Global protect - external gateway blocking?


In the global protect gateway settings where you can select the priority by region does the firewall block connections from any regions that are not included there?

 

this is the article discussing the feature I’m referring to:

 https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-new-features/globalprotect-features/external-gat...


I believe I found my own answer. It looks like if you select regions here, then a user will need to be located in one of these regions to use that gateway. Can anyone confirm I'm understanding this correctly?

 

https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-web-interface-help/globalprotect/network-globalp...


@brian.fitzpatrick22,

You are looking at two very different options. 

There is the agent config on the portal that you reference in your first link, and this is where you would want to ensure that you actually have a config to match the source region a user is destined from if you choose to limit it by region. So if we look at an example:

[screenshot: Capture.PNG, agent-config source region settings]

Now if I made the agent-config like this, it will only match an address within the US and Canada. If this was the only agent-config that I had configured, an end user in Mexico, for example, wouldn't be able to connect because they wouldn't have a valid agent config. If they attempted to connect, the connection would be terminated and they would be presented with an error stating no agent configuration was found.

 

Now when you start talking about gateway priority, things change a bit. Here I might specify that my USA gateway is rated the highest priority for people in the US, but only a High priority if they are in Canada. For the Canadian gateway I would switch this so that it's the highest priority gateway for users in Canada, but only high priority for users in the US. This would direct all my US agents to utilize the US gateway, while the Canadian agents use the Canadian gateway. If for some reason my Canadian gateway was down, then all agents would switch to the US gateway and vice versa. This configuration also wouldn't stop someone from, say, Mexico connecting to the gateways as long as they were allowed within the security rulebase and they had a valid agent configuration. This is simply setting the priority of which external gateway the agent should utilize depending on their source address.

[screenshot: Capture.PNG, external gateway priority by source region]
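As an added illustration (not PAN-OS code or the poster's configuration), the following Python model separates the two mechanisms the reply describes: the agent-config's source-region list, which decides whether a client gets a configuration at all, and the per-gateway region priorities, which only order the gateways the agent tries and fail over when one is down. Region codes, gateway names and the priority ordering are assumptions of the model.

```python
"""Model of GlobalProtect region gating vs. gateway priority (constructed example)."""

# Priority labels as shown in the portal UI, highest first. The ordering used
# here is an assumption of this model, not taken from product documentation.
PRIORITY_ORDER = ["Highest", "High", "Medium", "Low", "Lowest"]

# Constructed agent-config: only sources in the US and Canada match it.
# An empty region set means "any region", mirroring an unrestricted config.
AGENT_CONFIGS = [
    {"name": "north-america", "source_regions": {"US", "CA"}},
]

# Constructed external gateways, mirroring the reply: each gateway is Highest
# for its home country and High for the neighbouring one.
GATEWAYS = {
    "us-gw": {"US": "Highest", "CA": "High"},
    "ca-gw": {"CA": "Highest", "US": "High"},
}


def match_agent_config(source_region, agent_configs=AGENT_CONFIGS):
    """Return the first agent-config whose region list covers the source,
    or None (the portal would then report no agent configuration found)."""
    for cfg in agent_configs:
        if not cfg["source_regions"] or source_region in cfg["source_regions"]:
            return cfg["name"]
    return None


def rank_gateways(source_region, gateways=GATEWAYS, down=frozenset()):
    """Order reachable gateways by their priority for this region.
    A gateway with no entry for the region is still a candidate (priority is
    a preference, not a block); it simply sorts after the explicit ones."""
    def key(name):
        label = gateways[name].get(source_region)
        return PRIORITY_ORDER.index(label) if label in PRIORITY_ORDER else len(PRIORITY_ORDER)
    return sorted((g for g in gateways if g not in down), key=key)


def connect(source_region, agent_configs=AGENT_CONFIGS, down=frozenset()):
    """Simulate the agent's outcome: an error, or the gateway it lands on."""
    if match_agent_config(source_region, agent_configs) is None:
        return {"error": "no agent configuration found"}
    ranked = rank_gateways(source_region, down=down)
    return {"gateway": ranked[0]} if ranked else {"error": "no gateway reachable"}
```

Run `connect("MX")` against the region-limited config and then against `[{"name": "any", "source_regions": set()}]` to see that only the agent-config, not the gateway priorities, decides whether the Mexican client is turned away.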
