topic Re: Multiple Global Protect gateways on same firewall in General Topics

Multiple Global Protect gateways on same firewall

Nathan.McCart — Thu, 22 Oct 2015 20:52:47 GMT

I have a PA-3020 that will have two ISP connections. Primary ISP interface will be used for the Global Protect Portal and Primary Gateway using tunnel.1. Is it possible to have a second gateway using tunnel.2 on the same firewall using the secondary ISP interface?

Also, if the Portal is only on the primary ISP interface and that connection is down making the Portal unreachable, will the GP Client still connect to the secondary Gateway?

Re: Multiple Global Protect gateways on same firewall

Raido_Rattameister — Thu, 22 Oct 2015 21:05:40 GMT

Yes you can have multiple gateways.

Just run it on interface of diferent isp connection.

Clients should cache gateway information they get from portal so even if portal is down they try to connect to gateways they have in their cache.

Re: Multiple Global Protect gateways on same firewall

OtakarKlier — Thu, 22 Oct 2015 21:06:42 GMT

I know I have used the following to help me out in the past. It should be possible, but its gonna task some whiteboarding to making it work properly.

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-a-Palo-Alto-Networks-Firewall-with-Dual-ISPs/ta-p/59774

Hope this helps...

Re: Multiple Global Protect gateways on same firewall

Nathan.McCart — Thu, 22 Oct 2015 23:26:11 GMT

I was going to use PBF rules to manage the traffic. Would it be better to have two VRs to handle each ISP routing table?

Re: Multiple Global Protect gateways on same firewall

OtakarKlier — Fri, 23 Oct 2015 13:42:53 GMT

You can use just one, especially if you are using dynamic routing such as OSPF (I have had issues with this in the past without using physical interfaces. There are documents out there that show how to do this with one VR.

Re: Multiple Global Protect gateways on same firewall

Nathan.McCart — Thu, 29 Oct 2015 15:59:44 GMT

I ended up using two virtual routers and it was fine. The ISPs are set up as active/passive so the second gateway is used when the primary gateway is down.

Re: Multiple Global Protect gateways on same firewall

Matteo — Thu, 19 Mar 2020 10:35:22 GMT

but how do you reach the internal if on the interface like lan you can only connect one VR? how do you route the traffic

Re: Multiple Global Protect gateways on same firewall

mariocutroneo — Tue, 24 Mar 2020 09:37:26 GMT

same problem here... how do you route the traffic to the internal lan?
thank you

Re: Multiple Global Protect gateways on same firewall

StevenEerdekens — Fri, 17 Apr 2020 19:06:14 GMT

You have to add the routes of course from one VR to the other, using inter VR routes.

I have it working: even when ISP1 is up, I can connect to both gateways (ISP1 in VR1, ISP2 in VR2) and I can always reach my LAN 192.168.1.0/24

LAN resides in VR1

In VR1 I route the pool of Globalprotect gateway-ISP2 to VR2

In VR2 I route 192.168.1.0/24 to VR1

Re: Multiple Global Protect gateways on same firewall

jdelio — Thu, 04 Mar 2021 21:41:07 GMT

Just to let everyone know that a Blog has been written about this subject here:

https://live.paloaltonetworks.com/t5/blogs/multiple-globalprotect-portals-and-gateways/ba-p/360452

Please be sure to check it out.

Re: Multiple Global Protect gateways on same firewall

NickAssar — Sat, 06 May 2023 02:59:30 GMT

I know this post is fairly old, but thank you for this!! This was such a simple yet brilliant solution to overcome Palo Alto's terrible failure to track which interface a packet came in and should exit out of. This is also the only solution I was able to find that you can concurrently use both gateways on the same firewall over each ISP. Even better, this doesn't require loopback interfaces, NAT'ing, PBF rules, or even any sort of manual intervention when a failure occurs.