Global protect high availability

L1 Bithead

Hi Techie,

 

I am deploying GlobalProtect in 4 different regions; based on their region, users will be connected to the appropriate portal.

 

If the portal for their location is down, then they have to come to the DC portal. How do I achieve that?

 

FYI, I am using pre-logon based authentication and I have machine certificate verification for the identity check of the endpoint. So now, what are all my considerations in order to achieve GlobalProtect redundancy?


L7 Applicator

this is a bit confusing, how are you using portals with regions, or do you mean gateways?

Cyber Elite

you only need 1 single portal

 

you could set your 4 regional gateways to use the same FQDN and then ensure each region only resolves the local IP, if then the local gateway goes down, only the DC gateway will remain accessible (set it to a lower priority than the regional gw)

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

what if I have 4 different FQDNs and, if the regional portal is down, I want to reach whichever one is accessible based on the auto discovery? Basically we want to perform full mesh across all 4 portals.


@reaper wrote:

you only need 1 single portal

 

you could set your 4 regional gateways to use the same FQDN and then ensure each region only resolves the local IP, if then the local gateway goes down, only the DC gateway will remain accessible (set it to a lower priority than the regional gw)


 

hi @KPSaravanan

 

do not set up regional portals, you only need a single portal (if you do opt for regional portals, your users will need to do everything manually)

 

what you most likely need is regional gateways (not the same as portals) 

 

if you do opt to use 4 different fqdn (or their respective IP) then autodiscovery will always poll all 4, and determine which one is most responsive (responsiveness is measured by the speed with which ssl handshake is completed, not ping time) 

so users in region 1 could set up connections to regions 2 and 3 because region 1 is 'slow' for some reason, this would require you to have full mesh config

 

if you set all 4 portals to the same fqdn and only provide local dns to the local IP, as soon as the local gateway is unreachable you will be able to have 1 lower priority backup, being the DC. in this scenario you would not need full mesh

 

 

if you do mean to use 4 portals, you can have 4 different configurations where only the local portal is listed and DC is available as backup, but this will require you to keep 4 separate configurations updated

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

just to confuse things a bit more, as I'm still not sure what you are trying to achieve here...

and I have no idea what a DC gateway is...

 

However...

 

since version 4.0.3 regions take priority over "priority".

 

so..

 

you could set 4 gateways with regions and priority low, and the DC gateway with region and priority high.

 

so... if your gateway region is not available, then it would use the DC gateway because this is set to high, and also in this version, low and lower are not used (regardless of handshake) if high or highest is available..
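As an added illustration (this is not code from the thread or from Palo Alto Networks), the following Python models the selection rules the posts above describe: the client polls the reachable gateways, a gateway whose region matches the client's region is taken first, otherwise the highest priority tier present wins, and the fastest TLS handshake breaks ties. The pure "fastest handshake" behaviour of the full-mesh autodiscovery described earlier in the thread is included for comparison. Gateway names, regions and handshake times are constructed sample data, and the real GlobalProtect client logic may differ in detail.

```python
"""Model of GlobalProtect gateway selection as described in this thread.

Added example, not Palo Alto Networks code. Assumptions: region match beats
priority tier (per the 4.0.3 note), a higher priority tier beats a lower one
regardless of handshake time, and handshake time only breaks ties within a
tier. Gateways marked 'manual' are excluded from automatic selection.
"""

from dataclasses import dataclass
from typing import Iterable, List, Optional

# Priority tiers as named in the GlobalProtect gateway configuration.
# Higher number wins; 'manual' gateways are user-selected only.
PRIORITY_RANK = {"highest": 4, "high": 3, "medium": 2, "low": 1, "lower": 0, "manual": -1}


@dataclass
class Gateway:
    name: str
    fqdn: str
    region: Optional[str]            # region configured on the external gateway
    priority: str                    # one of PRIORITY_RANK
    handshake_ms: Optional[float]    # measured TLS handshake time; None = unreachable


def fastest_handshake(gateways: Iterable[Gateway]) -> Optional[Gateway]:
    """Full-mesh autodiscovery: pick the reachable gateway with the fastest
    TLS handshake, ignoring regions and priorities (Tom's description)."""
    reachable = [g for g in gateways if g.handshake_ms is not None and g.priority != "manual"]
    return min(reachable, key=lambda g: g.handshake_ms) if reachable else None


def select_gateway(gateways: Iterable[Gateway], client_region: str) -> Optional[Gateway]:
    """Region-aware selection as described by Mick_Ball: region first, then
    priority tier, then fastest handshake within the winning tier."""
    candidates = [g for g in gateways if g.handshake_ms is not None and g.priority != "manual"]
    if not candidates:
        return None                                   # nothing reachable at all
    # Rule 1: a reachable gateway in the client's own region takes precedence.
    regional = [g for g in candidates if g.region == client_region]
    if regional:
        candidates = regional
    # Rule 2: keep only the highest priority tier that is reachable; low/lower
    # are never used while a high/highest gateway answers.
    best = max(PRIORITY_RANK[g.priority] for g in candidates)
    candidates = [g for g in candidates if PRIORITY_RANK[g.priority] == best]
    # Rule 3: responsiveness is the TLS handshake time, not ping.
    return min(candidates, key=lambda g: g.handshake_ms)


def sample_gateways(down: Iterable[str] = ()) -> List[Gateway]:
    """Constructed topology for the thread's scenario: four regional gateways
    at priority 'low' and one DC gateway at priority 'high'. Names listed in
    `down` are marked unreachable. All FQDNs and timings are made up."""
    gws = [
        Gateway("gw-region1", "gw1.example.com", "region1", "low", 40.0),
        Gateway("gw-region2", "gw2.example.com", "region2", "low", 90.0),
        Gateway("gw-region3", "gw3.example.com", "region3", "low", 120.0),
        Gateway("gw-region4", "gw4.example.com", "region4", "low", 150.0),
        Gateway("gw-dc", "gw-dc.example.com", "dc", "high", 70.0),
    ]
    down = set(down)
    for g in gws:
        if g.name in down:
            g.handshake_ms = None
    return gws


if __name__ == "__main__":
    # Region 2's local gateway is down: full-mesh autodiscovery would jump to
    # whichever region answers fastest, while the region/priority rules send
    # the user to the DC gateway instead.
    outage = sample_gateways(down=("gw-region2",))
    print("fastest handshake  ->", fastest_handshake(outage).name)
    print("region + priority  ->", select_gateway(outage, "region2").name)
```

Running the block prints `gw-region1` for the handshake-only rule and `gw-dc` for the region-and-priority rule, which is exactly the difference between the two proposals in this thread: with priorities set as Mick_Ball suggests, a regional outage fails over to the DC rather than to an arbitrary fast region.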

 

 

thanks for the detailed solution, I am OK with your full mesh solution, so correct me if my path is right

 

I have 4 different ISPs in different locations, 4 different public IPs and URLs.

 

can you share with me the deployment scenario guide to achieve this configuration and the considerations.

 

I have some silly doubts like

 

do I need to use the same IP pool across different locations, or is a different IP pool OK?

do the gateway URL and portal URL need to be different or the same?


@reaper wrote:

hi @KPSaravanan

 

do not set up regional portals, you only need a single portal (if you do opt for regional portals, your users will need to do everything manually)

 

what you most likely need is regional gateways (not the same as portals) 

 

if you do opt to use 4 different fqdn (or their respective IP) then autodiscovery will always poll all 4, and determine which one is most responsive (responsiveness is measured by the speed with which ssl handshake is completed, not ping time) 

so users in region 1 could set up connections to regions 2 and 3 because region 1 is 'slow' for some reason, this would require you to have full mesh config

 

if you set all 4 portals to the same fqdn and only provide local dns to the local IP, as soon as the local gateway is unreachable you will be able to have 1 lower priority backup, being the DC. in this scenario you would not need full mesh

 

 

if you do mean to use 4 portals, you can have 4 different configurations where only the local portal is listed and DC is available as backup, but this will require you to keep 4 separate configurations updated


 

different IP pools are preferred (this helps routing from the main site)

different URLs for portal and gateway are preferred (as you have 4 gateways and only 1 portal)

 

check out @Mick_Ball's solution as that will help set 'priority' for the gateways differently from my proposal (i was not aware this was possible, we all learn new things)

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization