easiest way to move users to 2nd gateway for maintenance on 1st

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

easiest way to move users to 2nd gateway for maintenance on 1st

L3 Networker

We have an Azure implementation of Palo Alto/GlobalProtect.

We use an Azure LoadBalancer point to 2 Palo Alto firewalls for GP portal connectivity.

Then based on the received config we send the user to the direct interface address of one of the 2 firewalls for gateway connectivity.

No HA, no failover. 

What would be the easiest way to have users connect only or migrate to the 2nd gateway ?

I know i can change portal configuration but that does not immediately move users to the second.

Also i can not set the portal/gateway in "maintenance".

How do you guys solve handle this ?

5 REPLIES 5

Cyber Elite
Cyber Elite

The easiest way is simply shutting the gateway down

GlobalProtect will automatically fail over to the other gateway

 

Alternatively if there is time to prepare you could set the config refresh time very short and when the day comes just remove one gateway and wait for the config refresh to force everyone over

 

 

Tom Piens
PANgurus - (co)managed services and consultancy

Hi, 

 

shutting down is breaking a users connectivity so not the cleanest option in my opinion.

The second, set the config refresh time... When connected to a gateway and the config changes, will the gateway switch ?

Or only at connection setup ?

I just set the gateway tunnel to max user 1, this allows existing connections to carry on but new connections will be denied and forced to next gateway.

 

we have about 8k user base so upsetting 1 user is a low percentage.  you can be really clever and set the timeout to 20 days, connect yourself and stop GP service, then reduce timeout back to normal so you will be the last connected...   prob not worth the hassle though for 1 user, especially if it's someone you can't bear...    Djagetme......

Setting the gateway to max 1, when will existing users be connected to the other gateway? 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!