Giving users the ability to select a different gateway

L1 Bithead

We have multiple gateways in our environment. Our default agent profile has always on configured. Users are balanced across the gateways.

We have a troubleshooting profile that gives users the option to disconnect and choose to try and switch to a different gateway.
My question is that I would like to configure a profile that is always on but gives the user the option to switch gateways but does not give the option to disable/disconnect from VPN.
Is this possible? If so how?


The reason for this is if users get on to a gateway that doesn't work well for them for whatever reason, they are hitting refresh multiple times until they eventually get to a gateway that works better for them geographically.

Network->Global Protect->Portals->Agent->App->
Configuration: 'Allow user to disconnect GlobalProtect App (Always-on mode)'
This is currently set to Disallow.
The Troubleshooting profile has this set to 'allow with comments'
The ability to choose the gateway seems to be a side effect of allowing it to be disabled.
I don't want to allow disconnect, however, I do want to allow the option shown below to choose a gateway, but I do not see that as an option in the list of configuration items in this area of the config.
Images while connected to the troubleshooting profile:

StephenGilder_0-1685048856353.png

 

StephenGilder_2-1685049001421.png

This is what the normal user agent profile looks like. The Gateway selection is not shown, nor is the disable option:

StephenGilder_3-1685049646305.png

 

Accepted Solutions

I looked a little closer at the link you provided. The 'Manual Only' you mentioned is for the Priority (in blue). However, what I found was a check box that lets the user manually select a gateway. That option appears to be the one I needed (in yellow).

StephenGilder_3-1685054653129.png

 


5 REPLIES

Cyber Elite

Hi @StephenGilder,

 

If you want the user to manually select a gateway, you change the Network > GlobalProtect > Portals > [edit portal] > Agent > [edit config] > External > [edit gateway] > Priority > Manual only.

 

You can combine Manual-only with Always On but GP will not connect until the user selects a gateway.  https://docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/globalprotect-quick-configs/....

 

I am curious if that combination allows the user to switch gateways after they connect.  Would you mind testing?

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

I think you might be on to something! Looking at the existing troubleshooting profile, the manual box is checked for all of the gateways. I was not aware of the setting:

StephenGilder_0-1685052944859.png

I've cloned the default profile that most users hit and have put just my login on there.
I've now added that manual check box to all the gateways, and it looks like that did achieve the goal of giving the option to choose manually without giving the option to disconnect.

StephenGilder_2-1685054251797.png

I will have to do some more testing to confirm whether or not it truly does stay always on, but I think it will since we have pre-login connections enabled.

 

Cyber Elite

Excellent!  Thank you for the clarification.

 

Are you able to switch gateways once connected?

Help the community: Like helpful comments and mark solutions.

Yes. The VPN comes on automatically when the computer boots up and I log in, and once connected to whatever gateway gets picked based on priority, I am able to hit the drop-down and choose a different gateway to connect to.
Works exactly like what I was looking to do.
Thank you very much for pointing me in the right direction!
