GlobalProtect External Gateway Priority by Source Location

Created On 09/25/18 19:02 PM - Last Modified 08/03/20 22:39 PM


Symptom


GlobalProtect can consider the source region of the connecting device when selecting the best gateway to connect to. For this feature, GlobalProtect client version 4.0 or later is required.

  • GlobalProtect client tests gateway response time for each gateway before deciding which one to connect to.
  • If the 'closest' gateway (gateway with the shortest network round-trip time) is momentarily busy, the GlobalProtect client may choose a more distant gateway to connect to.
  • This choice of gateway may introduce unwanted delay and poor performance for some corporate applications (e.g., voice).


Environment


  • PAN-OS 8.0
  • GlobalProtect client 4.0


Resolution


Solution

  • Consider the source region of the connecting device (GlobalProtect client) when determining the best gateway to connect to:
    • Filter the list of available gateways based on client's region.
    • Assign priority based on the connecting device's region to each eligible gateway and use this priority in the gateway selection process on the client.

 

Use cases include scenarios where...

  • The IT team wants to enforce users from a given region to connect only to dedicated gateways from that region.
  • The IT team rolls out an enterprise phone app to all its users and, for the best call experience, wants to ensure that users are connected to regional gateways.

 

Feature description

  • Pre-PAN-OS 8.0: GlobalProtect client receives a list of gateways, each gateway with a single priority, and performs the best gateway selection based on priorities and response times.
  • Now with PAN-OS 8.0: GlobalProtect client receives a list of gateways, each gateway has multiple priorities, one per (configured) region.
  • Also with PAN-OS 8.0: GlobalProtect client determines the region it connects from, and uses this information to determine which priority of each gateway to use. Some gateways may not be eligible for selection.

 

Gateway priorities

 

Priority Value    Priority Name
0                 Manual Only
1                 Highest
2                 High
3                 Medium
4                 Low
5                 Lowest
6                 None

 

 

PAN-OS 7.1 XML code

 

gateways {
   external {
      list {
         192.168.2.1 {
            manual no;
            priority 1;
         }
      }
   }
}

 

 

PAN-OS 8.0 XML code

 

gateways {
   external {
      list {
         ExtGW {
            ip {
               ipv4 192.168.2.1;
            }
            priority-rule {
               US {
                  priority 1;
               }
               NL {
                  priority 6;
               }
               Any {
                  priority 5;
               }
            }
            manual no;
         }
      }
   }
} 

 

Gateway selection

  • During portal pre-login, the portal knows the client's IP address and returns the client's region in the pre-login response.
    • PanGPS.log:

 

(T3024) 09/22/16 14:23:40:441 Debug(4694): prelogin to portal result is
<?xml version="1.0" encoding="UTF-8" ?>
<prelogin-response>
<status>Success</status>
<ccusername></ccusername>
<autosubmit>false</autosubmit>
<msg></msg>
<authentication-message>Enter login credentials</authentication-message>
<panos-version>1</panos-version><region>NL</region>
</prelogin-response>

 

  • The client caches this information (region), in case the cached portal config should be used some time in the future.
  • During portal GetConfig, the portal sends the list of gateways, with the corresponding pairs region:priority to the client.
  • Client uses region info to filter and prioritize the list of gateways returned from the portal.

 

Limitations

  • Identifying the connecting device's region may not be reliable if the connection to the portal goes via a proxy.
  • Region determination may also be incorrect if the firewall performs source NAT on the traffic to the GlobalProtect portal.
  • GlobalProtect client version 4.0 or later is required.

 

Compatibility considerations

  • For backward compatibility, the portal sends two "sets" of parameters in the gateway configurations:
    • one with the complete priority rules per region (used by 4.0 clients)
    • one with a single priority per gateway (used by clients 3.1 and below)
      • priority value is taken from the first rule
  • If the feature is globally disabled, the portal does not send region information to the (4.0) client, and the client falls back to 3.1 behavior and ignores the priority rules.

 

GlobalProtect Portal Configuration - Agent config

 

Figure: GlobalProtect Portal Configuration (screenshot)

  1. For each region, a separate priority can be assigned.
  2. There's a special region, 'Any', that matches any region not specifically configured. If there's no 'Any' region configured, and the client connects from a region not configured in the priority rules, the gateway will not be considered in the gateway selection process on the client.
  3. If any of the priorities is set to 'Manual only', then the Manual checkbox is automatically checked and greyed out.
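The client-side selection described under "Gateway selection" and the 'Any' region rule above, as an added Python example (not Palo Alto Networks code): it reads the region from the pre-login response shown in the PanGPS.log excerpt, filters each gateway's priority rules for that region with 'Any' as fallback, and ranks the eligible gateways by priority and then response time. The gateway names other than ExtGW, the response times, and the decision to exclude 'None' (6) as well as 'Manual Only' (0) from automatic selection are assumptions for the sake of the example.

```python
import xml.etree.ElementTree as ET

# Priority values from the table above; lower is better.
MANUAL_ONLY, NONE = 0, 6

# Pre-login response copied from the PanGPS.log excerpt on this page.
PRELOGIN_RESPONSE = b"""<?xml version="1.0" encoding="UTF-8" ?>
<prelogin-response><status>Success</status><ccusername></ccusername>
<autosubmit>false</autosubmit><msg></msg>
<authentication-message>Enter login credentials</authentication-message>
<panos-version>1</panos-version><region>NL</region></prelogin-response>"""

# Constructed gateway list: ExtGW mirrors the PAN-OS 8.0 config above; the
# other two gateways and all response times are made up for this example.
GATEWAYS = {
    "ExtGW":    {"US": 1, "NL": 6, "Any": 5},
    "ExtGW-NL": {"NL": 1, "Any": 5},
    "ExtGW-DE": {"DE": 1},            # no 'Any': ineligible outside DE
}
RTT_MS = {"ExtGW": 20, "ExtGW-NL": 35, "ExtGW-DE": 10}

def region_from_prelogin(xml_bytes):
    """Return the <region> the portal sent, or None on a failed pre-login."""
    root = ET.fromstring(xml_bytes)
    if root.tag != "prelogin-response" or root.findtext("status") != "Success":
        return None
    return root.findtext("region")

def effective_priority(rules, region):
    """Explicit rule for the region first, then 'Any', else None (not eligible)."""
    return rules[region] if region in rules else rules.get("Any")

def legacy_priority(rules):
    """Single priority sent to 3.1-and-older clients: value of the first rule."""
    return next(iter(rules.values()))

def select_gateway(gateways, region, rtt_ms):
    """Filter by region, then pick the lowest (priority, response time)."""
    candidates = []
    for name, rules in gateways.items():
        prio = effective_priority(rules, region)
        if prio is None or prio in (MANUAL_ONLY, NONE):   # assumption for 'None'
            continue
        candidates.append((prio, rtt_ms.get(name, float("inf")), name))
    return min(candidates)[2] if candidates else None

if __name__ == "__main__":
    region = region_from_prelogin(PRELOGIN_RESPONSE)
    print(region, "->", select_gateway(GATEWAYS, region, RTT_MS))
```

With the region NL from the log, ExtGW is skipped because its NL rule is 'None', and ExtGW-NL wins; a client from an unconfigured region such as FR falls through to the 'Any' rules and the lower response time decides.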

Figure: External Gateway (screenshot)

 

Configuration (CLI)

 This feature, enabled by default, can be globally disabled.

 

Disabling and enabling the feature:

admin@myNGFW> configure
Entering configuration mode
[edit]
admin@myNGFW# set deviceconfig setting global-protect enable-external-gateway-priority no
[edit]
admin@myNGFW# set deviceconfig setting global-protect enable-external-gateway-priority yes

When disabled, the portal does not send region information to the clients. 

 

Changes to system log

As the screenshot below indicates, the system log will indicate which source region was selected when you connect via GlobalProtect.

 

Figure: System log (screenshot)

 


