06-24-2013 04:29 AM
Hello
I have a PA200 without a licence for a second GP portal.
I configured a second gateway because I thought that this would solve my problem.
I need to give some of my users access to a certain website, but from my IP address. These people have accounts on a RADIUS server. I made the second gateway for them.
I have a separate IP and SSL certificate for this, and a separate config (different VPN network, tunnel interface, authentication profile).
But when I try to point the GP client to gateway2 as a portal, it complains about the certificate. I know that I should put a portal URL there, not a gateway! But how do I tell the GP client to use the second gateway?
On my first gateway, people log in who have accounts in Active Directory or locally on the PA device.
I thought of using only one gateway, but then I would be unable to distinguish users in security policies (create rules for users from AD that differ from those for users from RADIUS).
Sorry for my English... but I hope that you understand what I'm trying to do.
If I'm wrong, in which situations would we use more than one gateway?
With regards
Slawek
06-24-2013 04:47 AM
"But when I try to point to GP Client to use gateway2 as a portal it's complain about certificate"
You can't do that. Every client should connect to the portal first.
You need a license for 2 gateways.
Without a license you can only use 2 portals, each having one gateway.
06-24-2013 04:34 AM
You configured 2 portals and 2 gateways?
06-24-2013 04:43 AM
I configured one portal and two gateways.
06-24-2013 06:52 AM
Good Morning Slawek,
For a multiple-gateway scenario, ensure that you have the multiple gateway licenses. In addition, when GP users connect to the firewalls, they always first authenticate on the portal and then on the gateway. If the users have to be authenticated via RADIUS, create an authentication sequence that uses both LDAP and RADIUS and use this sequence for the portal authentication, so that if the users connecting to gateway2 cannot be authenticated via LDAP, they can fall back to RADIUS authentication.
Once they are authenticated, they next connect to the gateway. Ensure that you are using the same RADIUS server for authentication when connecting to the gateway.
We can connect to a gateway manually. See the link below, which has a video explaining the same:
06-25-2013 03:32 AM
Hmm, that's interesting. Why doesn't my PA200 complain about licences during the commit process (when I have one portal and two gateways)?
06-25-2013 03:50 AM
That is because you are configuring a GlobalProtect gateway, but defining 2 gateways inside the GlobalProtect portal will change the behaviour. You will get a notification for the license.
06-25-2013 04:29 AM
Thank you all.
Now I have two portals and it seems to be working.
I know that I can use an authentication sequence, but for the second GP portal there must be RADIUS-only auth.
Now I have to do NAT with a special IP for the second GP gateway. I made a NAT rule with a filter for source addresses (the second gateway has different network addresses than the first), but I'm stuck with the security policy.
Because both of my GP gateways are in the same zone (on the PA200 I have a very limited number of zones), I need to use a filter for source addresses. Do I have other options? Can I select users authenticated by the RADIUS server? (I can't see such an option, but maybe I'm wrong...)
My security policies:
and security policies
In this situation, do I need "GP to internet" or is "VPN NAT" enough?
I put "GP blokada" right after the allow policies because I need to limit access to the internet only. Is that correct?
Regards
Slawek
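The last post asks whether a source-address filter is the right way to separate the two gateways' users when both land in the same zone, and whether a deny rule placed after the allow rules limits everything else. The following added example (not from the thread, not Palo Alto code) models a first-match security rulebase in Python to make both points checkable: each gateway hands out addresses from its own pool, the rulebase matches on zone pair plus source subnet, the trailing deny catches whatever the allow rules did not, and a shadowing check flags rules that can never match because an earlier, broader rule precedes them. The pool ranges, zone names and rule contents are constructed assumptions; only the rule names are taken from the post.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    """One security rule: matched on zone pair and source address, first match wins."""
    name: str
    from_zone: str
    to_zone: str
    source: str  # CIDR string, or "any"
    action: str  # "allow" or "deny"


def source_covers(broad: str, narrow: str) -> bool:
    """True if every address matched by `narrow` is also matched by `broad`."""
    if broad == "any":
        return True
    if narrow == "any":
        return False
    return ipaddress.ip_network(narrow).subnet_of(ipaddress.ip_network(broad))


def rule_matches(rule: Rule, from_zone: str, to_zone: str, src_ip: str) -> bool:
    if rule.from_zone != from_zone or rule.to_zone != to_zone:
        return False
    if rule.source == "any":
        return True
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.source)


def evaluate(rulebase: List[Rule], from_zone: str, to_zone: str, src_ip: str) -> Tuple[str, str]:
    """Return (rule name, action) of the first matching rule, or the implicit interzone deny."""
    for rule in rulebase:
        if rule_matches(rule, from_zone, to_zone, src_ip):
            return rule.name, rule.action
    return "interzone-default", "deny"


def shadowed_rules(rulebase: List[Rule]) -> List[str]:
    """Names of rules that can never match because an earlier rule with the same
    zone pair already covers their whole source range (a common ordering mistake)."""
    shadowed = []
    for i, later in enumerate(rulebase):
        for earlier in rulebase[:i]:
            if (earlier.from_zone, earlier.to_zone) == (later.from_zone, later.to_zone) \
                    and source_covers(earlier.source, later.source):
                shadowed.append(later.name)
                break
    return shadowed


# Constructed rulebase: both GlobalProtect gateways terminate in one zone ("GP"),
# so the only thing telling the two user populations apart is the IP pool each
# gateway assigns. Pools and zones are assumptions for this example.
RULEBASE = [
    # RADIUS-authenticated users (second gateway's pool): allowed out, NAT'd elsewhere
    Rule("VPN NAT", "GP", "untrust", "10.10.20.0/24", "allow"),
    # AD/local users (first gateway's pool)
    Rule("GP to internet", "GP", "untrust", "10.10.10.0/24", "allow"),
    # Trailing deny for anything else leaving the GP zone towards the internet
    Rule("GP blokada", "GP", "untrust", "any", "deny"),
]


if __name__ == "__main__":
    for ip in ("10.10.20.5", "10.10.10.7", "10.10.30.1"):
        print(ip, "->", evaluate(RULEBASE, "GP", "untrust", ip))
    print("shadowed (correct order):", shadowed_rules(RULEBASE))
    wrong_order = [RULEBASE[2], RULEBASE[0], RULEBASE[1]]
    print("shadowed (deny moved first):", shadowed_rules(wrong_order))
```

Running it shows that a client from the second gateway's pool hits "VPN NAT", one from the first pool hits "GP to internet", and anything else from the GP zone falls through to "GP blokada"; moving the deny rule above the allows makes both allow rules shadowed, which is the ordering error the post is asking about. On the real firewall the same separation can be done by source address (as here) or, once users are identified, by the source user field in the rule; the model only covers the address-based approach.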