https://live.paloaltonetworks.com/t5/general-topics/global-protect-architecture/m-p/31199#M22823 <HTML><HEAD></HEAD><BODY><P>I am not sure if I am understanding your question correct. As long as the your local gateways are routable from the clients you should be good.In your case it sounds like you might want to authenticate once to the portal from where you will be routed to your nearest gateway depending upon the preference and ttl wherein you would authenticate again using your local area specific auth profile.Secondly for licensing you might want to refer this following doc:-<A _jive_internal="true" href="https://live.paloaltonetworks.com/docs/DOC-4768">https://live.paloaltonetworks.com/docs/DOC-4768</A> which suggests that a portal license is required for multiple gateways.</P><P>Also refer this tech note:- <A _jive_internal="true" href="https://live.paloaltonetworks.com/docs/DOC-2020">https://live.paloaltonetworks.com/docs/DOC-2020</A></P></BODY></HTML> Fri, 24 May 2013 04:45:32 GMT sraghunandan 2013-05-24T04:45:32Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-architecture/m-p/31198#M22822 <HTML><HEAD></HEAD><BODY><P>Guys ,</P><P>Need some guidance here . One of our client with an MPLS network wants to build a GP network . They are looking at buying a portal for a PA 5050 and have GP gateway licenses for each local box . The issue is the local boxes wre on different networks . All the users will hit the portal and the portal will now send them to their local gateway for authentication and authorization . I think it is possible with service route config and AD authentication .</P><P>Any one have an idea on this ?</P></BODY></HTML> Fri, 24 May 2013 00:14:57 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-architecture/m-p/31198#M22822 usvi 2013-05-24T00:14:57Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-architecture/m-p/31199#M22823 <HTML><HEAD></HEAD><BODY><P>I am not sure if I am understanding your question correct. As long as the your local gateways are routable from the clients you should be good.In your case it sounds like you might want to authenticate once to the portal from where you will be routed to your nearest gateway depending upon the preference and ttl wherein you would authenticate again using your local area specific auth profile.Secondly for licensing you might want to refer this following doc:-<A _jive_internal="true" href="https://live.paloaltonetworks.com/docs/DOC-4768">https://live.paloaltonetworks.com/docs/DOC-4768</A> which suggests that a portal license is required for multiple gateways.</P><P>Also refer this tech note:- <A _jive_internal="true" href="https://live.paloaltonetworks.com/docs/DOC-2020">https://live.paloaltonetworks.com/docs/DOC-2020</A></P></BODY></HTML> Fri, 24 May 2013 04:45:32 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-architecture/m-p/31199#M22823 sraghunandan 2013-05-24T04:45:32Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-architecture/m-p/31200#M22824 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P>Here is my question . You have a 5050 box with a portal license . It has an ip of 1.1.1.1 from the internet . Internally it has an ip of 10.10.10.1 . The internal is part of an mpls network made up of several independent networks running PAN boxes with GP licenses on them . Cust A has a 2020 with GP gateway license , Customer B has a 2050 . The goal is to have the 5050 portal license serve as the portal for all the PAN boxes with GP gateway licenses . The issue how will the Portal know which Gateway to forward the customer to . Say Cust A users connect to the 5050 portal , it needs to forward their ssl session to the 2020 , Cust B users need to be forwarded to the 2050 etc . That is what we need to figure out . </P></BODY></HTML> Fri, 24 May 2013 16:22:28 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-architecture/m-p/31200#M22824 usvi 2013-05-24T16:22:28Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-architecture/m-p/31201#M22825 <HTML><HEAD></HEAD><BODY><P>Also,</P><P>All the boxes are accessible on the MPLS network . </P></BODY></HTML> Fri, 24 May 2013 16:31:18 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-architecture/m-p/31201#M22825 usvi 2013-05-24T16:31:18Z