03-29-2018 01:34 AM
Hello there 🙂
The following situation has evolved on our company network, and I'm not 100% sure it's the best solution. As system engineers we use GlobalProtect to log in to work and do our things.
The setup:
ISP1 ----active/active---- ISP
|
PA3050 ----active/passive---- PA3050
Very straightforward. Two ISPs, using PBF for routing certain traffic left or right. Currently, we have set up two GP Gateways, one on each ISP interface. This works fine. However, I started reading after the fact and found that most people use 2 internet A-records to direct traffic, e.g. gp1.company.com and gp2.company.com. Probably due to the fact that this works better in the GP Agent.
We did it a little differently. We have two IPs on 1 A-record. So it will probably be whichever-comes-first in DNS resolution. The question now: how does the GP agent handle this when, for example, 1 GW is down? Does it automatically cycle to the next IP address provided in the A-record? Or do I still need to change the configuration to a multiple A-record setup?
Cheers and thanks in advance!
03-29-2018 01:53 AM
I'm gonna take a guess here and say that if one of the GWs is down then half of your users will fail to connect.
If they then try to connect again, there is a 50% chance it will fail again.
The DNS is round robin; it will only offer one of the two addresses. It does not offer both and let the client choose which one to use.
I would definitely advise 2 gateway addresses, but that will require an additional license.
03-29-2018 01:59 AM
There are actually two Gateways configured and also two portals. I think I can agree with you that DNS will only return one IP, so if one ISP is down and you get that IP address returned it will probably fail to connect. Could be worth giving it a try by changing one of the GP Gateway IPs to something non-existent, I think?
TL;DR
How does the GP Agent handle this set up?
03-29-2018 02:04 AM
OK, but I can't see the issue of having two A records... have I missed something here...
Also, we have multiple records for all of our gateways as required for GP load balancing; perhaps this will also explain others' preference.
This of course will not apply to you as it's all on the same PA.
03-29-2018 02:07 AM
TL;DR
How does the GP Agent handle this set up?
Don't get what you mean.....
03-29-2018 02:20 AM
Well, the GP Agent does a lookup for gp.company.com and gets back 1 IP address, let's say x.y.z. But suppose that ISP is down, so it will fail, right? But our gp.company.com also has IP address a.b.c. (which is configured on a different portal, but OK). Is the GP Agent so smart that it will automatically try to connect to other IPs from the same A-record, e.g. gp.company.com?
03-29-2018 03:30 AM - edited 03-29-2018 03:34 AM
That will not work, but if the user tries to reconnect then it may get the correct address.
Here is what you could do...
1 portal with 3 gateways.
The 3 gateways will have different names, gw1, gw2, gw3, but all point to the same A record.
The client will try to resolve all gateways and at least one of them will be on the second address in your A record.
And at least one of them will complete the SSL handshake.
I have tested this with different priorities on each gateway... results below..
(T5248) 03/29/18 11:22:43:895 Debug( 756): wlapaip6.vpn.test.co.uk 209ms
(T5248) 03/29/18 11:22:43:895 Debug( 756): wlapaip6.vpn.test.co.uk 62ms
(T5248) 03/29/18 11:22:43:895 Debug( 756): wlapaip6.vpn.test.co.uk 109ms
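The following is an added simulation, not code from this thread or from Palo Alto Networks. It models the behaviour described in the replies above: a round-robin DNS answer where the client only uses the first address, the resulting 50% failure rate when one ISP's address is dead, and the proposed workaround of several gateway entries that all carry the same FQDN so that each entry triggers a fresh lookup. The hostname gp.example.com, the two placeholder addresses, and the "ISP1 down" outage are constructed; the reachability check is injected so the simulation runs offline, with a real TCP probe supplied for use against live gateways.

```python
"""Added example (not from the thread): DNS round robin vs. the GlobalProtect
client's single-address behaviour, and the multi-gateway workaround."""
import itertools
import socket
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample zone: one FQDN with one A record per ISP (placeholder addresses).
GP_A_RECORDS: Dict[str, List[str]] = {
    "gp.example.com": ["192.0.2.10", "198.51.100.10"],
}

Reachable = Callable[[str], bool]


class RoundRobinResolver:
    """Models a round-robin DNS server: every query rotates the record order by one,
    so a client that only looks at the first address sees them alternate."""

    def __init__(self, records: Dict[str, List[str]]) -> None:
        self._records = records
        self._offset = {name: itertools.cycle(range(len(addrs))) for name, addrs in records.items()}

    def resolve_all(self, name: str) -> List[str]:
        """Full answer section, in this query's rotated order."""
        addrs = self._records[name]
        start = next(self._offset[name])
        return addrs[start:] + addrs[:start]

    def resolve_one(self, name: str) -> str:
        """What a client sees when it only uses the first returned address."""
        return self.resolve_all(name)[0]


def tcp_reachable(addr: str, port: int = 443, timeout: float = 2.0) -> bool:
    """Real reachability probe for live use: can a TCP handshake to the gateway port complete?
    The offline simulation below injects a stand-in instead of calling this."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:
        return False


def connect_first_only(resolver: RoundRobinResolver, name: str, reachable: Reachable) -> Optional[str]:
    """Client that resolves once and tries only the first address it is handed."""
    addr = resolver.resolve_one(name)
    return addr if reachable(addr) else None


def connect_all_addresses(resolver: RoundRobinResolver, name: str, reachable: Reachable) -> Optional[str]:
    """Client that walks every address in the answer until one accepts the connection."""
    for addr in resolver.resolve_all(name):
        if reachable(addr):
            return addr
    return None


def connect_via_gateway_list(resolver: RoundRobinResolver, name: str,
                             gateway_labels: List[str], reachable: Reachable) -> Optional[Tuple[str, str]]:
    """Workaround from the thread: several gateway entries (gw1, gw2, gw3) that share one FQDN.
    Each entry causes its own lookup, so round robin eventually hands out the live address."""
    for label in gateway_labels:
        addr = resolver.resolve_one(name)
        if reachable(addr):
            return label, addr
    return None


def failure_rate(connect, resolver: RoundRobinResolver, name: str, reachable: Reachable, trials: int = 100) -> float:
    """Fraction of connection attempts that end with no usable gateway."""
    failures = sum(1 for _ in range(trials) if connect(resolver, name, reachable) is None)
    return failures / trials


if __name__ == "__main__":
    # Constructed outage: only the second ISP's address answers.
    isp1_down: Reachable = lambda addr: addr == "198.51.100.10"
    for connect in (connect_first_only, connect_all_addresses):
        rate = failure_rate(connect, RoundRobinResolver(GP_A_RECORDS), "gp.example.com", isp1_down)
        print(f"{connect.__name__}: {rate:.0%} of attempts fail with ISP1 down")
    print(connect_via_gateway_list(RoundRobinResolver(GP_A_RECORDS), "gp.example.com",
                                   ["gw1", "gw2", "gw3"], isp1_down))
```

With ISP1 down, the first-address-only client fails on every other attempt, a client that walks the whole answer never fails, and the three-gateway list succeeds on its second entry because that lookup lands on the other address. Swapping the injected check for tcp_reachable turns the same functions into a quick probe of which addresses behind a real A record currently accept a handshake on 443.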
03-29-2018 04:46 AM
I will try that. It looks like it could work in the way that we want. Thank you very much and I'll report back if I get it working.
04-15-2018 11:40 PM
Coming back to this, I didn't have much time to spend on this.
Anyway, how do I configure this?
In the GP config I can only select one interface, but I have, of course, configured 2 different ISPs?
In the Agent config I can assign two gateways, but I don't see the use for that since both FQDNs are the same?
How should I go about configuring this setup?
04-16-2018 01:02 AM - edited 04-16-2018 01:08 AM
OK, so I will assume you are trying to use round robin...
You will need to create 2 portals, 1 for each ISP.
So if one of your ISP interfaces becomes unavailable, the user's device will fail to connect to the portal but use the previously cached version.
Then, on each portal, have 3 different names for the gateways but copy the gateway FQDN 3 times.
I know this seems daft, but the GP client will try to handshake the same gateway 3 times and you should get both ISP results back, unless of course your device caches the DNS result, but you will need to test this. The IP address of the handshake attempt will be in the client logs.
I'm clutching at straws here as I would not use RR for GP..... just have 2 different FQDNs.
04-16-2018 01:14 AM
Hmm, I was just trying this to send you a print screen and it's not letting me replicate the gateway FQDN like it did last time...
It may be a version thing, I will have a play.
04-16-2018 01:21 AM
To confirm...
Multiple gateways with the same FQDN cannot be done on 7.1.15, but it can be done on 8.08.
I have no idea what other versions can do what, but I have a feeling it's a V8 thing.
04-16-2018 03:51 AM
Ah! This would definitely be an issue then. My current Prod firewall is 7.1.8...
I'll try and replicate this on my V8 test setup. Thanks very much!
I'd like to keep the setup as simple as possible, so I just want 1 FQDN for connecting the GP Agent to the network. For now it's only in use for us sysadmins, but we may decide to allow user access later on.
04-16-2018 04:46 AM
V7.x: well, if it's only sysadmins for now, then you could have 1 portal and 1 gateway and add a single IP entry in the hosts file.
04-16-2018 05:35 AM
We've got very stable ISPs for now, so I guess it's all fine and dandy, but we still need access when one ISP is down, of course. We still need to update Prod anyway.