Can I create a dual globalprotect gateway on my firewall with ISP failover?

Gabriel.Buldiman — Fri, 18 Dec 2020 07:15:14 GMT

We have 2 ISP on our PA-850. We have 1 VR with both ISP set as the default route for primary and backup internet (different metrics) with a static route monitoring failover process. I have configured ISP1 for GP-gateway1 and and ISP2 for GP-gateway2. In this case, I wasn't able to connect to the second GP-gateway.

I tried configuring 2 VRs, ISP1 as default route for VR1 and ISP2 as default route for VR2. This way, I was able to connect to both GP gateway simultaneously. How do I do the failover in this scenario? What I want to achieve is, all traffic coming in from internal, ipsec and GlobalProtect regardless of the VR, will forward it on ISP1. If ISP1 will go down, all traffic will shift to ISP2.

Found this article https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClU8CAK

but it doesnt say anything about failover.

Is this doable by using policy based forwarding? if so, how do I configure it on the VRs including the ipsecs and GP tunnels.

Re: Can I create a dual globalprotect gateway on my firewall with ISP failover?

Sarc845 — Fri, 18 Dec 2020 12:01:20 GMT

Hey Gabriel,

I would test using path-monitoring setup similar to the below and create the same for the second route on the SAME VR:

Once the ISP Peer becomes unreachable via ICMP it will remove it from the routing table and fall back to the failover default route:

And then create the same setup for the second VR

EDIT: Remember to set a higher metric for the failover route and note the failover route routes to the next VR

topic Can I create a dual globalprotect gateway on my firewall with ISP failover? in GlobalProtect Discussions

Can I create a dual globalprotect gateway on my firewall with ISP failover?

Re: Can I create a dual globalprotect gateway on my firewall with ISP failover?