Multiple URL Global Protect Multiple FQDN

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Multiple URL Global Protect Multiple FQDN

L1 Bithead

We would like to use multiple URL's to access our Palo with Multiple LDAP authentication.

 

portal.company1.com 

LDAP1

 

portal.company2.com

LDAP2

 

portal.company3.com

LDAP3

 

We could also do like 

 

C1.company.com

LDAP1

C2company.com

LDAP2

C3company.com

LDAP3

 

Can anybody guide me to a solution so far support has not been super helpfull. 

 

Another is portal.company 

 

with authentication sequence but that requires more work for the users. 

 

I am a little new to Palo could use help . 

10 REPLIES 10

L1 Bithead

I'm looking to do something similar. I have 2 Palo's both with a GP gateways setup and I'm thinking of using DNS roundrobin to hit either one of them using a single Portal URL company.domain. 

 

Not sure if this is the best way to do it or not. But basically i want clients to only have to configure 1 Portal URL on the client and then hit either one of my palo's.

 

 

You really want to do multiple gateways then ?  This is sorta the other way around. 

Yes since I have 2 egress points in my network, each one with a Palo. In case of fail over or an outage at one location, i want my users to hit the other Palo and still have access to the network. I was hoping to achieve this by using a DNS entry with 2 ips pointing to each one of my Gateways. which would have the same name of course.

 

It's mainly going to be used during maintenance windows/outages really. Either Palo can handle all my VPN connections individually but i'm trying to give the highest VPN availability i can. 

You can do that too. When you use the gateway it allows for that as well as mulitple ip addresses and the client will do the work from there but ... The timeout might be a factor IDk 

@ChrisGapske 

could you explain why you need seperate ldap auths for each company.  

 

could you not just set an authentication order for all your ldap profiles and the user will auth to the correct one.  

 

@athalman 

this will work as a good RR solution but load balancing will not be guaranteed, do you not have a "Gateway" license.

Even though we own each company we want them to have that feel. 

Each company has its own AD. 

 

I could possibly set an authentication order but than they have to login with like username@ADdomain.local 

 

Also many times we have the same username at both companys. 

 

thanks @Mick_Ball I'm going to test it this Friday evening. I'll let you all know if it works out or not!

 

Thanks

sorry i meant auth sequence.

 

so just add a new portal for each company, this will require an IP address for each one though.

then add LDAP profile to each portal. each portal will then have its own gateway on same ip address.

 

you can still use auth sequence on a single portal as it will try every ldap server until succesful.

also... ldap failed auth will not loch an account. you do not need to add domain info for this.

 

 

Hi @Mick_Ball,

 

Actually he (@ChrisGapske) need to have users typing domain along their username.

As you pointed out Authentication Sequence will try to authenticate a user from top to bottom. This could be a problem if you have exact same usernames in multiple domains.

 

Starting from 8.1 (or even 8.0 not sure exactly) authentication sequence have option to use the typed domain to determine which profile to use from the list and jump straight to it, instead of going top to bottom.

 

Use domain to determine authentication profile
	
Select this option (selected by default) if you want the firewall to match the domain name that a user enters during login with the User Domain
or Kerberos Realm
of an authentication profile associated with the sequence and then use that profile to authenticate the user. The user input that the firewall uses for matching can be the text preceding the username (with a backslash separator) or the text following the username (with a @ separator). If the firewall does not find a match, it tries the authentication profiles in the sequence in top-to-bottom order.

 https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-web-interface-help/device/device-authentication-...

 

 

yes of course but i think @ChrisGapske was hoping not to have the users adding the domain to the username.

 

perhaps if users exist on both domains the would have different passwords so authentication sequence would work.

 

if the passwords for both users were the same then why would that matter...   they would still logon.

  • 7375 Views
  • 10 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!