This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Multiple global protect portals and gateway

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Multiple global protect portals and gateway

Matteo
L1 Bithead

‎03-17-2020 12:45 PM - edited ‎03-22-2020 03:03 PM

Hello, 

we have 2 palo 850 with 2 isp:

primary 1.1.1.1/28 

backup  2.2.2.2/28

most of the zones navigate with the primary and few with the backup

We have a failover to the backup in case the primary isp goes down.

We have globalprotect portal and gateway with a loopback interface all on the primary (1.1.1.5/32)  vpn.domain.it

This days we are all smartworking because of the global pandemie ,conected via the global protect client .

Our concern is that if the primary isp goes down we have to suspend our smartworking because we can not connect anymore .I read the discussions and documentation on multiple isp globalprotect configuration faillover and all talk about configuring 2 VR and i must say that they are too complicated for my level of knowledge and i don't want to mess up the actual working configuration. 

In order to solve the problem i tryed to clone the portal gateway and loopback on the backup isp(2.2.2.5/32)vpn2.domain.it, but it doesn't work. I see the requests in allow but aged-out. Where am i wrong? Is it possible to have a seccond globalprotect vpn gateway?

 

 

1 person had this problem.
3 REPLIES 3

Matteo
L1 Bithead

‎03-18-2020 06:13 PM

So after hours  of tests i ended up with this problem. I configured and test The solution of using 2 virtual router( i can connect with Globalprotect client) but i have The problem that alll routes are on The first VR so i cant  reach my lan. I backend up and restore The configurații with one router but în this case it has 2 0.0.0.0/0 routes for each ISP controlled by metric so i think it only works when The primary ISP goes down. I Reed somethig about dynamic routing and ospf but i cant understand how to make it work.

0 Likes Likes

PaulStein
L0 Member
In response to Matteo

‎06-02-2020 01:21 PM

Just pass the traffic from one vr to the other.  IE Subnet x.x.x.x/xx is on VR1.  You just have to be sure to pass the traffic back to the other VR for the return.

0 Likes Likes

jdelio
L7 Applicator
In response to PaulStein

‎03-04-2021 01:42 PM

Just to let everyone know that a Blog has been written about this subject here:

https://live.paloaltonetworks.com/t5/blogs/multiple-globalprotect-portals-and-gateways/ba-p/360452

 

Please be sure to check it out.

LIVEcommunity team member
Stay Secure,
Joe
Don't forget to Like items if a post is helpful to you!
0 Likes Likes
  • 7779 Views
  • 3 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks