GlobalProtect Client Issues with Multiple ISPs

36722
Created On 09/25/18 20:34 PM - Last Modified 08/05/19 20:36 PM


Issue

GlobalProtect clients connect through one ISP, but their traffic going back out to the internet is routed through the other ISP.

Resolution

Topology

The firewall has two ISPs (Primary and Secondary). ISP A is connected on Ethernet 1/1 and ISP B is connected on Ethernet 1/2. The GlobalProtect client is configured to connect to the primary interface, Ethernet 1/1.

7-12-2012 9-44-01 AM.png

Details

The VPN client's tunnel IP address comes from the pool associated with the primary ISP. When a client packet arrives on the tunnel interface, source NAT is applied according to the NAT policy written for the primary ISP, so the packet leaves with the Ethernet 1/1 public IP as its source address. The virtual router, however, forwards the packet according to its static default route, which points out Ethernet 1/2. The server on the internet therefore receives a packet sourced from the Ethernet 1/1 address and routes its replies accordingly, i.e. back to Ethernet 1/1, so the outbound and return paths use different ISPs.

Resolution

Configure two virtual routers like this:

  • VR1: Ethernet 1/1 (Primary ISP), tunnel.x (SSLVPN Zone)

7-12-2012 10-02-00 AM.png

  • VR2: Ethernet 1/2 (Secondary ISP), Ethernet 1/3 (Trust Zone)

7-12-2012 10-02-37 AM.png

  • Here is how the interfaces should look:

7-12-2012 10-03-25 AM.png

7-12-2012 10-04-36 AM.png

  • Create a Policy Based Forwarding (PBF) rule in VR2 that sends Trust Zone traffic out through VR1, and keep VR2's default route through Ethernet 1/2 as the backup path, as shown below:

7-12-2012 10-05-26 AM.png

7-12-2012 10-06-37 AM.png

  • VR1 has a default route to the internet through Ethernet 1/1. GlobalProtect/SSL clients connect to VR1 on tunnel.x, and their traffic is then routed according to the default route configured on VR1.

Note: Make sure to have a different zone for the tunnel interfaces so that they do not mix with the Trust zone on VR2.

  • Add the security and NAT policies accordingly. SSLVPN client traffic then goes to the internet using the Primary ISP, the same ISP whose address it is NAT'd to.
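The configuration the steps above describe, written out as PAN-OS set-format CLI. This is an added example, not configuration taken from the article or its screenshots, and it assumes names that the article does not give: zones Untrust-A, Untrust-B, Trust and SSLVPN, virtual routers VR1 and VR2, tunnel interface tunnel.1, and ISP gateway addresses 203.0.113.1 and 198.51.100.1 (constructed placeholders from the RFC 5737 documentation ranges). The lines beginning with # are explanatory and must be dropped before pasting; verify the command syntax against the PAN-OS release in use.

```panos
# Added example, not the article's own configuration. All names and addresses are assumptions.

# Zones: the tunnel interface gets its own zone so it never shares the Trust zone on VR2
set zone Untrust-A network layer3 ethernet1/1
set zone Untrust-B network layer3 ethernet1/2
set zone Trust network layer3 ethernet1/3
set zone SSLVPN network layer3 tunnel.1

# VR1: primary ISP plus the GlobalProtect tunnel; default route out ethernet1/1
set network virtual-router VR1 interface [ ethernet1/1 tunnel.1 ]
set network virtual-router VR1 routing-table ip static-route Default-ISP-A destination 0.0.0.0/0 interface ethernet1/1 nexthop ip-address 203.0.113.1

# VR2: secondary ISP plus the Trust interface; default (backup) route out ethernet1/2
set network virtual-router VR2 interface [ ethernet1/2 ethernet1/3 ]
set network virtual-router VR2 routing-table ip static-route Default-ISP-B destination 0.0.0.0/0 interface ethernet1/2 nexthop ip-address 198.51.100.1

# PBF: Trust traffic entering VR2 is forwarded out the primary ISP interface owned by VR1;
# traffic the rule does not match falls back to VR2's default route via ethernet1/2
set rulebase pbf rules PBF-Trust-via-ISP-A from zone Trust
set rulebase pbf rules PBF-Trust-via-ISP-A source any destination any application any service any
set rulebase pbf rules PBF-Trust-via-ISP-A action forward egress-interface ethernet1/1 nexthop ip-address 203.0.113.1

# NAT: translate to the address of the interface the packet actually leaves on,
# so the source IP the internet sees and the egress ISP always agree
set rulebase nat rules NAT-SSLVPN-ISP-A from SSLVPN to Untrust-A source any destination any service any source-translation dynamic-ip-and-port interface-address interface ethernet1/1
set rulebase nat rules NAT-Trust-ISP-A from Trust to Untrust-A source any destination any service any source-translation dynamic-ip-and-port interface-address interface ethernet1/1
set rulebase nat rules NAT-Trust-ISP-B from Trust to Untrust-B source any destination any service any source-translation dynamic-ip-and-port interface-address interface ethernet1/2

# Security: allow the tunnel zone and the Trust zone out to the internet zones
set rulebase security rules Allow-SSLVPN-Out from SSLVPN to Untrust-A source any destination any application any service application-default action allow
set rulebase security rules Allow-Trust-Out from Trust to [ Untrust-A Untrust-B ] source any destination any application any service application-default action allow
```

The point of the three NAT rules is the mismatch described in the Details section: each rule is keyed to an egress zone and translates to that zone's own interface address, so a packet can no longer leave Ethernet 1/2 carrying the Ethernet 1/1 address. If ISP A goes down, a PBF path-monitoring profile on the PBF rule lets Trust traffic drop back to VR2's default route through Ethernet 1/2, where the NAT-Trust-ISP-B rule applies.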

owner: kalavi



Article URL: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cli1CAC&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail