03-26-2021 05:47 AM
We have an Azure implementation of Palo Alto/GlobalProtect.
We use an Azure Load Balancer pointing to 2 Palo Alto firewalls for GP portal connectivity.
Then, based on the received config, we send the user to the direct interface address of one of the 2 firewalls for gateway connectivity.
No HA, no failover.
What would be the easiest way to have users connect only to, or migrate to, the 2nd gateway?
I know I can change the portal configuration, but that does not immediately move users to the second.
Also, I cannot set the portal/gateway in "maintenance".
How do you guys handle this?
03-26-2021 05:52 AM
The easiest way is simply shutting the gateway down.
GlobalProtect will automatically fail over to the other gateway.
Alternatively, if there is time to prepare, you could set the config refresh time very short, and when the day comes just remove one gateway and wait for the config refresh to force everyone over.
03-26-2021 05:57 AM
Hi,
Shutting down breaks a user's connectivity, so it's not the cleanest option in my opinion.
The second option, setting the config refresh time... When connected to a gateway and the config changes, will the gateway switch?
Or only at connection setup?
03-26-2021 10:19 AM
I just set the gateway tunnel to max users 1; this allows existing connections to carry on, but new connections will be denied and forced to the next gateway.
We have about an 8k user base, so upsetting 1 user is a low percentage. You can be really clever and set the timeout to 20 days, connect yourself and stop the GP service, then reduce the timeout back to normal so you will be the last connected... Probably not worth the hassle though for 1 user, especially if it's someone you can't bear... Djagetme......
03-31-2021 12:48 AM
Setting the gateway to max 1, when will existing users be connected to the other gateway?
03-31-2021 01:34 AM
They will connect to the other gateway when they make a new connection, or if their existing connection times out, or when you manually log them off from the firewall.
I have tried a few of the other options, and this has been the smoothest and least complicated for our setup. Perhaps not for others...
Removing the gateway from the agent will work as suggested by @reaper, but for us, with users "always on", it's quite surprising how many cannot connect to the portal on startup because Wi-Fi or LAN is not ready; when GP then uses the cached portal config for the connection, it still has the old gateway configured.
But of course... if you need to do this in an emergency, then just shut the gateway down and leave the phone off the hook....