02-28-2025 05:37 PM - edited 02-28-2025 05:38 PM
On our PA-1410 under Network - GlobalProtect - Portals - each of our portals (one on each interface for each ISP) - Agent - Agent Config - External Gateway I added gp2.domain.com to go along with gp.domain.com.
I was thinking (hoping) that would update the GlobalProtect client to add the gp2.domain.com to the GlobalProtect client as a failover just in case gp.domain.com was not reachable. Don't care about load balancing the GP clients, just adding a level of redundancy to the client side.
I don't think I am doing this right and figure there is another way to add a failover portal. Where should I be adding that? Or do I need to do something with the client on each machine?
Thanks for any pointers!
03-01-2025 11:08 AM - edited 03-01-2025 11:10 AM
You create only 1 portal.
Run it on DMZ interface (2x ISP IPs natted to that DMZ IP tcp/80, tcp/443 and udp/4501).
If your users are OK with adding https:// manually in front of the portal address to access the portal, then 80 is not needed. Otherwise Palo will automatically redirect 80 to 443.
Set up 2 A records pointing to 2 different ISP IPs (so DNS resolution gives back 2 IPs for same portal).
Agent picks one of those IPs randomly to connect to portal.
For gateways you set up 2 separate DNS records:
vpn-isp1.company.com
vpn-isp2.company.com
Run gateway on same DMZ portal natting public IPs to DMZ IP.
Portal config hands out 2 gateways to agents.
Agents perform latency test and connect through ISP that is closer by.
03-03-2025 08:19 AM
Appreciate the answer. I have inherited this set up, so all that configuration sounds a bit daunting! Is there anything I can do with the current setup to get the client to add another gateway? Maybe just add another DNS entry externally?
03-03-2025 08:41 AM
Gateways can be added under:
Network > GlobalProtect > Portals > Portal-Name > Agent > Agent-config-name > External
03-03-2025 12:42 PM
Thank you. I will give that a shot and see how it goes.
03-04-2025 01:16 PM
I run two portals, each on its own ISP interface and routing tables, with multiple Gateways as well. That way you can have different config options on different Portals/Gateways and redirect clients to one or the other based on demand. It also allows you to have test Portals/Gateways for new configs without disturbing active clients.
03-04-2025 03:28 PM
I added the additional external portals on the PA-1410 but am not seeing it on the client. Unless I am not looking in the right place...
If I go to settings in GP, I see just a single portal listed.
Should I just have 2x A entries in DNS for gp.domain.com instead?
03-04-2025 04:18 PM
You need to add the second portal from the GP client on the PC. Click the GP client in the taskbar to open it, click the menu icon in the upper-right corner and select "Settings"; under the Connections section, choose Manage Portals and click the plus icon to add another Portal. Then you will be able to select the second Portal from the GP client Portal dropdown. You can also push these from a GPO/startup settings, but it's a bit of a pain after the fact.
Or you could do dual Portal A records and use a single name. Both Portals will need a security certificate with the hostname matching the A record.
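The single-name design described in the two replies above (one portal name with two A records, one per ISP, and a certificate on each portal whose SANs match that name) is easy to get half right: DNS hands back both IPs, but only one of the two listeners has a certificate covering the name, so roughly half of agent connections fail. The script below is an added check, not Palo Alto or LIVEcommunity code: it resolves every A record behind the portal name, opens TLS to each IP with SNI set to the portal name, and reports whether the leaf certificate's DNS SANs cover it. `gp.domain.com` and the SAN lists are placeholders taken from or modelled on the thread; the wildcard rule (one leftmost label only) is the standard one.

```python
"""Check that every A record behind a GlobalProtect portal name presents a
certificate covering that name. Added example; not Palo Alto code.
Host names below are placeholders from the thread (gp.domain.com)."""
import socket
import ssl
from typing import Iterable, List, Tuple


def cert_covers_hostname(san_names: Iterable[str], hostname: str) -> bool:
    """True if any DNS SAN matches hostname: exact (case-insensitive) or a
    single-label wildcard such as *.domain.com covering gp.domain.com."""
    host = hostname.rstrip(".").lower()
    host_labels = host.split(".")
    for san in san_names:
        san = san.rstrip(".").lower()
        if san == host:
            return True
        if san.startswith("*."):
            san_labels = san.split(".")
            # A wildcard replaces exactly one leftmost label; it does not
            # cover the bare domain or names with extra labels.
            if len(san_labels) == len(host_labels) and san_labels[1:] == host_labels[1:]:
                return True
    return False


def resolve_a_records(hostname: str) -> List[str]:
    """All IPv4 addresses behind the name (one per ISP in the thread's design)."""
    infos = socket.getaddrinfo(hostname, 443, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def san_names_from_cert(cert: dict) -> List[str]:
    """Extract DNS entries from the subjectAltName tuple ssl.getpeercert() returns."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def check_portal_ip(hostname: str, ip: str, timeout: float = 5.0) -> Tuple[bool, str]:
    """Connect to one IP with SNI=hostname, let the default context verify the
    chain, then confirm the leaf's SANs cover the portal name."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # name check is done below so it can be reported per IP
    try:
        with socket.create_connection((ip, 443), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
    except (OSError, ssl.SSLError) as exc:
        return False, f"{ip}: TLS/connect failure: {exc}"
    sans = san_names_from_cert(cert)
    if cert_covers_hostname(sans, hostname):
        return True, f"{ip}: certificate covers {hostname} (SANs: {sans})"
    return False, f"{ip}: certificate does NOT cover {hostname} (SANs: {sans})"


def check_portal(hostname: str) -> List[Tuple[str, bool, str]]:
    """Run the per-IP check for every A record; an agent may land on any of them."""
    return [(ip, *check_portal_ip(hostname, ip)) for ip in resolve_a_records(hostname)]


if __name__ == "__main__":
    import sys
    # Placeholder portal name from the thread; pass your own as the first argument.
    name = sys.argv[1] if len(sys.argv) > 1 else "gp.domain.com"
    for _ip, ok, detail in check_portal(name):
        print("OK  " if ok else "FAIL", detail)
```

Run it from outside the network against the portal name; a FAIL on one IP while the other passes is exactly the split-brain the second reply warns about, since the agent picks an address at random. The same check applies to the per-ISP gateway names (`vpn-isp1.company.com`, `vpn-isp2.company.com`) from the earlier reply, each of which should resolve to one ISP IP with a matching certificate.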
03-05-2025 08:18 AM
This solution adds an additional "Change Gateway" dropdown.
If it is not visible it means your agent has not refreshed config from portal yet.
Click on hamburger menu in GlobalProtect agent (3 lines top right) and choose "Refresh Connection" to force config sync from portal to agent.
Adding second portal is more cumbersome to the user but can be done from agent itself if needed.