10-25-2025 12:14 AM
Hello,
As per the PA document -
GlobalProtect uses a network discovery method to select the best available gateway from the available multiple gateway options. GlobalProtect attempts to communicate with all the gateways and uses criteria such as gateway priority, load, and response time from the gateway to determine the best available gateway to connect.
Can someone clarify which load is checked—endpoint load (CPU, etc.) or gateway firewall load (CPU, utilization, etc.)?
10-31-2025 08:59 AM
Hi @VivekMs ,
The goal is to prevent a client from connecting to a gateway that is already near its maximum concurrent tunnel limit or is under heavy processing strain.
The most critical metrics typically considered include:
- Session Capacity/Utilization: The percentage of its licensed VPN tunnel capacity that the gateway is currently using (e.g., if it has a max of 2,000 tunnels and is currently handling 1,800, its load is high).
- System Health: While not strictly "load," the gateway's overall health and ability to respond to requests are factored in, often via response time. High CPU or session utilization on the firewall's data or control plane can lead to a longer response time, which is the primary and most measurable factor.
Hope this helps,
-Kim.

