Looking to set up multiple data center redundancy for GlobalProtect and I'm unsure if Palo Alto would support a global load balancer (GLB) for the solution. We have global load balancer DNS servers that detect the status of our DC internet connections and will remove the IPs from the DNS entry if an ISP is down. The TTL on the DNS entries is 10s so it happens fast. We have 2 data centers. The primary data center has 2 Internet connections with a local load balancer handling the ISP redundancy. The second data center has a similar setup but only a single ISP for now. My thought is to create a DNS entry for vpn.company.com that is load balanced to the portal service across both DCs (and essentially all 3 ISPs). Once the client connects to the portal, it returns two gateways. It will return vpn1.company.com and vpn2.company.com. The vpn1 entry would be another load balanced DNS entry which points to both ISPs at the primary DC. The vpn2 entry would point to the secondary DC's ISP.
I believe I would need 3 DNS names and 3 certificates to make this work. The vpn.company.com certificate would be installed on both DCs' Palos and bound to the Portal service. The vpn1 and vpn2 certificates would be bound to their respective DC.
We already use vpn1.company.com to load balance across the primary DC's ISPs and it works great. I think this is literally just load balancing the portal.
Would this be a supported solution with GlobalProtect? I believe this gives me both portal and gateway redundancy.
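One way to verify the design described above once it is in place, as an added example that is not from the post or from Palo Alto: for each of the three names, resolve every address the GLB DNS currently answers with, connect to each one with SNI set to that name, and confirm the presented certificate's SAN covers the name (so the portal cert really is on both DCs and each gateway cert matches its own name). It assumes TCP/443 and a certificate chain that the local trust store already trusts; the hostnames are the ones from the post.

```python
# Added check (not from the post): confirm that every address a GlobalProtect
# name resolves to presents a certificate whose SAN covers that name, so a GLB
# DNS answer from either DC still passes the client's hostname check.
import socket
import ssl

def san_dns_names(cert):
    """DNS entries from the subjectAltName of an ssl getpeercert() dict."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]

def hostname_matches(hostname, san_names):
    """Exact match, or one wildcard in the left-most label (RFC 6125 style)."""
    host = hostname.lower().rstrip(".").split(".")
    for name in san_names:
        labels = name.lower().rstrip(".").split(".")
        if labels == host:
            return True
        if labels[0] == "*" and len(labels) == len(host) >= 3 and labels[1:] == host[1:]:
            return True
    return False

def fetch_cert(ip, hostname, port=443, timeout=5.0):
    """TLS-connect to one address with SNI=hostname. The chain is validated
    against the system trust store; the name check is done per address by us."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # still CERT_REQUIRED, only the name check moves
    with socket.create_connection((ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            return tls.getpeercert()

def check_name(hostname, port=443):
    """Resolve hostname; report per address whether its cert covers the name."""
    infos = socket.getaddrinfo(hostname, port, proto=socket.IPPROTO_TCP)
    report = {}
    for ip in sorted({info[4][0] for info in infos}):
        try:
            names = san_dns_names(fetch_cert(ip, hostname, port))
            report[ip] = (hostname_matches(hostname, names), names)
        except (OSError, ssl.SSLError) as exc:
            report[ip] = (False, [f"error: {exc}"])  # unreachable or untrusted chain
    return report

if __name__ == "__main__":
    # Names taken from the post; run this from a client-side vantage point.
    for name in ("vpn.company.com", "vpn1.company.com", "vpn2.company.com"):
        for ip, (ok, names) in check_name(name).items():
            print(f"{name:18} {ip:15} {'OK ' if ok else 'BAD'} {names}")
```

Run it a few times while the GLB health checks flip an ISP in and out, and every address that appears should report OK.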