Best way to load balance to ISP with Global Protect

L1 Bithead


We have an active/passive 3020 and in front of them we have A10 load balancers. We want to change our current configuration so we can load balance between our two ISPs.

What is the best practice regarding the Palo Alto? Which would be the best architecture in this scenario?

Thank you.

L0 Member

Hi,

Do you currently have two ISP connections or just one?

Cyber Elite

@JUrenaG,

If you want to load balance GlobalProtect connections you'll need to configure a second VR so that you can use the secondary ISP connection for another gateway. Then in your portal configuration you'll need to load-balance your users through both gateways.

Is there any reason that you want to replace the A10 load balancers and terminate directly on the firewall?

L1 Bithead

Hello,

I currently have two ISPs, but I am using the public IP of just one for all my remote users.

L1 Bithead

Hello @BPry,

I do not want to replace my A10. My mistake if I did not explain myself in the best possible way.

We currently have Global Protect working but with just one public IP address. We are using our A10 for other services (web server, etc.) but we are not using it to balance our GP links.

We want to start using the public IP address of our second ISP so we can balance the load between both paths.

Hope I explained better.

Cyber Elite

Hello,

This is where it could get a bit messy. Are the A10s designed and set up to take in multiple sources and push them to 1 IP/client? This is typically the reverse of what load balancers do. Then you have the DNS issue where your public DNS for your GlobalProtect clients has two IP entries; this is just DNS round robin, so technically there is no need for the A10s since DNS is handling it and you only have 1 active PAN to service the clients.

Since we don't know the reasons behind this, it's tough to advise. However, I am a fan of the KIS model (keep it simple).

 

Regards,

L1 Bithead

Hi @OtakarKlier

That's what I thought. It is the reverse of what load balancers usually do.

The reason behind this is the COVID pandemic: we have almost 80% of our users working from home and we want to prevent any saturation in one of our links by balancing the connections between the two public IP addresses that we have instead of one.

But as you mentioned, both connections would be received by the same firewall so the saturation would happen anyway. Am I right?

 

Thank you

Cyber Elite

Hello,

I would look into splitting the traffic:

i.e. VPN traffic comes in over ISP A and regular web browsing traffic goes out ISP B, or something similar.

However, increasing bandwidth would be the easiest way to make sure you don't run out of bandwidth.

 

Cheers!
