Global protect - external gateway blocking?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Global protect - external gateway blocking?

In the global protect gateway settings where you can select the priority by region does the firewall block connections from any regions that are not included there?

 

this is the article discussing the feature I’m referring to:

 https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-new-features/globalprotect-features/external-gat...

4 REPLIES 4

I believe I found my own answer. It looks like if you select a regions here then a user will need to be located in one of these regions to use that gateway. Can anyone confirm I’m understanding this correctly? 

 

https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-web-interface-help/globalprotect/network-globalp...

@brian.fitzpatrick22,

You are looking at two very different options. 

There is the agent config on the portal that you reference in your first link, and this is where you would want to ensure that you actually have a config to match the source region a user is destined from if you choose to limit it by region. So if we look at an example:

Capture.PNG

Now if I made the agent-config like this it will only match an address within the US and Canada. If this was the only agent-config that I had configured, an end user in Mexico for example wouldn't be able to connect because they wouldn't have a valid agent config. If they attempted to connect the connection would be terminated and they would be presented with an error stating no agent configuration was found. 

 

Now when you start talking about gateway priority things change a bit. Here I might specify that my USA gateway is rated the highest priority for people in the US, but only a High priority if they are in Canada. Although for the Canadian gateway I would switch this so that it's the highest priority portal for users in Canada, but only high priority for users in the US. This would direct all my US agents to utilize the US gateway, while the Canadian agents use the Canadian gateway. If for some reason my Canadian gateway was down then all agents would switch to the US gateway and vise-versa. This configuration also wouldn't stop someone from say Mexico connecting to the gateways as long as they were allowed within the security rulebase and they had a valid agent configuration. This is simply setting priority of which external gateway the agent should utilize depending on their source address. 

Capture.PNG

Sorry to bump an old thread but we were toubleshooting same issue. Had a user in Mexico trying to connect to our US gateway, and if the gateway priority was set to only USA as the only priority it did not work.

Community Team Member

Hi @micahstewart ,

 

Could you elaborate a bit on where it fails exactly and how it was set up ?

Did you also configure a restriction on source address as per BPry's first scenario, at which point it would be expected behavior or did you just configure a gateway priority ?

 

If you only configured a GW priority without any source address restrictions then I would check the logs.

 

Kind regards,

-Kiwi.

 

 
LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.
  • 5790 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!