topic Re: Multiple Portals/Gateways in GlobalProtect Discussions

Multiple Portals/Gateways

GFN182 — Wed, 22 Sep 2021 18:25:56 GMT

GP on the fw is setup and working. I have a group of users i need to isolate from everyone else - most of the time.So if they use the url vpn1.mydomain.com they get IP Pool X and specific X policies. If they use url vpn2.mydomain.com they get IP Pool Y and specific Y policies.

It seems like i should be able to setup multiple portals and gateways on an interface but i want some confirmation before i start working with a production environment.

Re: Multiple Portals/Gateways

TomYoung — Wed, 22 Sep 2021 18:56:57 GMT

Hi @GFN182 ,

The straightforward solution is to use source user in the security policy to isolate the users without having to build multiple gateways. GP has User-ID built-in. I like keeping all of my security configuration in one place.

Thanks,

Tom

Re: Multiple Portals/Gateways

Mick_Ball — Wed, 22 Sep 2021 19:15:09 GMT

I would go with @TomYoung suggestion.

just one portal with one gateway, then the gateway can have many configs that can differentiate between users vi user-id and distribute ip as required.

or just have the same gateway for all and base your policies on user-id only.....

Re: Multiple Portals/Gateways

GFN182 — Wed, 22 Sep 2021 19:20:11 GMT

Unfortunately the same user Id has multiple requirements.

Re: Multiple Portals/Gateways

reaper — Wed, 22 Sep 2021 19:24:18 GMT

Unless the authentication needs to be different, you can definitely stick to one portal.

Each gateway can have multiple configurations based on user group membership so you can assign different subnets to each user group.

In addition you can reuse those user groups in security rules to limit which access each group gets

If they need to be able to choose when they take certain access, you can set up 2 gateways on the one portal and allow them to pick which one to connect to manually. You can then assign them one IP pool on one gateway and another on the second gateway, then set security rules that allow them access based on user group and source subnet

Re: Multiple Portals/Gateways

Mick_Ball — Wed, 22 Sep 2021 19:26:06 GMT

I’m not sure why you would want to do that... could you explain why as it may assist in finding another solutiom.

Re: Multiple Portals/Gateways

TomYoung — Wed, 22 Sep 2021 19:32:43 GMT

Hi @GFN182 ,

Use groups in your security policy. You will need to configure group mapping, but with groups a single user can match multiple security policy rules. The user does not have to change gateways for different access rights.

Thanks,

Tom

Re: Multiple Portals/Gateways

GFN182 — Wed, 22 Sep 2021 19:57:11 GMT

The use case is mutually exclusive. One connection will login to our isolated cyber environment. The other connection will give access to our production environment.

Re: Multiple Portals/Gateways

GFN182 — Wed, 22 Sep 2021 19:58:15 GMT

Except i would belong to both groups

Re: Multiple Portals/Gateways

reaper — Wed, 22 Sep 2021 20:30:22 GMT

One portal, two gateways

GW1. Regular users and caseA access to production, IP poolA

GW2. CaseB access to cyber, IP pool B

Using two gateways allows manual selection to which environment to connect, security rules for user group and subnetA OR subnetB allow access to one or the other

For full segregation you could set up multiple virtual systems and host a gateway on each

Re: Multiple Portals/Gateways

TomYoung — Wed, 22 Sep 2021 22:30:11 GMT

Understood.

Re: Multiple Portals/Gateways

GFN182 — Mon, 27 Sep 2021 14:21:13 GMT

this sounds possible, i will give it a shot

Re: Multiple Portals/Gateways

GFN182 — Mon, 27 Sep 2021 14:22:54 GMT

Working with my SE he recommended using a loopback interface on a different port. He demonstrated this in his lab.

Re: Multiple Portals/Gateways

IT.OPS — Fri, 28 Jan 2022 17:22:55 GMT

I have different purpose (new certificate with different CN) to create a new/parallel portal&gateway (to keep the change transparent for end user/and to keep easy revert back possibilities in worst case), so when i try to create a new por+gw by adding new pub-IP on same internet interface, using new certificate, using new client iP pool range, i get below error while pushing the policy,

. SSLVPN: Invalid IPv4 pool value: xxxxxxxxxxxxxxxxxxx
. (Module: rasmgr)
. SSLVPN: failed to parse IP pool in tunnel xxxxxxxxxxx
. (Module: rasmgr)
. Parsing GlobalProtect gateway multi user configs failure
. (Module: rasmgr)
. Commit failed

I checked multiple times that there is no overlapping of client subnet that i am using, and subnet value is also perfect, its large enough, tried with /24, /22, but still not sure why its giving above error.

Is it possible to configure two portal/gateway on same interface but with two different pub IPs and different tunnel interface and different client IP ranges ?

Re: Multiple Portals/Gateways

GFN182 — Fri, 28 Jan 2022 21:57:18 GMT

you can't use two ip's on the same interface. Use a loopback interface to achieve your goals.