Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Global Protect Pre-logon load balancing across 2 separate PA5020s

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Global Protect Pre-logon load balancing across 2 separate PA5020s

HI, We currently have DNS round robin configured for our on-demand GP connections across 2 separate locations which host different PA5020 firewalls. We have a public A record pointing to both public firewall IPs and the clients then connect to either gateway location dependent on which IP they resolve at that time. this works fine for the on-demand connection method however I'm having issues using this approach for the pre-logon connection method. once the client has authenticated to one location it then appears to cache the gateway so every subsequent logon attempt forces the connection back to the gateway it has cached. i assume this is when it adds the portal value in the registry so on the windows logon it just uses the same portal address. 

is there a way to dynamically load balance this GP pre-logon connection. 

3 REPLIES 3

Cyber Elite
Cyber Elite

@Gurminder_Birdee,

Pre-logon, at least in my experience, has been pretty "sticky" when it comes to which portal it connects to due to that registry value. However this generally wouldn't be a big issue, because you would do the gateway selection at the portal level instead of doing the DNS round robin that you have configured at the moment. 

Hi @BPry  thanks for your response, the issue with carrying out gateway selection at the portal level is say for example that "Portal A" is unreachable due to internet issues, how can you re-direct users to connect to Gateway B ? we've overcome this issue by using DNS round robin for the on demand connection method as previously mentioned. 

L0 Member

Hello,

 

We are using an A-P pair of FWs and keep portal on them.

If one FWs fail then there's the other and if both FWs fail then there's the cached portal credentials.

 

Behind the portal sit several gateways.

 

Hope it helps!

  • 3919 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!