Global Protect and two gateway

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Global Protect and two gateway

L4 Transporter

Hello

I have PA200 without licence for second GP Portal.

I did a second gateway because I thought that this should solve my problem.

I need to let access to some website to my users but with my IP address. Thease people has accounts on radius server. I did second gateway for them.

I have separate IP and SSL certyfiacate for this, separate config (different VPN network, tunnel interface, authentication profile).

But when I try to point to GP Client to use gateway2 as a portal it's complain about certificate. I know that I sould put there a portal url not gateway! - but how to tell to GP client to use second gateway?

On my first gateway are logging peopple that has accounts on ActiveDirectory or locally on PA device.

I thought of using only one gateway but then I will be unable to recognize users in security policies (create rules for users fro AD different that from Radius.)

sorry for my english ... but I hope that you undertand what I'm trying to do.

If I'm wrong - in which situation we are using more than one gateway?

With regards

Slawek

1 accepted solution

Accepted Solutions

"But when I try to point to GP Client to use gateway2 as a portal it's complain about certificate"

You can't do that.every client should connect to portal first.

you need a license for 2 gateways

without license you can only use

2portals each have one gateway

View solution in original post

7 REPLIES 7

L6 Presenter

you configured 2 portals and 2 gateway ?

I configured one portal and two gateways.

"But when I try to point to GP Client to use gateway2 as a portal it's complain about certificate"

You can't do that.every client should connect to portal first.

you need a license for 2 gateways

without license you can only use

2portals each have one gateway

L5 Sessionator

Good Morning Slawek,

For a multiple gateway scenario, ensure that you have the multiple gateway licenses. In addition to that, the GP users when connecting to the firewalls, would always first authenticate on the portal and then to the gateway. If the users have to be authenticated via Radius, create an authentication sequence that uses both the LDAP and the Radius and use this sequence under the portal authentication, so that if the users connecting to the gateway2, cannot be authenticated via LDAP, then they can fall back to the Radius Authentication.

Once they get authenticated, they next connect to the gateway. Ensure that you are using the same Radius server for authenticating when connecting to the Gateway.

We can connect to a gateway manually. See the below link that has a video explaining the same:

https://live.paloaltonetworks.com/videos/1275

hmm thats interesting why my PA200 dosn't complain about licences during commit proces (when I have one portal and two gateways)

That is because you are configuring Global protect gateway but inside Global Protect Portal defining 2 gateways will change the behaviour.you will get notification for license.

Thank you for all of you.

Now i have two portals and it's seems to be working.

I know that I can use authentication sequence but for second GP portal there must by Radius only auth.

Now I have to do NAT with special IP for second GP gateway. I did nat rule with filter for source adresses (second gateway has different network adresses than first) but I stuck with security policy.

Because both of my GP are in the same zone (on PA200 I have very limited amount of zones) I need to use filter for source addresses. Do I have other options? Can I select users authenticated by radius server? ( I can't see such option but maybe I'm wrong...).

My security polices:

2013-06-25_131832.png

and security policies

2013-06-25_131810.png

In this situation do I need "GP to internet" or "VPN NAT" is enought?

I put "GP blokada" right after allow policies because I need to limit access to internet only - is it correct?

Regards

SLawek

  • 1 accepted solution
  • 4583 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!