This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Giving users the ability to select a different gateway

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Giving users the ability to select a different gateway

Go to solution
StephenGilder
L1 Bithead

‎05-25-2023 02:22 PM

We have multiple gateways in our environment. Our default agent profile has always on configured. Users are balanced across the gateways.

We have a troubleshooting profile that gives users the option to disconnect and choose to try and switch to a different gateway.
My question is that I would like to configure a profile that is always on but gives the user the option to switch gateways but does not give the option to disable/disconnect from VPN.
Is this possible? If so how?


The reason for this is if users get on to a gateway that doesn't work well for them for what ever reason, they are hitting refresh multiple times until they eventually get to a gateway that works better for them geographically.

Network->Global Protect->Portals->Agent->App->
Configuration: 'Allow user to disconnect GlobalProtect App (Always-on mode)'
This is currently set to Disallow.
The Troubleshooting profile has this set to 'allow with comments'
The ability to choose the gateway seems to be a side effect of allowing it to be disabled.
I don't want to allow disconnect, however, I do want to allow the option shown below to choose a gateway, but I do not see that as an option in the list of configuration items in this area of the config.
Images while connected to the troubleshooting profile:

StephenGilder_0-1685048856353.png

 

StephenGilder_2-1685049001421.png

This is what the normal user agent profile looks like. The Gateway selection is not shown, nor is the disable option:

StephenGilder_3-1685049646305.png

 

0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
StephenGilder
L1 Bithead
In response to TomYoung

‎05-25-2023 03:44 PM

I looked a little closer at the link you provided. The 'Manual Only' you mentioned is for the Priority.(in blue)  However, what I found was a check box that lets the user manually select a gateway. That option appears to be the one I needed (In Yellow)

StephenGilder_3-1685054653129.png

 

View solution in original post

0 Likes Likes
5 REPLIES 5

Go to solution
TomYoung
Cyber Elite
Cyber Elite

‎05-25-2023 02:45 PM

Hi @StephenGilder ,

 

If you want the user to manually select a gateway, you change the Network > GlobalProtect > Portals > [edit portal] > Agent > [edit config] > External > [edit gateway] > Priority > Manual only.

 

You can combine Manual-only with Always On but GP will not connect until the user selects a gateway.  https://docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/globalprotect-quick-configs/....

 

I am curious if that combination allows the user to switch gateways after they connect.  Would you mind testing?

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.
0 Likes Likes

Go to solution
StephenGilder
L1 Bithead
In response to TomYoung

‎05-25-2023 03:39 PM

I think you might be on to something! Looking at the existing troubleshooting profile, the manual box is checked for all of the gateways. I was not aware of the setting:

StephenGilder_0-1685052944859.png

I've cloned the default profile that most users hit and have put just my login on there.
I've now added that manual check box to all the gateways and looks like that did achieve the goal of giving the option to choose manually with out giving the option to disconnect.

StephenGilder_2-1685054251797.png

I will have to do some more testing to confirm whether or not it truly does stay always on, but I think it will since we have pre-login  connections enabled.

0 Likes Likes

Go to solution
StephenGilder
L1 Bithead
In response to TomYoung

‎05-25-2023 03:44 PM

I looked a little closer at the link you provided. The 'Manual Only' you mentioned is for the Priority.(in blue)  However, what I found was a check box that lets the user manually select a gateway. That option appears to be the one I needed (In Yellow)

StephenGilder_3-1685054653129.png

 

0 Likes Likes

Go to solution
TomYoung
Cyber Elite
Cyber Elite

‎05-25-2023 03:55 PM

Excellent!  Thank you for the clarification.

 

Are you able to switch gateways once connected?

Help the community: Like helpful comments and mark solutions.
0 Likes Likes

Go to solution
StephenGilder
L1 Bithead
In response to TomYoung

‎05-25-2023 04:06 PM

Yes. The VPN comes on automatically when the computer boots up and I login and once connected to what ever gateway gets picked based on priority, I am able to hit the drop down and choose a different gateway to connect to.
Works exactly like what I was looking to do.
Thank You very much for pointing me in the right direction!

  • 1 accepted solution
  • 3344 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks