topic Re: Multiple URL Global Protect Multiple FQDN in General Topics

Multiple URL Global Protect Multiple FQDN

ChrisGapske — Wed, 11 Dec 2019 16:31:35 GMT

We would like to use multiple URL's to access our Palo with Multiple LDAP authentication.

portal.company1.com

LDAP1

portal.company2.com

LDAP2

portal.company3.com

LDAP3

We could also do like

C1.company.com

LDAP1

C2company.com

LDAP2

C3company.com

LDAP3

Can anybody guide me to a solution so far support has not been super helpfull.

Another is portal.company

with authentication sequence but that requires more work for the users.

I am a little new to Palo could use help .

Re: Multiple URL Global Protect Multiple FQDN

athalman — Wed, 11 Dec 2019 16:46:09 GMT

I'm looking to do something similar. I have 2 Palo's both with a GP gateways setup and I'm thinking of using DNS roundrobin to hit either one of them using a single Portal URL company.domain.

Not sure if this is the best way to do it or not. But basically i want clients to only have to configure 1 Portal URL on the client and then hit either one of my palo's.

Re: Multiple URL Global Protect Multiple FQDN

ChrisGapske — Wed, 11 Dec 2019 16:51:17 GMT

You really want to do multiple gateways then ? This is sorta the other way around.

Re: Multiple URL Global Protect Multiple FQDN

athalman — Wed, 11 Dec 2019 16:57:11 GMT

Yes since I have 2 egress points in my network, each one with a Palo. In case of fail over or an outage at one location, i want my users to hit the other Palo and still have access to the network. I was hoping to achieve this by using a DNS entry with 2 ips pointing to each one of my Gateways. which would have the same name of course.

It's mainly going to be used during maintenance windows/outages really. Either Palo can handle all my VPN connections individually but i'm trying to give the highest VPN availability i can.

Re: Multiple URL Global Protect Multiple FQDN

ChrisGapske — Wed, 11 Dec 2019 17:01:02 GMT

You can do that too. When you use the gateway it allows for that as well as mulitple ip addresses and the client will do the work from there but ... The timeout might be a factor IDk

Re: Multiple URL Global Protect Multiple FQDN

Mick_Ball — Wed, 11 Dec 2019 17:01:53 GMT

@ChrisGapske

could you explain why you need seperate ldap auths for each company.

could you not just set an authentication order for all your ldap profiles and the user will auth to the correct one.

@athalman

this will work as a good RR solution but load balancing will not be guaranteed, do you not have a "Gateway" license.

Re: Multiple URL Global Protect Multiple FQDN

ChrisGapske — Wed, 11 Dec 2019 17:06:25 GMT

Even though we own each company we want them to have that feel.

Each company has its own AD.

I could possibly set an authentication order but than they have to login with like username@ADdomain.local

Also many times we have the same username at both companys.

Re: Multiple URL Global Protect Multiple FQDN

athalman — Wed, 11 Dec 2019 17:07:25 GMT

thanks @Mick_Ball I'm going to test it this Friday evening. I'll let you all know if it works out or not!

Thanks

Re: Multiple URL Global Protect Multiple FQDN

Mick_Ball — Wed, 11 Dec 2019 17:24:26 GMT

sorry i meant auth sequence.

so just add a new portal for each company, this will require an IP address for each one though.

then add LDAP profile to each portal. each portal will then have its own gateway on same ip address.

you can still use auth sequence on a single portal as it will try every ldap server until succesful.

also... ldap failed auth will not loch an account. you do not need to add domain info for this.

Re: Multiple URL Global Protect Multiple FQDN

aleksandar.astardzhiev — Mon, 16 Dec 2019 11:28:12 GMT

Hi @Mick_Ball,

Actually he (@ChrisGapske) need to have users typing domain along their username.

As you pointed out Authentication Sequence will try to authenticate a user from top to bottom. This could be a problem if you have exact same usernames in multiple domains.

Starting from 8.1 (or even 8.0 not sure exactly) authentication sequence have option to use the typed domain to determine which profile to use from the list and jump straight to it, instead of going top to bottom.

Use domain to determine authentication profile Select this option (selected by default) if you want the firewall to match the domain name that a user enters during login with the User Domain or Kerberos Realm of an authentication profile associated with the sequence and then use that profile to authenticate the user. The user input that the firewall uses for matching can be the text preceding the username (with a backslash separator) or the text following the username (with a @ separator). If the firewall does not find a match, it tries the authentication profiles in the sequence in top-to-bottom order.

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-web-interface-help/device/device-authentication-sequence.html

Re: Multiple URL Global Protect Multiple FQDN

Mick_Ball — Mon, 16 Dec 2019 11:39:34 GMT

yes of course but i think @ChrisGapske was hoping not to have the users adding the domain to the username.

perhaps if users exist on both domains the would have different passwords so authentication sequence would work.

if the passwords for both users were the same then why would that matter... they would still logon.