GlobalProtect GW redundancy and preemption

UrosSustar — Mon, 12 Sep 2022 13:13:11 GMT

Does anyone know if GW preemption can be achieved with GlobalProtect Agent?

Meaning, that we use primary and secondary GW, whereas secondary GW should be used only in case primary is not reachable.

So far, the failover to secondary GW works perfectly if the primary becomes unreachable, however, as soon the primary becomes available again it doesn't fall back. Primary GW has the highest priority and secondary GW the lowest.

Is such a scenario possible?

Re: GlobalProtect GW redundancy and preemption

Adrian_Jensen — Mon, 12 Sep 2022 17:26:01 GMT

I do not believe there are any preemption options for the gateway. Failover from the primary to secondary works because the client will automatically try to reconnect when is loses connection to the gateway, so it will test the primary, find it is unreachable, and then fail to the secondary. But when the primary comes back up it is already connected (to the secondary) gateway), so there is no reason to retest. Clients should automatically return to the primary gateway when the maximum VPN lifetime expires, though this may take considerable time (I believe the default is 30 days).

Some options might be: decrease the VPN lifetime; tell clients to manually switch back to the primary; or block the secondary gateway to force clients back to the primary.

topic Re: GlobalProtect GW redundancy and preemption in GlobalProtect Discussions

GlobalProtect GW redundancy and preemption

Re: GlobalProtect GW redundancy and preemption