https://live.paloaltonetworks.com/t5/general-topics/global-protect-firewall-behavior-after-reaching-max-users/m-p/310631#M80443 <P>Great explanation <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/9981">@Mick_Ball</a>&nbsp;. Thank you so much for your help.&nbsp;</P> Tue, 11 Feb 2020 17:24:11 GMT SuryaR 2020-02-11T17:24:11Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-firewall-behavior-after-reaching-max-users/m-p/310408#M80376 <P>Hello Community,</P><P>&nbsp;</P><P>Looking for more details on firewall behavior after reaching max-users limit on Global protect.</P><P>&nbsp;</P><P>For example, Assume a portal with 4 gateways in different regions. If one of the gateway(Lets assume PA-3020) which has capacity of 1024 concurrent connections, reached its maximum limit.&nbsp; what will happen if user 1025 tries to reach 3020 during latency calculations.</P><P>Will GP client receive a response to TLS/SSL negotiation or will it not respond to the request.&nbsp;</P><P>&nbsp;</P><P>Looking for details. Tried to find more details but no luck. Any help is appreciated.</P> Mon, 10 Feb 2020 17:31:53 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-firewall-behavior-after-reaching-max-users/m-p/310408#M80376 SuryaR 2020-02-10T17:31:53Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-firewall-behavior-after-reaching-max-users/m-p/310417#M80377 <P>the ssl handshake still takes place and the gateway is still given the same priority, so if the user tries to connect then the below happens and the next gateway in the priority is used.</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="1024.jpg" style="width: 839px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/23884iA8982130E4DB507F/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="1024.jpg" alt="1024.jpg" /></span></P> Mon, 10 Feb 2020 17:47:31 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-firewall-behavior-after-reaching-max-users/m-p/310417#M80377 Mick_Ball 2020-02-10T17:47:31Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-firewall-behavior-after-reaching-max-users/m-p/310419#M80379 <P>Great. Thank you for quick response.&nbsp;</P><P>&nbsp;</P><P>Couple of questions.&nbsp;</P><P>If user-authentication is transparently happening(lets assume certs are being used), then users will not see "authentication failed" message and move forward with associating to next gateway. ?</P><P>If gateways are doing second factor (token for example), then would that 1025th user, who reaches an already maxed-out gateway, see an option to enter 2fa-token (or) not.?</P><P>If yes, and 2FA-input is provided, will the user then see an "authentication failed" message from the maxed-out gateway and then GP-client will move on to next gateway.?&nbsp;</P><P>&nbsp;</P><P>Please let me know if I am not clear.</P><P>&nbsp;</P><P>Thanks Again.&nbsp;</P><P>-Surya</P> Mon, 10 Feb 2020 18:25:48 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-firewall-behavior-after-reaching-max-users/m-p/310419#M80379 SuryaR 2020-02-10T18:25:48Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-firewall-behavior-after-reaching-max-users/m-p/310521#M80400 <P>Yes you are correct regarding certificate auth. &nbsp;As user has no input.</P><P>this will be the same for 2fa to the portal with authentication override cookies to the gateways.</P><P>&nbsp;</P><P>I’m not sure regarding 2fa to the gateway as we don't use it but going by the system logs i would guess that the auth will be accepted but then the gateway will fail as above it’s limit, the user would then be asked to re auth to next gateway.</P><P>&nbsp;</P><P>if any of our devices max out i will test this theory but it may be a while and somebody else may have the answer.</P><P>&nbsp;</P><P>i cannot understand why a gateway would offer itself as available when over its limit. Perhaps that needs to be requested or perhaps they should be monitored better to prevent such an event. We use PRTG and API’s for this but setting gateway priorities is still done manually.</P><P>&nbsp;</P> Tue, 11 Feb 2020 05:30:11 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-firewall-behavior-after-reaching-max-users/m-p/310521#M80400 Mick_Ball 2020-02-11T05:30:11Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-firewall-behavior-after-reaching-max-users/m-p/310631#M80443 <P>Great explanation <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/9981">@Mick_Ball</a>&nbsp;. Thank you so much for your help.&nbsp;</P> Tue, 11 Feb 2020 17:24:11 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-firewall-behavior-after-reaching-max-users/m-p/310631#M80443 SuryaR 2020-02-11T17:24:11Z