10-10-2018 02:26 AM
We recently (today) configured pre-logon VPN, but have come across what could be a show stopper. As it's currently configured, we have configured:
Gateway > (gateway name) > Authentication > Certificate Profile > (a client cert signed by our infrastructure)
If a machine has this cert installed it now successfully connects via "pre-logon", and once signed into Windows it all works as expected.
If a machine doesn't have this cert installed then "pre-logon" does not work, but additionally they are unable to sign in once in Windows, as they are presented with an error stating the cert is missing.
Is this how it should be configured, or have I missed a step somewhere?
The issue is we have a requirement for some non-domain users/assets to be able to connect to the VPN. As it stands, with the way I have configured pre-logon they can't connect, as the cert is missing.
What is the correct way to resolve this and keep pre-logon?
I was thinking to create a second gateway, on the same interface as the current one, but assign a secondary IP to the interface. I would more or less copy the config from the existing gateway, but not assign a certificate profile to it.
The portal agent config for these external users would then be configured to use the newly created gateway.
Is this how to solve this problem?
10-10-2018 05:58 AM
@welly_59 wrote:
What is the correct way to resolve this and keep pre-logon?
I was thinking to create a second gateway, on the same interface as the current one, but assign a secondary IP to the interface. I would more or less copy the config from the existing gateway, but not assign a certificate profile to it.
The portal agent config for these external users would then be configured to use the newly created gateway.
Is this how to solve this problem?
This should work. This is what I was thinking as well.
10-10-2018 06:40 AM
As @Brandon_Wertz mentioned this would work perfectly fine and accomplish exactly what you are looking to do without issue.
10-10-2018 06:50 AM
Excellent news. While waiting for an answer here though, I have successfully configured it using a loopback interface on the FW (public IP on it, we have loads), and it all works.