GP and Multiple Gateways

L1 Bithead

GP and Multiple Gateways

I get from the documentation that GP client can automatically detect the best GP Gateway to connect to via response times.

Does anyone know the exact process the GP client uses to connect to a deployment with multiple gateways?

In this case we have one GP Portal and Gateway on the same FW on the east coast, and have a second Gateway on the West coast.

We are finding that East coast users sometimes connect to the West coast GW and other times to East coast GW.

How can we configure this so GP clients located in the east will always connect to the East coast GW (when it's operational) and that GP clients located on the west coast will connect to the West coast GW (when operational)?

thanks

L5 Sessionator

Re: GP and Multiple Gateways

The GP Gateway selection process is mentioned on pages 30, 39 and 48 of the following doc: https://live.paloaltonetworks.com/docs/DOC-2020

L1 Bithead

Re: GP and Multiple Gateways

Thanks. Read through the document. Good high-level overview.
Looking for details and specifics. Thanks again for taking the time to respond. Will keep searching for technical details on this.

L2 Linker

Re: GP and Multiple Gateways

Best way to see how the gateway choice is made is to look in the PanGPS log on the client (in the GlobalProtect directory - enable debug mode in advanced settings in the client) - we have a multi-gateway setup & find that there's little difference in response times between our London & Amsterdam gateways so users get connected to one or the other fairly randomly.

If you are using authentication against AD you can set up groups for your EastCoast & WestCoast people, then use those groups in your GP Portal config (Client Config) to give lower priority to the gateway you want them to use by default. I have an AD group for the few London users that must have a London connection & then a client config for that group only which has a priority of 1 for the London Gateway & priority of 5 for Amsterdam. That seems to be enough to get them to connect to London unless it's down completely for update or something of that nature, in which case they fail over to Amsterdam GW. Users who are not a member of that group are picked up by a second client config rule which has the same gateways but with no differences in the priorities.

Helps?
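The group-based setup described in the reply above, as an added sketch that is not part of the thread and is not GlobalProtect code: a simplified model of first-match client configs, priority tiers and failover. The selection rule (lowest priority number among reachable gateways, then fastest response), the group names, gateway names and timings are all assumptions made for illustration.

```python
# Simplified model of the selection behaviour described in this thread.
# Not GlobalProtect code; every name and number here is constructed.
from dataclasses import dataclass

@dataclass
class Gateway:
    name: str
    priority: int        # lower number = preferred, as in the reply above
    response_ms: float   # response time measured by the client
    up: bool = True

def match_config(user_groups, configs):
    """Return the gateway list of the first client config whose group matches.
    A config with group None matches any user (the catch-all rule)."""
    for group, gateways in configs:
        if group is None or group in user_groups:
            return gateways
    raise LookupError("no client config matches this user")

def pick_gateway(user_groups, configs):
    """Among reachable gateways, take the best priority tier, then the fastest."""
    candidates = [g for g in match_config(user_groups, configs) if g.up]
    if not candidates:
        return None
    best = min(g.priority for g in candidates)
    tier = [g for g in candidates if g.priority == best]
    return min(tier, key=lambda g: g.response_ms).name

def build_configs(east_ms, west_ms, east_up=True, west_up=True):
    """Constructed portal config: one rule per AD group plus a catch-all."""
    def gws(east_prio, west_prio):
        return [Gateway("east-gw", east_prio, east_ms, east_up),
                Gateway("west-gw", west_prio, west_ms, west_up)]
    return [("EastCoast", gws(1, 5)),
            ("WestCoast", gws(5, 1)),
            (None, gws(1, 1))]   # equal priority: response time decides

if __name__ == "__main__":
    # East-coast user whose measured times happen to favour the west gateway.
    cfg = build_configs(east_ms=48.0, west_ms=45.0)
    print(pick_gateway({"EastCoast"}, cfg))    # pinned to east by priority
    print(pick_gateway({"Contractors"}, cfg))  # catch-all rule, fastest wins
    cfg = build_configs(48.0, 45.0, east_up=False)
    print(pick_gateway({"EastCoast"}, cfg))    # east down, falls over to west
```

In this model the catch-all rule reproduces the near-random choice seen when response times are close, while the group rules keep users on their regional gateway until it is unreachable.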
