We have multiple gateways in our environment. Our default agent profile has always on configured. Users are balanced across the gateways.
We have a troubleshooting profile that gives users the option to disconnect and choose to try and switch to a different gateway.
My question is that I would like to configure a profile that is always on but gives the user the option to switch gateways but does not give the option to disable/disconnect from VPN.
Is this possible? If so how?
The reason for this is if users get on to a gateway that doesn't work well for them for whatever reason, they are hitting refresh multiple times until they eventually get to a gateway that works better for them geographically.
Configuration: 'Allow user to disconnect GlobalProtect App (Always-on mode)'
This is currently set to Disallow.
The Troubleshooting profile has this set to 'allow with comments'.
The ability to choose the gateway seems to be a side effect of allowing it to be disabled.
I don't want to allow disconnect, however, I do want to allow the option shown below to choose a gateway, but I do not see that as an option in the list of configuration items in this area of the config.
Images while connected to the troubleshooting profile:
This is what the normal user agent profile looks like. The Gateway selection is not shown, nor is the disable option:
Hi @StephenGilder ,
If you want the user to manually select a gateway, you change the Network > GlobalProtect > Portals > [edit portal] > Agent > [edit config] > External > [edit gateway] > Priority > Manual only.
You can combine Manual-only with Always On but GP will not connect until the user selects a gateway. https://docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/globalprotect-quick-configs/....
I am curious if that combination allows the user to switch gateways after they connect. Would you mind testing?
I think you might be on to something! Looking at the existing troubleshooting profile, the manual box is checked for all of the gateways. I was not aware of the setting:
I've cloned the default profile that most users hit and have put just my login on there.
I've now added that manual check box to all the gateways and it looks like that did achieve the goal of giving the option to choose manually without giving the option to disconnect.
I will have to do some more testing to confirm whether or not it truly does stay always on, but I think it will since we have pre-login connections enabled.
Yes. The VPN comes on automatically when the computer boots up and I log in, and once connected to whatever gateway gets picked based on priority, I am able to hit the drop-down and choose a different gateway to connect to.
Works exactly like what I was looking to do.
Thank you very much for pointing me in the right direction!