<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: GlobalProtect with Active/Active HA in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/globalprotect-with-active-active-ha/m-p/230470#M66228</link>
    <description>&lt;P&gt;So here's what I ended up doing.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;One portal.&amp;nbsp; It's on a floating IP that floats from firewall to firewall as needed.&lt;/P&gt;&lt;P&gt;Two gateways, one for each firewall.&amp;nbsp; IP is on the interface itself, not floating.&amp;nbsp; Each gateway has its own block of IPs for VPN terminations.&amp;nbsp; Portal is configured to have both gateways with equal priority (let the client decide where to connect).&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;So far this is the cleanest and removes the routing problem.&amp;nbsp; The only issue is that failover is not clean for users that are currently connected as the client has to terminate one tunnel and reconnect to the other gateway, but it does work.&lt;/P&gt;</description>
    <pubDate>Tue, 11 Sep 2018 18:24:43 GMT</pubDate>
    <dc:creator>howardtopher</dc:creator>
    <dc:date>2018-09-11T18:24:43Z</dc:date>
    <item>
      <title>GlobalProtect with Active/Active HA</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/globalprotect-with-active-active-ha/m-p/229877#M66101</link>
      <description>&lt;P&gt;I'm having a hard time finding much, if any, documentation on this scenario.&amp;nbsp; I've tried a couple of ways of doing it and they work, but I'm trying to figure out the best way to do it while being as redundant as possible.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;What I like the best so far is to have the portal and a gateway up on a floating IP so it can bounce from one firewall to the other as needed.&amp;nbsp; However, doing that adds a route to the virtual router on both firewalls for the tunnel (client) addresses.&amp;nbsp; If a client connects and gets terminated on the tunnel interface on firewall 1, accesses a service, and then return traffic comes back into firewall 2, it dies because firewall 2 thinks the client is on its tunnel interface, when it isn't.&amp;nbsp; Does that make sense?&amp;nbsp; If there was a way to have the tunnel interface also follow the floating IP, that would be great.&amp;nbsp; This would only install the route on the firewall that needs it.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Another way I thought of doing it is a portal and gateway on firewall 1, and a portal and a gateway on firewall 2.&amp;nbsp; Then in my DNS, the portal DNS record (vpn.domain.com) answers with both portals and the gateway DNS record (gw.domain.com) answers with both gateways.&amp;nbsp; That doubles the configuration that has to be made, but solves the route being installed on both firewalls when clients are only connected to one firewall.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Is there a proper way to do this?&lt;/P&gt;</description>
      <pubDate>Fri, 07 Sep 2018 01:45:54 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/globalprotect-with-active-active-ha/m-p/229877#M66101</guid>
      <dc:creator>howardtopher</dc:creator>
      <dc:date>2018-09-07T01:45:54Z</dc:date>
    </item>
    <item>
      <title>Re: GlobalProtect with Active/Active HA</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/globalprotect-with-active-active-ha/m-p/229957#M66112</link>
      <description>&lt;P&gt;Can you not just have different IP pools/subnets for each gateway?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Not sure about dual DNS entries, as DNS will not offer both addresses; it will round-robin between the two.&lt;/P&gt;&lt;P&gt;If gateway 2 goes down, then the DNS may still offer GW2.&lt;/P&gt;</description>
      <pubDate>Fri, 07 Sep 2018 12:10:29 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/globalprotect-with-active-active-ha/m-p/229957#M66112</guid>
      <dc:creator>Mick_Ball</dc:creator>
      <dc:date>2018-09-07T12:10:29Z</dc:date>
    </item>
    <item>
      <title>Re: GlobalProtect with Active/Active HA</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/globalprotect-with-active-active-ha/m-p/230028#M66139</link>
      <description>&lt;P&gt;Yes, the DNS will round-robin, but the expectation is that if a gateway/portal had gone offline, users would still be able to get to the remaining one.&amp;nbsp; There might be a delay as the connection times out and DNS gets hit again.&amp;nbsp; Just a thought, but configuring a double of everything is a big pain.&lt;/P&gt;</description>
      <pubDate>Fri, 07 Sep 2018 17:17:47 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/globalprotect-with-active-active-ha/m-p/230028#M66139</guid>
      <dc:creator>howardtopher</dc:creator>
      <dc:date>2018-09-07T17:17:47Z</dc:date>
    </item>
    <item>
      <title>Re: GlobalProtect with Active/Active HA</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/globalprotect-with-active-active-ha/m-p/230470#M66228</link>
      <description>&lt;P&gt;So here's what I ended up doing.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;One portal.&amp;nbsp; It's on a floating IP that floats from firewall to firewall as needed.&lt;/P&gt;&lt;P&gt;Two gateways, one for each firewall.&amp;nbsp; IP is on the interface itself, not floating.&amp;nbsp; Each gateway has its own block of IPs for VPN terminations.&amp;nbsp; Portal is configured to have both gateways with equal priority (let the client decide where to connect).&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;So far this is the cleanest and removes the routing problem.&amp;nbsp; The only issue is that failover is not clean for users that are currently connected as the client has to terminate one tunnel and reconnect to the other gateway, but it does work.&lt;/P&gt;</description>
      <pubDate>Tue, 11 Sep 2018 18:24:43 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/globalprotect-with-active-active-ha/m-p/230470#M66228</guid>
      <dc:creator>howardtopher</dc:creator>
      <dc:date>2018-09-11T18:24:43Z</dc:date>
    </item>
    <item>
      <title>Re: GlobalProtect with Active/Active HA</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/globalprotect-with-active-active-ha/m-p/386286#M90226</link>
      <description>&lt;P&gt;I'd love to see Palo Alto support / moderators monitor threads and add links to official documentation about such topics: Active/active firewall and global protect (and/or panorama). I'd appreciate documentation that provides supported configurations in all possible scenarios including this one.&lt;/P&gt;</description>
      <pubDate>Wed, 17 Feb 2021 06:51:28 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/globalprotect-with-active-active-ha/m-p/386286#M90226</guid>
      <dc:creator>Klaverblad</dc:creator>
      <dc:date>2021-02-17T06:51:28Z</dc:date>
    </item>
    <item>
      <title>Re: GlobalProtect with Active/Active HA</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/globalprotect-with-active-active-ha/m-p/1235733#M124934</link>
      <description>&lt;P&gt;Just to add an update to this post, here is how we got GlobalProtect working on an HA Active/Active pair, running PAN-OS &lt;SPAN&gt;11.1.4-h7&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;One portal (which gets synced/shared between the two firewalls).&amp;nbsp; It's on a floating IP that floats from firewall to firewall as needed.&lt;/LI&gt;
&lt;LI&gt;The subnet that the floating IP is in is advertised via two static routes, one each on the Active Primary and the Active Secondary. For example, if floating IP 192.168.1.20/29 is in 192.168.1.16/29, and the external eBGP neighbor is 10.1.1.10, then the next hop for those static routes is our upstream BGP peer. The Active Primary static route has metric 10 and the Active Secondary static route has metric 30. Both static routes are advertised internally via OSPF before being redistributed into BGP.&lt;/LI&gt;
&lt;LI&gt;The floating IP is assigned to the loopback.1 interface, and loopback.1 does not have an IP address of its own.&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN&gt;There are two gateways, one for each firewall.&amp;nbsp; The gateway IP is on a physical interface on each firewall; they are not floating.&amp;nbsp; &lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN&gt;Each gateway has its own block of IPs for VPN terminations.&amp;nbsp; &lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN&gt;The portal is configured to have both gateways with equal priority (let the client decide where to connect).&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN&gt;Source NAT is configured on each gateway for its own block of VPN termination IPs, from the VPN zone to the Inside zone and from the VPN zone to the Outside zone. Add the VPN zone to any other zones you may have, for access to those zones.&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN&gt;Add a firewall rule/policy that allows access to the portal IP on UDP 4501 and 443. Feel free to secure it with additional application filtering: panos-global-protect, ssl, web-browsing.&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;Good luck!&lt;/P&gt;</description>
      <pubDate>Fri, 08 Aug 2025 22:25:51 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/globalprotect-with-active-active-ha/m-p/1235733#M124934</guid>
      <dc:creator>M.Nguyen053341</dc:creator>
      <dc:date>2025-08-08T22:25:51Z</dc:date>
    </item>
  </channel>
</rss>
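The thread above turns on one routing fact: with a floating gateway and a single client pool, both firewalls carry a route for the pool toward their own tunnel interface, so a reply that the inside network hashes to the "other" member is dropped; giving each gateway its own pool (and, in the 2025 post, source-NATing each pool behind that firewall's own inside address) makes the reply land on the firewall that actually holds the tunnel. The following is an added example that models both designs, not code from Palo Alto Networks or from any poster in the thread. All addresses, pools, the inside router's routes and the ECMP tie-break are constructed for illustration and are not the thread's actual configuration.

```python
"""Return-path model for GlobalProtect on an Active/Active pair (added example).
Two firewall objects, a toy inside router doing longest-prefix match, and a
client request/reply traced through each design from the thread."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Firewall:
    """One A/A member. 'pool' is the client block its gateway hands out;
    'clients' holds pool IPs that currently have a tunnel on THIS firewall."""
    name: str
    inside_ip: str
    pool: ipaddress.IPv4Network
    snat: bool = False                               # source-NAT clients to inside_ip
    clients: set = field(default_factory=set)
    nat_table: dict = field(default_factory=dict)    # (inside_ip, port) -> client ip

    def connect(self, client_ip: str) -> None:
        assert ipaddress.ip_address(client_ip) in self.pool
        self.clients.add(client_ip)

    def forward(self, client_ip: str, server_ip: str, sport: int) -> dict:
        """Client -> server packet as it leaves this firewall's inside interface."""
        if self.snat:
            self.nat_table[(self.inside_ip, sport)] = client_ip
            return {"src": self.inside_ip, "dst": server_ip, "sport": sport}
        return {"src": client_ip, "dst": server_ip, "sport": sport}

    def handle_reply(self, pkt: dict) -> str:
        """Server -> client reply that the inside network delivered to this firewall."""
        dst = pkt["dst"]
        if dst == self.inside_ip:                    # undo SNAT first
            dst = self.nat_table.get((dst, pkt["dport"]))
            if dst is None:
                return "DROP: no NAT session"
        if ipaddress.ip_address(dst) in self.pool:   # route says: pool -> local tunnel interface
            return f"DELIVER to {dst}" if dst in self.clients else f"DROP: no tunnel for {dst}"
        return "DROP: no route"


def inside_router(routes, pkt: dict, ecmp_pick: int = 0):
    """Longest-prefix match; equal-length matches are an ECMP tie broken by ecmp_pick."""
    dst = ipaddress.ip_address(pkt["dst"])
    matches = [(net, fw) for net, fw in routes if dst in net]
    if not matches:
        return None
    best = max(net.prefixlen for net, _ in matches)
    candidates = [fw for net, fw in matches if net.prefixlen == best]
    return candidates[ecmp_pick % len(candidates)]


def run(fw1: Firewall, routes, client_ip: str, ecmp_pick: int = 0):
    """Client on fw1 talks to a constructed inside server 10.0.5.5; trace the reply."""
    fw1.connect(client_ip)
    req = fw1.forward(client_ip, "10.0.5.5", 40000)
    reply = {"src": req["dst"], "dst": req["src"], "dport": req["sport"]}
    fw = inside_router(routes, reply, ecmp_pick)
    return fw.name, fw.handle_reply(reply)


def shared_pool_scenario(ecmp_pick: int):
    """Floating gateway, one pool, pool route present on both firewalls."""
    pool = ipaddress.ip_network("172.16.0.0/24")
    fw1 = Firewall("fw1", "10.0.0.1", pool)
    fw2 = Firewall("fw2", "10.0.0.2", pool)
    routes = [(pool, fw1), (pool, fw2)]              # inside sees the pool via both members
    return run(fw1, routes, "172.16.0.10", ecmp_pick)


def per_gateway_pool_scenario(snat: bool):
    """Two gateways with disjoint pools; optionally SNAT each pool behind its own inside IP."""
    pool1 = ipaddress.ip_network("172.16.1.0/24")
    pool2 = ipaddress.ip_network("172.16.2.0/24")
    fw1 = Firewall("fw1", "10.0.0.1", pool1, snat=snat)
    fw2 = Firewall("fw2", "10.0.0.2", pool2, snat=snat)
    routes = [(pool1, fw1), (pool2, fw2),
              (ipaddress.ip_network("10.0.0.1/32"), fw1),
              (ipaddress.ip_network("10.0.0.2/32"), fw2)]
    return run(fw1, routes, "172.16.1.10")


if __name__ == "__main__":
    for pick in (0, 1):
        print("shared pool, reply hashed to path", pick, "->", shared_pool_scenario(pick))
    print("per-gateway pools, no SNAT ->", per_gateway_pool_scenario(False))
    print("per-gateway pools, SNAT    ->", per_gateway_pool_scenario(True))
```

Running it shows the shared-pool design working only when the inside network happens to hash the reply back to the firewall that owns the tunnel, while disjoint per-gateway pools deliver every reply because the longest-prefix match is no longer a tie; SNAT to the firewall's own inside address adds a second, independent reason the reply cannot land on the wrong member, which is why the 2025 post uses both.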

