This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Buy or Renew
Buy or Renew

Adding PA DR site globalprotect SSL-VPN gateway

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Adding PA DR site globalprotect SSL-VPN gateway

MRamadanAHafiez
L4 Transporter

‎11-05-2025 11:55 PM - edited ‎11-05-2025 11:56 PM

Hello Team,

              Currently we are duscussing adding a DR site for our network.

currently in the main datacenter we have globalprotect SSL-VPN configured.

and now we are about to add a new PA-1410 in the DR site, and also configuring the Gateway for our employees.

now we will have 2 portal IPs, the main and the DR one.

Is there a way to make it automatic switching between the clients installed globalprotect to switch from the main site IP and connect to the DR globalprotect IP in case the main site was not responding "DR site active now". and vice versa, to connect to the main GP IP when it respored back running?.

TIA

MR
0 Likes Likes
3 REPLIES 3

reaper
Cyber Elite
Cyber Elite

‎11-06-2025 12:59 AM - edited ‎11-06-2025 01:01 AM

you don't need to add a portal component to the DR site necessarily. Clients will retain their configuration if the portal is down so they'll be able to connect to the DR gateway if the main gateway is down.

You can set up the main gateway with highest priority and the DR site gateway with lowest priority so clients only connect to the DR when the primary is unavailable

 

if you want to be able to run a portal on the DR; you can configure it to be an exact copy of the main portal and change the DNS A record in case of extended outage

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
0 Likes Likes

MRamadanAHafiez
L4 Transporter
In response to reaper

‎11-06-2025 05:52 AM - edited ‎11-06-2025 05:57 AM

then the idea is configuring the main site "the currently working now with the current fqdn and IP x.x.x.x" and configuring the DR site with fully configured portal but for sure with another fqdn and IP y.y.y.y address and add both to the globalprotect at the client, and in case of main site failure "totally unreachable", then it will automatically connect to the lower priority portal "DR".

if I got ur point right, how to configure this priority in the panos? 

--------------------------Adding-------------------

I have found the option to change the priority now, but it seems that this is portal config option, not option that will affect the client performnce "choosing the higher priority then failing to the DR if not available.

MR
0 Likes Likes

reaper
Cyber Elite
Cyber Elite
In response to MRamadanAHafiez

‎11-14-2025 05:14 AM

no, that is not how portals in GlobalProtect work unfortunately, each portal is considered a standalone entity. only gateways can be set up to have preference

 

reaper_0-1763126041919.png

 

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
  • 306 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2025 - Palo Alto Networks