topic Down a Global Protect Gateway in GlobalProtect Discussions

Down a Global Protect Gateway

DrewNumberTwo — Wed, 04 Dec 2024 21:50:46 GMT

I was presented with a interesting question. If the inside interface of a Firewall hosting an external Gateway is down, will the Palo allow users to still connect to that Gateway

My testing has indicated, yes users will connect but be dead in the water because the firewall has no where to send the on-prem traffic.

If this is correct, then is there any method that would allow us to down the outside interface, GP Tunnel interface, or another method that would prevent users from connecting to a gateway that has a downed inside interface.

Re: Down a Global Protect Gateway

reaper — Tue, 10 Dec 2024 11:41:58 GMT

interesting take 🙂

here's a couple ideas:

1. set the authentication method for your users to an internal server (behind the internal interface) so authentication becomes impossible if that interface goes down

2. set your default route up with path monitoring, and target something internal.

3. actually attach the globalprotect gateway to the internal interface and use NAT to redirect traffic inbound

Re: Down a Global Protect Gateway

DrewNumberTwo — Tue, 10 Dec 2024 14:22:56 GMT

Thanks for the reply and all are good ideas.
1. I think the issue here is that the portal still sends users to a gateway that goes nowhere. The Gateway is not checking to see if it can authenticate prior to accepting users as I understand.
2. The trick here is that you seemingly cannot pull a route from monitoring that is not pinging from that interface. We were unable to get the outside interface with the 0.0.0.0 route to ping inside successfully. Unless we missed something
3. Interesting thought I will maybe have to lab it up to see if that works.