https://live.paloaltonetworks.com/t5/general-topics/global-protect-and-two-gateway/m-p/33175#M24320 <HTML><HEAD></HEAD><BODY><P>Good Morning Slawek,</P><P>For a multiple gateway scenario, ensure that you have the multiple gateway licenses. In addition to that, the GP users when connecting to the firewalls, would always first authenticate on the portal and then to the gateway. If the users have to be authenticated via Radius, create an authentication sequence that uses both the LDAP and the Radius and use this sequence under the portal authentication, so that if the users connecting to the gateway2, cannot be authenticated via LDAP, then they can fall back to the Radius Authentication. </P><P></P><P>Once they get authenticated, they next connect to the gateway. Ensure that you are using the same Radius server for authenticating when connecting to the Gateway.</P><P></P><P>We can connect to a gateway manually. See the below link that has a video explaining the same:</P><P></P><P><A _jive_internal="true" class="active_link" href="https://live.paloaltonetworks.com/videos/1275">https://live.paloaltonetworks.com/videos/1275</A></P></BODY></HTML> Mon, 24 Jun 2013 13:52:03 GMT kprakash 2013-06-24T13:52:03Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-and-two-gateway/m-p/33171#M24316 <HTML><HEAD></HEAD><BODY><P>Hello</P><P></P><P>I have PA200 without licence for second GP Portal.</P><P>I did a second gateway because I thought that this should solve my problem.</P><P></P><P>I need to let access to some website to my users but with my IP address. Thease people has accounts on radius server. I did second gateway for them.</P><P>I have separate IP and SSL certyfiacate for this, separate config (different VPN network, tunnel interface, authentication profile).</P><P></P><P>But when I try to point to GP Client to use gateway2 as a portal it's complain about certificate. I know that I sould put there a portal url not gateway! - but how to tell to GP client to use second gateway?</P><P></P><P>On my first gateway are logging peopple that has accounts on ActiveDirectory or locally on PA device.</P><P></P><P>I thought of using only one gateway but then I will be unable to recognize users in security policies (create rules for users fro AD different that from Radius.)</P><P></P><P>sorry for my english ... but I hope that you undertand what I'm trying to do.</P><P></P><P>If I'm wrong - in which situation we are using more than one gateway?</P><P></P><P>With regards</P><P>Slawek</P></BODY></HTML> Mon, 24 Jun 2013 11:29:31 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-and-two-gateway/m-p/33171#M24316 _slv_ 2013-06-24T11:29:31Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-and-two-gateway/m-p/33172#M24317 <HTML><HEAD></HEAD><BODY><P>you configured 2 portals and 2 gateway ?</P></BODY></HTML> Mon, 24 Jun 2013 11:34:53 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-and-two-gateway/m-p/33172#M24317 Retired Member 2013-06-24T11:34:53Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-and-two-gateway/m-p/33173#M24318 <HTML><HEAD></HEAD><BODY><P>I configured one portal and two gateways.</P></BODY></HTML> Mon, 24 Jun 2013 11:43:34 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-and-two-gateway/m-p/33173#M24318 _slv_ 2013-06-24T11:43:34Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-and-two-gateway/m-p/33174#M24319 <HTML><HEAD></HEAD><BODY><P>"But when I try to point to GP Client to use gateway2 as a portal it's complain about certificate"</P><P></P><P>You can't do that.every client should connect to portal first.</P><P>you need a license for 2 gateways</P><P>without license you can only use</P><P>2portals each have one gateway</P></BODY></HTML> Mon, 24 Jun 2013 11:47:13 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-and-two-gateway/m-p/33174#M24319 Retired Member 2013-06-24T11:47:13Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-and-two-gateway/m-p/33175#M24320 <HTML><HEAD></HEAD><BODY><P>Good Morning Slawek,</P><P>For a multiple gateway scenario, ensure that you have the multiple gateway licenses. In addition to that, the GP users when connecting to the firewalls, would always first authenticate on the portal and then to the gateway. If the users have to be authenticated via Radius, create an authentication sequence that uses both the LDAP and the Radius and use this sequence under the portal authentication, so that if the users connecting to the gateway2, cannot be authenticated via LDAP, then they can fall back to the Radius Authentication. </P><P></P><P>Once they get authenticated, they next connect to the gateway. Ensure that you are using the same Radius server for authenticating when connecting to the Gateway.</P><P></P><P>We can connect to a gateway manually. See the below link that has a video explaining the same:</P><P></P><P><A _jive_internal="true" class="active_link" href="https://live.paloaltonetworks.com/videos/1275">https://live.paloaltonetworks.com/videos/1275</A></P></BODY></HTML> Mon, 24 Jun 2013 13:52:03 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-and-two-gateway/m-p/33175#M24320 kprakash 2013-06-24T13:52:03Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-and-two-gateway/m-p/33176#M24321 <HTML><HEAD></HEAD><BODY><P>hmm thats interesting why my PA200 dosn't complain about licences during commit proces (when I have one portal and two gateways)</P></BODY></HTML> Tue, 25 Jun 2013 10:32:05 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-and-two-gateway/m-p/33176#M24321 _slv_ 2013-06-25T10:32:05Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-and-two-gateway/m-p/33177#M24322 <HTML><HEAD></HEAD><BODY><P>That is because you are configuring Global protect gateway but inside Global Protect Portal defining 2 gateways will change the behaviour.you will get notification for license.</P></BODY></HTML> Tue, 25 Jun 2013 10:50:55 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-and-two-gateway/m-p/33177#M24322 Retired Member 2013-06-25T10:50:55Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-and-two-gateway/m-p/33178#M24323 <HTML><HEAD></HEAD><BODY><P>Thank you for all of you.</P><P></P><P>Now i have two portals and it's seems to be working.</P><P>I know that I can use authentication sequence but for second GP portal there must by Radius only auth. </P><P></P><P>Now I have to do NAT with special IP for second GP gateway. I did nat rule with filter for source adresses (second gateway has different network adresses than first) but I stuck with security policy.</P><P>Because both of my GP are in the same zone (on PA200 I have very limited amount of zones) I need to use filter for source addresses. Do I have other options? Can I select users authenticated by radius server? ( I can't see such option but maybe I'm wrong...).</P><P></P><P>My security polices:</P><P><IMG alt="2013-06-25_131832.png" class="jive-image-thumbnail jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/7082_2013-06-25_131832.png" width="450" /></P><P>and security policies</P><P><IMG alt="2013-06-25_131810.png" class="jive-image-thumbnail jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/7083_2013-06-25_131810.png" width="450" /></P><P>In this situation do I need "GP to internet" or "VPN NAT" is enought?</P><P>I put "GP blokada" right after allow policies because I need to limit access to internet only - is it correct?</P><P></P><P>Regards</P><P>SLawek</P></BODY></HTML> Tue, 25 Jun 2013 11:29:07 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-and-two-gateway/m-p/33178#M24323 _slv_ 2013-06-25T11:29:07Z