03-19-2018 05:09 AM
Hi Techie,
I am deploying GlobalProtect in 4 different regions; based on their region, users will be connected to the appropriate portal.
If the portal for their location is down, then they have to come to the DC portal. How do I achieve this?
FYI, I am using pre-logon based authentication and I have machine certificate verification for the identity check of the endpoint. So what are all my considerations in order to achieve GlobalProtect redundancy?
03-19-2018 05:20 AM
This is a bit confusing; how are you using portals with regions, or do you mean gateways?
03-19-2018 06:03 AM
You only need 1 single portal.
You could set your 4 regional gateways to use the same FQDN and then ensure each region only resolves the local IP. If the local gateway then goes down, only the DC gateway will remain accessible (set it to a lower priority than the regional gateway).
03-19-2018 06:21 AM
What if I have 4 different FQDNs and, if the regional portal is down, I want to reach whichever one is accessible based on auto discovery? Basically we want to perform full mesh across all 4 portals.
@reaper wrote:
You only need 1 single portal.
You could set your 4 regional gateways to use the same FQDN and then ensure each region only resolves the local IP. If the local gateway then goes down, only the DC gateway will remain accessible (set it to a lower priority than the regional gateway).
03-19-2018 06:40 AM
Hi @KPSaravanan,
Do not set up regional portals; you only need a single portal (if you do opt for regional portals, your users will need to do everything manually).
What you most likely need is regional gateways (not the same as portals).
If you do opt to use 4 different FQDNs (or their respective IPs), then autodiscovery will always poll all 4 and determine which one is most responsive (responsiveness is measured by the speed with which the SSL handshake is completed, not ping time).
So users in region 1 could set up connections to regions 2 and 3 because region 1 is 'slow' for some reason; this would require you to have a full mesh config.
If you set all 4 portals to the same FQDN and only provide local DNS to the local IP, as soon as the local gateway is unreachable you will be able to have 1 lower-priority backup, being the DC. In this scenario you would not need full mesh.
If you do mean to use 4 portals, you can have 4 different configurations where only the local portal is listed and the DC is available as backup, but this will require you to keep 4 separate configurations updated.
03-19-2018 07:43 AM
Just to confuse things a bit more, as I am still not sure what you are trying to achieve here...
And I have no idea what a DC gateway is...
However...
Since version 4.0.3, regions take priority over "priority".
So..
You could set 4 gateways with regions and priority low, and the DC gateway with region and priority high.
So... if your gateway region is not available, then it would use the DC gateway because this is set to high. Also, in this version, low and lower are not used (regardless of handshake) if high or highest is available.
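As an added illustration (not code from this thread or from Palo Alto Networks), the Python below models the gateway selection rules described in the replies above: reaper's point that autodiscovery prefers the fastest SSL handshake, and Mick_Ball's point that a region match comes first and that a high-priority gateway beats low/lower ones regardless of handshake. The priority tier ordering, the `dc` region label and the gateway list are constructed assumptions for the example.

```python
# Model of GlobalProtect gateway selection as described in this thread:
# region match first, then priority tier, then fastest SSL handshake.
# Assumption: the tier ordering and the gateway list below are constructed
# for illustration, not taken from PAN-OS documentation.
from dataclasses import dataclass
from typing import Optional

PRIORITY_RANK = {"highest": 0, "high": 1, "medium": 2, "low": 3, "lower": 4, "lowest": 5}

@dataclass
class Gateway:
    name: str
    region: str
    priority: str
    reachable: bool       # constructed probe result: did the SSL handshake complete?
    handshake_ms: float   # constructed handshake time, used only as a tie-break

def select_gateway(gateways, client_region) -> Optional[Gateway]:
    """Return the gateway the thread's rules would choose for a client in client_region."""
    up = [g for g in gateways if g.reachable]
    if not up:
        return None
    # 1. Regions beat priority: if any reachable gateway matches the client's
    #    region, only those gateways are considered.
    in_region = [g for g in up if g.region == client_region]
    candidates = in_region or up
    # 2. Within the candidates, the best priority tier wins regardless of handshake.
    best_rank = min(PRIORITY_RANK[g.priority] for g in candidates)
    tier = [g for g in candidates if PRIORITY_RANK[g.priority] == best_rank]
    # 3. Inside one tier, autodiscovery prefers the fastest SSL handshake.
    return min(tier, key=lambda g: g.handshake_ms)

# Constructed topology: four regional gateways at priority low plus a DC gateway at high,
# i.e. the layout Mick_Ball proposes.
GATEWAYS = [
    Gateway("gw-eu", "eu", "low", True, 40.0),
    Gateway("gw-us", "us", "low", True, 30.0),
    Gateway("gw-apac", "apac", "low", True, 120.0),
    Gateway("gw-latam", "latam", "low", True, 90.0),
    Gateway("gw-dc", "dc", "high", True, 60.0),
]

def with_outage(gateways, down_name):
    """Copy of the gateway list with one gateway marked unreachable (simulated outage)."""
    return [Gateway(g.name, g.region, g.priority, g.reachable and g.name != down_name, g.handshake_ms)
            for g in gateways]
```

With all regional gateways at the same priority instead (reaper's full-mesh case), an outage in the client's region falls through to whichever remote gateway completes the SSL handshake fastest, which is why the DC gateway needs a higher tier to be the guaranteed fallback.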
03-20-2018 08:01 AM
Thanks for the detailed solution. I am OK with your full mesh solution, so correct me if my path is right:
I have 4 different ISPs in different locations, 4 different public IPs and URLs.
Can you share with me the deployment scenario guide to achieve this configuration and the considerations?
I have some silly doubts like:
Do I need to use the same IP pool across different locations, or is a different IP pool OK?
Do the gateway URL and portal URL need to be different or the same?
@reaper wrote:
Hi @KPSaravanan,
Do not set up regional portals; you only need a single portal (if you do opt for regional portals, your users will need to do everything manually).
What you most likely need is regional gateways (not the same as portals).
If you do opt to use 4 different FQDNs (or their respective IPs), then autodiscovery will always poll all 4 and determine which one is most responsive (responsiveness is measured by the speed with which the SSL handshake is completed, not ping time).
So users in region 1 could set up connections to regions 2 and 3 because region 1 is 'slow' for some reason; this would require you to have a full mesh config.
If you set all 4 portals to the same FQDN and only provide local DNS to the local IP, as soon as the local gateway is unreachable you will be able to have 1 lower-priority backup, being the DC. In this scenario you would not need full mesh.
If you do mean to use 4 portals, you can have 4 different configurations where only the local portal is listed and the DC is available as backup, but this will require you to keep 4 separate configurations updated.
03-20-2018 08:23 AM
Different IP pools are preferred (this helps routing from the main site).
Different URLs for portal and gateway are preferred (as you have 4 gateways and only 1 portal).
Check out @Mick_Ball's solution, as that will help set 'priority' for the gateways differently from my proposal (I was not aware this was possible; we all learn new things).