https://live.paloaltonetworks.com/t5/vm-series-in-the-private-cloud/second-global-protect-gateway/m-p/473050#M26 <P>Up to now I've just had a single portal and gateway on an existing PAN 3220 pair.&nbsp;<BR />I had a couple of questions..&nbsp;</P><P>&nbsp;</P><P>1) What determines when traffic gets sent to the second gateway instead of the on-board gateway?</P><P>&nbsp;</P><P>2) Can the same certificate be used for both gateways? I use certificate based authentication. The server certificate on the existing firewall is gp.acme.com - would this same certificate go onto the new gateway as well? I ask as the two gateways would have different IP addresses.&nbsp;<BR /><BR /></P><P>3) If the virtual PAN/secondary gateway was on the inside of DMZ interface of the hardware PAN, would it be still able to serve as the secondary gateway?</P> Mon, 14 Mar 2022 23:57:03 GMT palomed 2022-03-14T23:57:03Z https://live.paloaltonetworks.com/t5/vm-series-in-the-private-cloud/second-global-protect-gateway/m-p/473050#M26 <P>Up to now I've just had a single portal and gateway on an existing PAN 3220 pair.&nbsp;<BR />I had a couple of questions..&nbsp;</P><P>&nbsp;</P><P>1) What determines when traffic gets sent to the second gateway instead of the on-board gateway?</P><P>&nbsp;</P><P>2) Can the same certificate be used for both gateways? I use certificate based authentication. The server certificate on the existing firewall is gp.acme.com - would this same certificate go onto the new gateway as well? I ask as the two gateways would have different IP addresses.&nbsp;<BR /><BR /></P><P>3) If the virtual PAN/secondary gateway was on the inside of DMZ interface of the hardware PAN, would it be still able to serve as the secondary gateway?</P> Mon, 14 Mar 2022 23:57:03 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-private-cloud/second-global-protect-gateway/m-p/473050#M26 palomed 2022-03-14T23:57:03Z https://live.paloaltonetworks.com/t5/vm-series-in-the-private-cloud/second-global-protect-gateway/m-p/473382#M27 <P>1) What determines when traffic gets sent to the second gateway instead of the on-board gateway?</P><P>-Based on your config on portal.</P><P>-If you choose auto gateway selection with same weight it uses ssl response time. You can see it on PANGPS log and PANGPA logs.</P><P>&nbsp;</P><P>2) Can the same certificate be used for both gateways? I use certificate based authentication. The server certificate on the existing firewall is gp.acme.com - would this same certificate go onto the new gateway as well? I ask as the two gateways would have different IP addresses.&nbsp;</P><P>-For gateway config if you have wildcard certificate which is not recommended but somehow it works you can use.</P><P>-If you have a wildcard certificate which has your two gateway FQDN address&nbsp; as subject alt name it works and recommended you can use.</P><P>Else, (An idea, I did not try.)</P><P>İf you create two DNS record for your VPN gateways and portals example;</P><P>DNS Record1 vpn.acme.com = 1.2.3.4</P><P>DNS Record2 vpn.acme.com = 1.2.3.5</P><P>Same certificate should be usable. User will connect which response (faster one) they get.</P><P>&nbsp;</P><P>You mentioned "I use certificate based authentication. "</P><P>İt is a authentication mechanism which is not related gatway and portal certificate config. You can use same Autjentication Certificate profile for other gateways.</P><P>&nbsp;</P><P>3) If the virtual PAN/secondary gateway was on the inside of DMZ interface of the hardware PAN, would it be still able to serve as the secondary gateway?</P><P>İf its behind NAT (Not reccomended because NAT means you are making packets more small so SSL connections may be fail.) After Creating requered rule on Hardware PAN should work.</P><P>Another Option create sub interfaces on Hardware PAN and serve more than one Portal and Gateway on same firewall (I am running 8 Portal and different gateway on same Hardware PAN).</P><P>&nbsp;</P><P>I suggest before taking action Create a test gateway and portal then see results.</P><P>&nbsp;</P><P>Have a nice day.</P> Tue, 15 Mar 2022 20:22:11 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-private-cloud/second-global-protect-gateway/m-p/473382#M27 upelister 2022-03-15T20:22:11Z