wifi or lan not ready and when GP then uses cached portal config for connection it still has the old gateway configured.

but of course,,, if you need to do this in an emergency then just shut the gateway down and leave the phone off the hook....