Global Protect Architecture


L3 Networker

Guys,

Need some guidance here. One of our clients with an MPLS network wants to build a GP network. They are looking at buying a portal for a PA 5050 and have GP gateway licenses for each local box. The issue is the local boxes are on different networks. All the users will hit the portal and the portal will now send them to their local gateway for authentication and authorization. I think it is possible with service route config and AD authentication.

Anyone have an idea on this?

3 REPLIES

L5 Sessionator

I am not sure if I am understanding your question correctly. As long as your local gateways are routable from the clients you should be good. In your case it sounds like you might want to authenticate once to the portal, from where you will be routed to your nearest gateway depending upon the preference and TTL, wherein you would authenticate again using your local area specific auth profile. Secondly, for licensing you might want to refer to the following doc: https://live.paloaltonetworks.com/docs/DOC-4768, which suggests that a portal license is required for multiple gateways.

Also refer to this tech note: https://live.paloaltonetworks.com/docs/DOC-2020

Hello,

Here is my question. You have a 5050 box with a portal license. It has an IP of 1.1.1.1 from the internet. Internally it has an IP of 10.10.10.1. The internal is part of an MPLS network made up of several independent networks running PAN boxes with GP licenses on them. Cust A has a 2020 with a GP gateway license, Customer B has a 2050. The goal is to have the 5050 portal license serve as the portal for all the PAN boxes with GP gateway licenses. The issue is how will the portal know which gateway to forward the customer to. Say Cust A users connect to the 5050 portal, it needs to forward their SSL session to the 2020, Cust B users need to be forwarded to the 2050, etc. That is what we need to figure out.

Also,

All the boxes are accessible on the MPLS network.
