https://live.paloaltonetworks.com/t5/general-topics/add-backup-globalprotect-portal-to-globalprotect-client/m-p/1222654#M123501 <P>You need to add the second portal from the GP client on the PC. Click the GP client in the taskbar to open, click the menu icon in the upper-right corner and select "Settings", under the Connections section - Manage Portals and click the plus icon to add another Portal. Then you will be able to select the second Portal from the GP client Portal dropdown. You can also push these from a GPO/startup settings, but its a bit of a pain after the fact.</P> <P>&nbsp;</P> <P>Or you could do dual Portal A records and use a single name. Both Portals will need a security certificate with the hostname matching the A record.</P> Wed, 05 Mar 2025 00:18:46 GMT Adrian_Jensen 2025-03-05T00:18:46Z https://live.paloaltonetworks.com/t5/general-topics/add-backup-globalprotect-portal-to-globalprotect-client/m-p/1222327#M123451 <P>On our PA-1410 under Network - GlobalProtect - Portals - each of our portals (one on each interface for each ISP) - Agent - Agent Config - External Gateway I added gp2.domain.com to go along with gp.domain.com.&nbsp;</P> <P>I was thinking (hoping) that would update the GlobalProtect client to add the gp2.domain.com to the GlobalProtect client as a failover just in case gp.domain.com was not reachable. Don't care about load balancing the GP clients, just adding a level of redundancy to the client side.</P> <P>I don't think I am doing this right and figure there is another way to add a failover portal. Where should I be adding that? Or do I need to do something with the client on each machine?</P> <P>Thanks for any pointers!</P> Sat, 01 Mar 2025 01:38:58 GMT https://live.paloaltonetworks.com/t5/general-topics/add-backup-globalprotect-portal-to-globalprotect-client/m-p/1222327#M123451 inSync-MarkValpreda 2025-03-01T01:38:58Z https://live.paloaltonetworks.com/t5/general-topics/add-backup-globalprotect-portal-to-globalprotect-client/m-p/1222335#M123455 <P>You create only 1 portal.</P> <P>Run it on DMZ interface (2x ISP IPs natted to that DMZ IP tcp/80, tcp/443 and udp/4501).</P> <P>If your users are ok to add https:// manually in front of the portal to access portal address then 80 is not needed. Otherwise Palo will automatically redirect 80 to 443.</P> <P>Set up 2 A records pointing to 2 different ISP IPs (so DNS resolution gives back 2 IPs for same portal).</P> <P>Agent picks one of those IPs randomly to connect to portal.</P> <P>&nbsp;</P> <P>For gateways you set up 2 separate DNS records</P> <P>vpn-isp1.company.com</P> <P>vpn-isp2.company.com</P> <P>&nbsp;</P> <P>Run gateway on same DMZ portal natting public IPs to DMZ IP.</P> <P>Portal config hands out 2 gateways to agents.</P> <P>&nbsp;</P> <P>Agents perform latency test and connect through ISP that is closer by.</P> Sat, 01 Mar 2025 19:10:12 GMT https://live.paloaltonetworks.com/t5/general-topics/add-backup-globalprotect-portal-to-globalprotect-client/m-p/1222335#M123455 Raido_Rattameister 2025-03-01T19:10:12Z https://live.paloaltonetworks.com/t5/general-topics/add-backup-globalprotect-portal-to-globalprotect-client/m-p/1222424#M123469 <P>Appreciate the answer. I have inherited this set up, so all that configuration sounds a bit daunting! Is there anything I can do with the current setup to get the client to add another gateway? Maybe just add another DNS entry externally?</P> Mon, 03 Mar 2025 16:19:24 GMT https://live.paloaltonetworks.com/t5/general-topics/add-backup-globalprotect-portal-to-globalprotect-client/m-p/1222424#M123469 inSync-MarkValpreda 2025-03-03T16:19:24Z https://live.paloaltonetworks.com/t5/general-topics/add-backup-globalprotect-portal-to-globalprotect-client/m-p/1222438#M123471 <P>Gateways can be added under:</P> <P>Network &gt; GlobalProtect &gt; Portals &gt; Portal-Name &gt; Agent &gt; Agent-config-name &gt; External</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Raido_Rattameister_0-1741020081422.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/66288i0C2D32233D358F54/image-size/medium?v=v2&amp;px=400" role="button" title="Raido_Rattameister_0-1741020081422.png" alt="Raido_Rattameister_0-1741020081422.png" /></span></P> <P>&nbsp;</P> Mon, 03 Mar 2025 16:41:33 GMT https://live.paloaltonetworks.com/t5/general-topics/add-backup-globalprotect-portal-to-globalprotect-client/m-p/1222438#M123471 Raido_Rattameister 2025-03-03T16:41:33Z https://live.paloaltonetworks.com/t5/general-topics/add-backup-globalprotect-portal-to-globalprotect-client/m-p/1222466#M123479 <P>Thank you. I will give that a shot and see how it goes.</P> Mon, 03 Mar 2025 20:42:53 GMT https://live.paloaltonetworks.com/t5/general-topics/add-backup-globalprotect-portal-to-globalprotect-client/m-p/1222466#M123479 inSync-MarkValpreda 2025-03-03T20:42:53Z https://live.paloaltonetworks.com/t5/general-topics/add-backup-globalprotect-portal-to-globalprotect-client/m-p/1222642#M123498 <P>I run two portals, each on its own ISP interface and routing tables, with multiple Gateways as well. That way you can have different config options on different Portals/Gateways and redirect clients to one or the other based on demand. It also allows you to have test Portals/Gateways for new configs without disturbing active clients.</P> Tue, 04 Mar 2025 21:16:07 GMT https://live.paloaltonetworks.com/t5/general-topics/add-backup-globalprotect-portal-to-globalprotect-client/m-p/1222642#M123498 Adrian_Jensen 2025-03-04T21:16:07Z https://live.paloaltonetworks.com/t5/general-topics/add-backup-globalprotect-portal-to-globalprotect-client/m-p/1222653#M123500 <P>I added the additional external portals on the PA-1410 but not seeing it on the client. Unless I am not looking in the right place....</P> <P>If I go to settings in GP, I see just a single portal listed.</P> <P>Should I just have 2x A entries in DNS for gp.domain.com instead?&nbsp;</P> Tue, 04 Mar 2025 23:28:43 GMT https://live.paloaltonetworks.com/t5/general-topics/add-backup-globalprotect-portal-to-globalprotect-client/m-p/1222653#M123500 inSync-MarkValpreda 2025-03-04T23:28:43Z https://live.paloaltonetworks.com/t5/general-topics/add-backup-globalprotect-portal-to-globalprotect-client/m-p/1222654#M123501 <P>You need to add the second portal from the GP client on the PC. Click the GP client in the taskbar to open, click the menu icon in the upper-right corner and select "Settings", under the Connections section - Manage Portals and click the plus icon to add another Portal. Then you will be able to select the second Portal from the GP client Portal dropdown. You can also push these from a GPO/startup settings, but its a bit of a pain after the fact.</P> <P>&nbsp;</P> <P>Or you could do dual Portal A records and use a single name. Both Portals will need a security certificate with the hostname matching the A record.</P> Wed, 05 Mar 2025 00:18:46 GMT https://live.paloaltonetworks.com/t5/general-topics/add-backup-globalprotect-portal-to-globalprotect-client/m-p/1222654#M123501 Adrian_Jensen 2025-03-05T00:18:46Z https://live.paloaltonetworks.com/t5/general-topics/add-backup-globalprotect-portal-to-globalprotect-client/m-p/1222796#M123516 <P>This solution adds additional "Change Gateway" droppdown.</P> <P>If it is not visible it means your agent has not refreshed config from portal yet.</P> <P>Click on hamburger menu in GlobalProtect agent (3 lines top right) and choose "Refresh Connection" to force config sync from portal to agent.</P> <P>&nbsp;</P> <P>Adding second portal is more cumbersome to the user but can be done from agent itself if needed.</P> Wed, 05 Mar 2025 16:18:37 GMT https://live.paloaltonetworks.com/t5/general-topics/add-backup-globalprotect-portal-to-globalprotect-client/m-p/1222796#M123516 Raido_Rattameister 2025-03-05T16:18:37Z