topic Re: global protect multiple portal issue in General Topics

global protect multiple portal issue

NIRAVK9 — Wed, 15 Nov 2017 16:43:07 GMT

We want to configure Portal level redundancy in Global protect .If we bind 2 IPs of 2 different location firewalls to our portal address then how does clinent interpret the DNS resolution .after how much time client will try on another system

Re: global protect multiple portal issue

bmorris1 — Wed, 15 Nov 2017 17:05:28 GMT

Hi @NIRAVK9,

You would need a script to automatically modify the DNS record if the 1st site was to go down. You can poll the firewall to see if it is up/interface up using SNMP.

Though you can set the portal cookie to stay for a week on clients so they only need to connect to the portal once every 5-7 days, this is usually enough time to get the portal up and running again if it goes down (RMA/case with ISP etc.).

Alternatively you could look at GP in the cloud?

https://www.paloaltonetworks.com/products/innovations/globalprotect-cloud-service

hope this helps,

Ben

Re: global protect multiple portal issue

Mick_Ball — Wed, 15 Nov 2017 17:16:50 GMT

@bmorris1. Hi..

Though you can set the portal cookie to stay for a week on clients so they only need to connect to the portal once every 5-7 days

is this in the GP App config,

Re: global protect multiple portal issue

NIRAVK9 — Thu, 16 Nov 2017 09:34:05 GMT

@bmorris1thankyou for the response. Whwre can i find the cookie setting?

if i map 2 IPs to portal address,then whether GP client will try to both Ips one by one ??

Re: global protect multiple portal issue

bmorris1 — Thu, 16 Nov 2017 09:49:32 GMT

@Mick_Ball

Yes it is in the GP app config, in the GP portal

@NIRAVK9 I'm not sure on this one as I have never done it myself as I've never needed portal redundancy due the above cookie authentication.

A solution may be to allow users to change the portal address and use different portals but the same gateways. GP should connect to the gateway that responds first.

Re: global protect multiple portal issue

Mick_Ball — Thu, 16 Nov 2017 09:55:15 GMT

if DNS resolves to 2 ip addresses your globalprotect client will only recieve 1.

if the portal connection fails then nothing else will happen.

if you reconnect GP then it may get the same address or it may get the second address. it's pretty random and probably not a good idea to use this for redundancy.

this is known as DNS "round robin"

i would still like to know also about the cookie setting. where is it...

Re: global protect multiple portal issue

Mick_Ball — Thu, 16 Nov 2017 09:57:07 GMT

sorry @bmorris1, just posted after you...

Re: global protect multiple portal issue

NIRAVK9 — Thu, 16 Nov 2017 10:04:03 GMT

BUt isn't this cookie only for authnetication prupose.?

or the cookie also saves the gateways sent to client during previous connect to portal?

Re: global protect multiple portal issue

Mick_Ball — Thu, 16 Nov 2017 10:10:31 GMT

cookie authentication.,,,,,,,

i dont think "cookie auth" answers your question but if you use GP with portal auth only that generates a cookie for the gateway auth then you will need to extend this for when your portal fails.

i don't think the cached portal ever expires. i only say this because i cannot see any info/help/advice.

somebody else can jump in if they can advise further.

Re: global protect multiple portal issue

NIRAVK9 — Thu, 16 Nov 2017 10:15:04 GMT

Thankyou @bmorris1 .

Just to make my question more clearer

What i am looking for is that when my primary portal fails/goes down then

1) whether client still try to get the gateway from its cache and connect to one of the gateway which was given to it when it last conencted to portal

2) whether thwere is any way at DNS provider end that i can change the IP mapped to portal address to my secondary location address

Re: global protect multiple portal issue

Mick_Ball — Thu, 16 Nov 2017 10:22:04 GMT

@NIRAVK9.

1) whether client still try to get the gateway from its cache and connect to one of the gateway which was given to it when it last conencted to portal

Yes.

2) whether thwere is any way at DNS provider end that i can change the IP mapped to portal address to my secondary location address

yes. we have access tou our DNS records and can change them any time. this will depend on your provider. you may have to call/log a call with them.

please note that it will not be an immediate change. DNS replication is quite fast these days but it could take up to 24 hours to fully replicate across www.

Re: global protect multiple portal issue

NIRAVK9 — Thu, 16 Nov 2017 10:32:09 GMT

1) so for first is there ant way i can see where is this cache stored in users machine and how long it will be there?

Re: global protect multiple portal issue

Mick_Ball — Thu, 16 Nov 2017 10:49:11 GMT

i have no idea, i doubt you will be able to see it.

Re: global protect multiple portal issue

Mick_Ball — Thu, 16 Nov 2017 10:51:48 GMT

in you host file within windows you could try to add your portal to a non existent address. try to connect GP and check to see what it says in the logs.

i've only ever seen "using cached portal" but there may be other info...