Dual GW on 1 firewall with 1 A-record

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Dual GW on 1 firewall with 1 A-record

L1 Bithead

Hello there 🙂

 

Following situation has evolved on our company network and I'm not 100% sure it's the best solution. As system engineers we use the GlobalProtect to login to work and do our things.

 

The setup:

 

           ISP1 ----active/active---- ISP

                                          |

PA3050 ----active/passive---- PA3050

 

Very straightforward. Two ISP's, using PBF for routing certain traffic left or right. Currently, we have set up two GP Gateways. On each ISP interface one. This works fine. However, I started reading after the fact and found that most people use 2 internet A-records to direct traffic. E.g. gp1.company.com and gp2.company.com. Probably due to the fact that this works better in the GP Agent.

 

We did it a little different. We have two IP's on 1 A-record. So it will probably be whichever-comes-first in DNS resolution. The question now, how does the GP agent handles this when for example 1 GW is down? Does it automatically cycle to the next IP  address provided in the A-record? Or do I still need to change the configuration to multiple A-record setups?

 

Cheers and thanks in advance!

14 REPLIES 14

L7 Applicator

I'm gonna take a guess here and say that on one of the GW's is down then half of your users will fail to connect.

if they then try to connect again then there is a 50% chance it will fail again.

 

the DNS is round robin, it will only offer one of the two addresses. It does not offer both and let the client choose which one to use.

 

i would definately advise 2 gateway addresses but that will require an additional license.

 

 

There actually two Gateways configured and also two portals. I think I can agree with you that DNS will only return one IP, so if one ISP is down and you get that IP address returned it will probably fail to connect. Could be worth giving a try by changing on of the GP Gateway IP's to something non-existent I think?

 

TL;DR

 

How does the GP Agent handle this set up?

 

 

 

 

ok but cant see the issue of having two A records...  have i missed something here...

 

also, we have multiple records for all of our gateways as required for GP load balancing, perhaps this will also explain others preference.

 

this of course will not apply to you as all on the same PA.

TL;DR

 

How does the GP Agent handle this set up?

 

dont get what you mean.....

Well, the GP Agent does a lookup for gp.company.com and gets back 1 IP addres, let's x.y.z. But suppose that ISP is down, so it will fail, right? But our gp.company.com also has IP address a.b.c. (which is configured on a different portal, but ok). Is the GP Agent so smart it will automatically try and connect to other IP's from the same a-record? E.g. gp.company.com

that will not work, but if the user tries to reconnect then it may get the correct address.

 

here is what you could do...

 

1 portal with 3 gateways.

 

the 3 gateways will have different names, gw1,gw2,gw3 but all point to the same A record.

 

the client will try to resolve all gateways and at least one of them will be on the second address in your A record.

and at least one of them will complete the ssl handshake.

 

i have tested this with different priorities on each gateway... results below..

 

(T5248) 03/29/18 11:22:43:895 Debug( 756): wlapaip6.vpn.test.co.uk   209ms
(T5248) 03/29/18 11:22:43:895 Debug( 756): wlapaip6.vpn.test.co.uk   62ms
(T5248) 03/29/18 11:22:43:895 Debug( 756): wlapaip6.vpn.test.co.uk  109ms

 

 

I will try that. It looks like it could work in a way that we want. Thank you very much and I"ll report back if I get it working.

Coming back to this, I didn't have much time to spent on this.

 

Anyway, how do I configure this?

 

In the GP config I can only select one interface, but I have, of course, configured 2 different ISP's?

 

pa01_gp_gw_config_01.PNG

 

In the Agent config I can assign two gateways, but I don't see the use for that since both FQDN's are the same?

 

pa01_gp_gw_config_02.PNG

 

 

How should I go about configuring this setup?

ok so i will assume you are trying to use round robin...

 

you will need to create 2 portals, 1 for each ISP.

 

so if one of your ISP interfaces becomes unavailable the users device will fail to connect to the portal but use the previously cached version.

 

then, on each portals, heve 3 different names for the gateways but copy the gateway FQDN 3 times.

 

I know this seems daft but the GP client will try to handshake the same gateway 3 times and you should get both ISP results back, unless of course your device caches the DNS result but you will need to test this. the ip address of the handshake attempt will be in the client logs.

 

i'm clutching at straws here as i would not use RR for GP..... just have 2 different FQDN's.

 

 

 

 

Hmm, i was just trying this to send you a print screen and it's not letting me replicate gateway FQDN like it did last time...

 

It may be a version thing, i will have a play

to confirm...

 

multiple gateways with same FQDN cannot be done on 7.1.15 but it can be done on 8.08.

 

i have no idea what other versions can do what but i have a feeling it's a V8 thing.

Ah! This would definitely be an issue than. My current Prod firewall is 7.1.8...

 

I'll try and replicate this on my V8 test setup. Thanks very much!

 

I'd like to keep the setup as simple as possible, so I just want 1 FQDN for connecting the GP Agent to the network. For now it's only in use for us sysadmins, but we may decide to allow user access later on.

V7.x, well if only sysadmin for now then you could have 1 portal and 1 gateway and add single ip entry in hosts file,

 

We got very stable ISP's for now, so I guess it's all fine and dandy, but we still need access when one ISP is down, of course. We still need to update Prod anyway.

  • 3778 Views
  • 14 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!