topic Multiple GlobalProtect gateways on same firewall- ASA to Palo migration in General Topics

Multiple GlobalProtect gateways on same firewall- ASA to Palo migration

Sushilc — Mon, 13 Jun 2016 01:51:01 GMT

Hello there,

I am working on a migration- ASA to Palo. ASA has muliple remote access vpn's setup - all terminating on outside interface ip address. For example, a RA vpn for employees - authenticating against AD, another for contractors- user accounts created locally on ASA. The IP Pool is different in call instances.

Now, I want to create a like for like RA vpn setup on Palo. I understand I can use physical interface public ip address for my portal and 1st gateway.

Question: what about the second gateway? can it be created utilizing the same public ip address so that whether it's an employee or contractor- they all connect to the same public IP address- and depending on how they authenticate they get different access? I will need multiple gateways so as to define 1. first gateway- authenticate via AD, second via LOCAL accounts created on the firewall. Apologies, I am somewhat new to Palo Alto firewalls and this is my 1st projet.

Re: Multiple GlobalProtect gateways on same firewall- ASA to Palo migration

tsrivastav — Mon, 13 Jun 2016 11:37:44 GMT

From the above description i understand that you only want to use multiple gateway so that you can have different authentication profile for different users

If you have used one ip adderss as your gateway you will not be able to call the same ip address again to create a gateway again.

# One solution for your requirement is to use Authentication Sequence.

# Call multiple auth profile in authentication sequence and call this auth sequen under your gateway( in place of auth profile )

some details for auth sequence

In some environments, user accounts reside in multiple directories (for example, local database, LDAP, and RADIUS). An authentication sequence is a set of authentication profiles that the Palo Alto Networks device tries to use for authenticating users when they log in. The device tries the profiles sequentially from the top of the list to the bottom—applying the authentication, Kerberos single sign-on, allows list, and account lockout values for each—until one profile successfully authenticates the user. The device only denies access if all profiles in the sequence fail to authenticate.

I hope this may fulfil you requirements

Thank You

Re: Multiple GlobalProtect gateways on same firewall- ASA to Palo migration

bmorris1 — Mon, 13 Jun 2016 14:41:55 GMT

Hi,

I think the best way to solve this problem would be to have multiple client configurations but only use 1 portal and 1 gateway.

I have grabbed a few screenshots of a simple configuration for you to take a look at below, you can control access based on users & groups in your policies.

hope this helps,

Ben