Best way to load balance to ISP with Global Protect

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Best way to load balance to ISP with Global Protect

L1 Bithead

We have an active/passive 3020 and in from of them we have an A10 Load balancers. We want to change our current configuration so we can have a load balance between our two ISPs.

 

What is the best practice regarding the Palo Alto? Which would it be the best architecture in this case scenario?

 

Thank you.

7 REPLIES 7

L0 Member

Hi,

Do you currently have two ISP connections or Just One ?

Cyber Elite
Cyber Elite

@JUrenaG,

If you want to load balance GlobalProtect connections you'll need to configure a second VR so that you can use the secondary ISP connection for another gateway. Then in your portal configuration you'll need to load-balance your users through both gateways.

Is their any reason that you want to replace the A10 load-balancers and terminate directly on the firewall? 

Hello,

 

I currently have two ISP but I am using the public IP of just one for all my remote users

Hello @BPry ,

 

I do not want to replace my A10. My mistake if I did not explain myself in the best possible way.

 

We currently have Global Protect working but with just one public IP address. We are using our A10 for other services (web server, etc) but we are not using to balance our GP links.

 

We want to start using the public IP address of our second ISPs so we can balance the load between both path.

 

 

Hope I explained better.

Hello,

This is where it could get a bit messy. Are the A10's designed and setup to take in multiple sources and push then to 1 IP/client? This is typically reverse of what load balancers do. Then you have the DNS issue where your public DNS for your GlobalProtect clients has two IP entries, this is just DNS round robin, so technically no need for the A10's sine DNS is handling it and you only have 1 active PAN to service the clients.

 

Since we dont know the reasons behind this, its tough to advise. However I am a fan of the KIS model (keep it simple).

 

Regards,

Hi @OtakarKlier 

 

That's what I thought. it is reverse of what a load balancers usually do.

 

The reason behind this is because of the CoVID Pandemic, we have almost 80% of our users working from home and we want to prevent any saturation in one of our links by balancing the connections between the two Public IP Addresses that we have instead of one.

 

But as you mentioned, both connections would be received by the same firewall so the saturation would happen any way. Am I right?

 

Thank you

Hello,

I would look into splitting the traffic:

i.e. VPN traffic comes in over ISP A and regular web browsing traffic goes out ISP B, or something similar. 

 

However increasing bandwidth would be the easiest way to make sure you dont run out of bandwidth.

 

Cheers!

  • 6125 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!