Multiple GlobalProtect Portals and Gateways


 

Let's talk about GlobalProtect and whether or not it's possible to have multiple portals and gateways.

 

Short answer: Yes, it is possible. Thank you! Like and subscribe.😉

 

Joking aside, let's dig a little deeper into this topic.

 

First, let me go over the different components. What's the difference between the portal and gateway exactly?

 

GlobalProtect Portal

The GlobalProtect portal provides the management functions for your GlobalProtect infrastructure. Every endpoint that participates in the GlobalProtect network receives configuration information from the portal, including information about available gateways as well as any client certificates that may be required to connect to the GlobalProtect gateway(s). In addition, the portal controls the behavior and distribution of the GlobalProtect app software to both macOS and Windows endpoints. (On mobile endpoints, the GlobalProtect app is distributed through the Apple App Store for iOS endpoints, Google Play for Android endpoints and Chromebooks, and the Microsoft Store for Windows 10 UWP endpoints.) If you are using the Host Information Profile (HIP) feature, the portal also defines what information to collect from the host, including any custom information you require. You can Set Up Access to the GlobalProtect Portal on an interface on any Palo Alto Networks next-generation firewall.

 

GlobalProtect Gateway

GlobalProtect gateways provide security enforcement for traffic from GlobalProtect apps. Additionally, if the HIP feature is enabled, the gateway generates a HIP report from the raw host data the apps submit and can use this information in policy enforcement. You can configure different Types of Gateways to provide security enforcement and/or virtual private network (VPN) access for your remote users, or to apply security policy for access to internal resources. You can Configure a GlobalProtect Gateway on an interface on any Palo Alto Networks next-generation firewall. You can run both a gateway and a portal on the same firewall, or you can have multiple distributed gateways throughout your enterprise.

OK, so now that you know about the different components, let's talk about what's required to have multiple portals/gateways. Those of you who've been working with our products a while might recall that additional licensing used to be required when you wanted to configure multiple portals. That's no longer the case. By default, you can deploy GlobalProtect portals and gateways without a license.

 

Note: Some advanced features still require a GlobalProtect license (annual subscription).

 

This license must be installed on each firewall running a gateway(s) that:

 
  • performs HIP checks
  • supports the GlobalProtect app for mobile endpoints
  • supports the GlobalProtect app for Linux endpoints
  • provides IPv6 connections

There are a few more features that require the GlobalProtect license.  You'll find the complete matrix on the About GlobalProtect Licenses page.

 

Having multiple portals saved in the app lets end users switch between portals without re-entering the portal address each time they connect. When a user launches the app, the most recently connected portal is pre-selected in the portal drop-down on the GlobalProtect status panel (the default behavior). To connect to a different portal, the user selects another portal from the drop-down. To add, delete, or modify a portal, the user selects Manage Portals from the portal drop-down, as illustrated below.

 
[Screenshot: the portal drop-down with the Manage Portals option]

 

 

When a user connects to the portal and is authenticated by the portal, the portal sends the agent configuration to the app, based on the settings you define. If you have different roles for users or groups that need specific configurations, you can create a separate agent configuration for each user type or user group. The portal uses the OS of the endpoint and the username or group name to determine which agent configuration to deploy. As with other security rule evaluations, the portal starts to search for a match at the top of the list. When it finds a match, the portal sends the configuration to the app.

 
 

The configuration can include the following:

 

  • A list of gateways to which the endpoint can connect.
     
  • Among the external gateways, any gateway that the user can manually select for the session as illustrated below:
 

 
[Screenshot: manual gateway selection in the GlobalProtect app]

 

Check Define the GlobalProtect Agent Configurations for a complete list of configurable agent options.

 

If a GlobalProtect portal agent configuration contains more than one gateway, the app attempts to communicate with all gateways listed in its agent configuration. The app uses the priority and response time to determine the gateway to which to connect. See how Gateway Priority in a Multiple Gateway Configuration is decided.
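To make the two selection steps described above concrete (the portal's top-down, first-match choice of an agent configuration by OS and user/group, and then the app's choice of a gateway from that configuration), here is a small model in Python. This is an added illustration, not GlobalProtect code. Its assumptions are labelled in the comments: an empty OS or user list in a configuration is treated as "match any", the gateway step simply takes the best priority tier among gateways that responded and breaks ties on response time, and "Manual only" gateways are excluded from automatic selection. The real app's weighting of priority against response time is documented in Gateway Priority in a Multiple Gateway Configuration; the sample configurations, hostnames and group names are constructed.

```python
"""Model of GlobalProtect agent-config matching and gateway selection.

Added example, not Palo Alto Networks code. Assumptions (not from the page):
- An empty os / users_or_groups set in an AgentConfig means "any".
- Gateway choice: drop "Manual only" gateways and gateways that did not
  respond, take the best priority tier, break ties on response time.
  This is a simplification of the documented priority/response-time logic.
"""
from dataclasses import dataclass
from typing import Optional

# Priority tiers as named in the portal agent config; lower rank is preferred.
PRIORITY_RANK = {"Highest": 0, "High": 1, "Medium": 2, "Low": 3, "Lowest": 4}
MANUAL_ONLY = "Manual only"


@dataclass(frozen=True)
class Gateway:
    name: str
    address: str
    priority: str                 # a PRIORITY_RANK key or MANUAL_ONLY
    response_ms: Optional[float]  # None = gateway did not answer the probe


@dataclass(frozen=True)
class AgentConfig:
    name: str
    os: frozenset = frozenset()               # empty = any OS (assumption)
    users_or_groups: frozenset = frozenset()  # empty = any user (assumption)
    gateways: tuple = ()


@dataclass(frozen=True)
class Endpoint:
    os: str
    username: str
    groups: frozenset


def config_matches(cfg: AgentConfig, ep: Endpoint) -> bool:
    """True if the endpoint's OS and user/group satisfy this config's match criteria."""
    if cfg.os and ep.os not in cfg.os:
        return False
    if cfg.users_or_groups and not (
        ep.username in cfg.users_or_groups or ep.groups & cfg.users_or_groups
    ):
        return False
    return True


def select_agent_config(configs, ep: Endpoint) -> Optional[AgentConfig]:
    """Top-down evaluation, first match wins, like a security rulebase."""
    for cfg in configs:
        if config_matches(cfg, ep):
            return cfg
    return None


def select_gateway(gateways) -> Optional[Gateway]:
    """Best priority tier among responding, non-manual gateways; fastest on ties."""
    candidates = [g for g in gateways
                  if g.priority != MANUAL_ONLY and g.response_ms is not None]
    if not candidates:
        return None
    return min(candidates, key=lambda g: (PRIORITY_RANK[g.priority], g.response_ms))


# Constructed sample portal configuration (hypothetical names and hosts).
CONTRACTORS = "cn=contractors,ou=groups,dc=example,dc=com"
EMPLOYEES = "cn=employees,ou=groups,dc=example,dc=com"

CONFIGS = (
    # Contractors on Windows/Mac only get a single DMZ gateway.
    AgentConfig("contractors", os=frozenset({"Windows", "Mac"}),
                users_or_groups=frozenset({CONTRACTORS}),
                gateways=(Gateway("gw-dmz", "gw-dmz.example.com", "Highest", 40.0),)),
    # Employees on any OS get several gateways; gw-east is down in this sample.
    AgentConfig("employees", users_or_groups=frozenset({EMPLOYEES}),
                gateways=(
                    Gateway("gw-east", "gw-east.example.com", "Highest", None),
                    Gateway("gw-west", "gw-west.example.com", "High", 95.0),
                    Gateway("gw-central", "gw-central.example.com", "High", 60.0),
                    Gateway("gw-lab", "gw-lab.example.com", MANUAL_ONLY, 5.0),
                )),
    # Catch-all at the bottom of the list, as with a security rulebase.
    AgentConfig("default",
                gateways=(Gateway("gw-west", "gw-west.example.com", "Highest", 95.0),)),
)


def resolve(ep: Endpoint, configs=CONFIGS):
    """Return (agent config name, auto-selected gateway name) for an endpoint."""
    cfg = select_agent_config(configs, ep)
    gw = select_gateway(cfg.gateways) if cfg else None
    return (cfg.name if cfg else None, gw.name if gw else None)


if __name__ == "__main__":
    print(resolve(Endpoint("Windows", "alice", frozenset({CONTRACTORS}))))
    print(resolve(Endpoint("Linux", "bob", frozenset({EMPLOYEES}))))
    print(resolve(Endpoint("Linux", "carol", frozenset({CONTRACTORS}))))
```

Note how order matters: a contractor on Linux falls past the contractors entry (wrong OS) and the employees entry (wrong group) to the catch-all, and an employee whose highest-priority gateway is down is sent to the fastest gateway in the next tier rather than to the manual-only lab gateway.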

 

Having multiple gateways can be a strategic decision. To provide secure access for your mobile workforce no matter where they are located, you can deploy additional Palo Alto Networks next-generation firewalls and configure them as GlobalProtect gateways:

 

 

GlobalProtect Multiple Gateway Topology

 

 

 

The illustration above shows a GlobalProtect Multiple Gateway topology use case. Check out GlobalProtect Multiple Gateway Configuration for a step-by-step configuration!

 

Even with all the documentation that's readily available about multiple portals/gateways, users still might have questions on the topic.  Below are some of the more popular discussions on the topic:

 

Join the discussions, share your knowledge, ask your questions!

 

Thanks for taking time to read this blog.
Don't forget to Like (thumbs up) and subscribe to the LIVEcommunity Blog area.

 

Kiwi out!

 
7 Comments
Cyber Elite

Just a heads-up that the Windows 10 UWP agent is a "mobile" client, so requires a license, the regular installer does not.

 

 

 

L0 Member

Hi, firstly thanks for the info.

Can we have multiple portals associated to the same exact interface (same IPv4 address)? Of course using different URLs to differentiate each portal. For example, it is useful if you have only one IPv4 public IP address and you need to segregate services for whatever reason.

L0 Member

I would also be interested to find out if this is possible.

L1 Bithead

We are doing this, except while both trusted networks are on different campuses, they are also connected via a direct link. We have multiple ISPs at both sites with PAs. Both PAs are participating in OSPF for internal traffic, and to route VPN to LAN traffic. The portal is on the PA at the side with more available bandwidth, with a gateway on both PAs allowing VPN traffic. We set the GlobalProtect agents to "Best Available", so that with OSPF means one campus could lose internet and the users at either end wouldn't even know. Love it.

L1 Bithead

Quick question, is it possible to run GlobalProtect on an interface that is also used to terminate a site-to-site VPN?

L0 Member

Is multiple portals & switching supported in Linux client?

L0 Member

For multiple gateways and a single portal, I'm just confused as to what certificate to use.

 

We have a public cert we use in the portal and selected that in the SSL/TLS service profile.

Created a CA in the firewall where the portal is configured, created certificates for the gateways signed by the CA and imported them to the gateways. Should I use that imported self-signed CA in the SSL/TLS service profile of the firewall with just the gateway configured? If so, it will be different from the SSL/TLS service profile on the firewall with the portal configured. Will that work? I'm confused on this part.
