Multiple GlobalProtect gateways on same firewall- ASA to Palo migration
Showing results for 
Search instead for 
Did you mean: 

Multiple GlobalProtect gateways on same firewall- ASA to Palo migration

L0 Member

Hello there,


I am working on a migration- ASA to Palo. ASA has muliple remote access vpn's setup - all terminating on outside interface ip address. For example, a RA vpn for employees - authenticating against AD, another for contractors- user accounts created locally on ASA. The IP Pool is different in call instances.


Now, I want to create a like for like RA vpn setup on Palo. I understand I can use physical interface public ip address for my portal and 1st gateway.


Question: what about the second gateway? can it be created utilizing the same public ip address so that whether it's an employee or contractor- they all connect to the same public IP address- and depending on how they authenticate they get different access? I will need multiple gateways so as to define 1. first gateway- authenticate via AD, second via LOCAL accounts created on the firewall. Apologies, I am somewhat new to Palo Alto firewalls and this is my 1st projet.


L3 Networker

From the above description i understand that you only want to use multiple gateway so that you can have different authentication profile for different users


If  you have used one ip adderss as your gateway you  will not be able to call the same ip address again to create a gateway again.


# One solution for your requirement is to use Authentication Sequence.


# Call multiple auth profile in authentication sequence and call this auth sequen under your gateway( in place of auth profile )


some details for auth sequence 


In some environments, user accounts reside in multiple directories (for example, local database, LDAP, and RADIUS). An authentication sequence is a set of authentication profiles that the Palo Alto Networks device tries to use for authenticating users when they log in. The device tries the profiles sequentially from the top of the list to the bottom—applying the authentication, Kerberos single sign-on, allows list, and account lockout values for each—until one profile successfully authenticates the user. The device only denies access if all profiles in the sequence fail to authenticate. 


I hope this may fulfil you requirements 


Thank You



I think the best way to solve this problem would be to have multiple client configurations but only use 1 portal and 1 gateway.


I have grabbed a few screenshots of a simple configuration for you to take a look at below, you can control access based on users & groups in your policies.


gp portal config.pnggp gateway config.png

hope this helps,


Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!