https://live.paloaltonetworks.com/t5/general-topics/globalprotect-portal-availability/m-p/175276#M54947 <P>Hello, &nbsp;</P><P>&nbsp;</P><P>We have a primary and secondary datacenter. &nbsp;We have a Palo NGFW with Portal and GW configured at our primary DC and a second Palo NGFW configured as an additional GW at our secondary DC. &nbsp;Portal configuration has both GW's setup with the primary datacenter GW as higher priority. &nbsp;If the primary datacenter fails or access to the portal fails, will the existing clients with existing configurations just connect to the secondary datacenter? &nbsp;I understand that the clients need to talk with the portal to get the initial configurations and specifically the list of GWs but after they have this, can the portal fail and they will just connect via the priority 2 GW without access to the portal? &nbsp;</P><P>&nbsp;</P><P>If the Portal is absolutely necessary for client connections each and every time (even if there are no updates to configuration), is there a better means to deal with a single portal and multiple GWs in different datacenters? &nbsp;Or do i just default to setting up the secondary datacenter Palo NGFW as its own independant portal and gw and just use the same DNS name/cert and change DNS record in the case of a failure?</P> Wed, 06 Sep 2017 22:16:54 GMT Baker1 2017-09-06T22:16:54Z https://live.paloaltonetworks.com/t5/general-topics/globalprotect-portal-availability/m-p/175276#M54947 <P>Hello, &nbsp;</P><P>&nbsp;</P><P>We have a primary and secondary datacenter. &nbsp;We have a Palo NGFW with Portal and GW configured at our primary DC and a second Palo NGFW configured as an additional GW at our secondary DC. &nbsp;Portal configuration has both GW's setup with the primary datacenter GW as higher priority. &nbsp;If the primary datacenter fails or access to the portal fails, will the existing clients with existing configurations just connect to the secondary datacenter? &nbsp;I understand that the clients need to talk with the portal to get the initial configurations and specifically the list of GWs but after they have this, can the portal fail and they will just connect via the priority 2 GW without access to the portal? &nbsp;</P><P>&nbsp;</P><P>If the Portal is absolutely necessary for client connections each and every time (even if there are no updates to configuration), is there a better means to deal with a single portal and multiple GWs in different datacenters? &nbsp;Or do i just default to setting up the secondary datacenter Palo NGFW as its own independant portal and gw and just use the same DNS name/cert and change DNS record in the case of a failure?</P> Wed, 06 Sep 2017 22:16:54 GMT https://live.paloaltonetworks.com/t5/general-topics/globalprotect-portal-availability/m-p/175276#M54947 Baker1 2017-09-06T22:16:54Z https://live.paloaltonetworks.com/t5/general-topics/globalprotect-portal-availability/m-p/175290#M54950 <P><A href="https://www.paloaltonetworks.com/documentation/80/globalprotect/globalprotect-admin-guide/globalprotect-architecture/globalprotect-reference-architecture-features/monitoring-and-high-availability" target="_self">https://www.paloaltonetworks.com/documentation/80/globalprotect/globalprotect-admin-guide/globalprotect-architecture/globalprotect-reference-architecture-features/monitoring-and-high-availability</A></P><P>&nbsp;</P><P>"...<SPAN>If the portal becomes unavailable, new users (who have never connected to the portal before) will not be able to connect to GlobalProtect. However, existing users can use the cached portal client configuration to connect to one of the gateways."</SPAN></P><P>&nbsp;</P><P><SPAN>Yes, if the portal fails, the clients still have a cached list of gateways where they can connect. &nbsp;</SPAN></P> Wed, 06 Sep 2017 22:40:30 GMT https://live.paloaltonetworks.com/t5/general-topics/globalprotect-portal-availability/m-p/175290#M54950 jvalentine 2017-09-06T22:40:30Z