topic Re: Giving users the ability to select a different gateway in GlobalProtect Discussions

Giving users the ability to select a different gateway

StephenGilder — Thu, 25 May 2023 21:22:50 GMT

We have multiple gateways in our environment. Our default agent profile has always on configured. Users are balanced across the gateways.

We have a troubleshooting profile that gives users the option to disconnect and choose to try and switch to a different gateway.
My question is that I would like to configure a profile that is always on but gives the user the option to switch gateways but does not give the option to disable/disconnect from VPN.
Is this possible? If so how?

The reason for this is if users get on to a gateway that doesn't work well for them for what ever reason, they are hitting refresh multiple times until they eventually get to a gateway that works better for them geographically.

Network->Global Protect->Portals->Agent->App->
Configuration: 'Allow user to disconnect GlobalProtect App (Always-on mode)'
This is currently set to Disallow.
The Troubleshooting profile has this set to 'allow with comments'
The ability to choose the gateway seems to be a side effect of allowing it to be disabled.
I don't want to allow disconnect, however, I do want to allow the option shown below to choose a gateway, but I do not see that as an option in the list of configuration items in this area of the config.
Images while connected to the troubleshooting profile:

This is what the normal user agent profile looks like. The Gateway selection is not shown, nor is the disable option:

Re: Giving users the ability to select a different gateway

TomYoung — Thu, 25 May 2023 21:45:22 GMT

Hi @StephenGilder ,

If you want the user to manually select a gateway, you change the Network > GlobalProtect > Portals > [edit portal] > Agent > [edit config] > External > [edit gateway] > Priority > Manual only.

You can combine Manual-only with Always On but GP will not connect until the user selects a gateway. https://docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/globalprotect-quick-configs/mixed-internal-and-external-gateway-configuration.

I am curious if that combination allows the user to switch gateways after they connect. Would you mind testing?

Thanks,

Tom

Re: Giving users the ability to select a different gateway

StephenGilder — Thu, 25 May 2023 22:39:48 GMT

I think you might be on to something! Looking at the existing troubleshooting profile, the manual box is checked for all of the gateways. I was not aware of the setting:

I've cloned the default profile that most users hit and have put just my login on there.
I've now added that manual check box to all the gateways and looks like that did achieve the goal of giving the option to choose manually with out giving the option to disconnect.

I will have to do some more testing to confirm whether or not it truly does stay always on, but I think it will since we have pre-login connections enabled.

Re: Giving users the ability to select a different gateway

StephenGilder — Thu, 25 May 2023 22:44:44 GMT

I looked a little closer at the link you provided. The 'Manual Only' you mentioned is for the Priority.(in blue) However, what I found was a check box that lets the user manually select a gateway. That option appears to be the one I needed (In Yellow)

Re: Giving users the ability to select a different gateway

TomYoung — Thu, 25 May 2023 22:55:07 GMT

Excellent! Thank you for the clarification.

Are you able to switch gateways once connected?

Re: Giving users the ability to select a different gateway

StephenGilder — Thu, 25 May 2023 23:06:42 GMT

Yes. The VPN comes on automatically when the computer boots up and I login and once connected to what ever gateway gets picked based on priority, I am able to hit the drop down and choose a different gateway to connect to.
Works exactly like what I was looking to do.
Thank You very much for pointing me in the right direction!