Multiple Global Protect gateways on same firewall

L2 Linker

Multiple Global Protect gateways on same firewall

I have a PA-3020 that will have two ISP connections. Primary ISP interface will be used for the Global Protect Portal and Primary Gateway using tunnel.1. Is it possible to have a second gateway using tunnel.2 on the same firewall using the secondary ISP interface? 

 

Also, if the Portal is only on the primary ISP interface and that connection is down making the Portal unreachable, will the GP Client still connect to the secondary Gateway?

L7 Applicator

Re: Multiple Global Protect gateways on same firewall

Yes you can have multiple gateways.

Just run it on the interface of a different ISP connection.

Clients should cache gateway information they get from portal so even if portal is down they try to connect to gateways they have in their cache.

Enterprise Architect @ Cloud Carib www.cloudcarib.com
ACE (3.0, 5.0, 6.0, 7.0), PCNSE (6, 7), PCNSI
L7 Applicator

Re: Multiple Global Protect gateways on same firewall

I know I have used the following to help me out in the past. It should be possible, but it's gonna take some whiteboarding to make it work properly.

 

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-a-Palo-Alto-Networks-Fi...

 

Hope this helps...

L2 Linker

Re: Multiple Global Protect gateways on same firewall

I was going to use PBF rules to manage the traffic. Would it be better to have two VRs to handle each ISP routing table?

L7 Applicator

Re: Multiple Global Protect gateways on same firewall

You can use just one, especially if you are using dynamic routing such as OSPF (I have had issues with this in the past without using physical interfaces). There are documents out there that show how to do this with one VR.

L2 Linker

Re: Multiple Global Protect gateways on same firewall

I ended up using two virtual routers and it was fine. The ISPs are set up as active/passive so the second gateway is used when the primary gateway is down.

 

 
