02-03-2021 01:07 AM
Hi All,
We have been experiencing some odd behavior with our Global Protect Client VPN and I wanted to better understand what our design should look like and if we had conflict somewhere.
Our organisation currently uses Azure Traffic Manager to distribute requests for vpn.organisation.com to geographically separated Palo Alto gateways (based on a priority setting in Azure rather than geo).
We have 3 external gateways configured:
External Gateway 1 - europe-vpn.organisation.com
External Gateway 2 - australia1-vpn.organisation.com
External Gateway 3 - australia2-vpn.organisation.com
I have been investigating each of the 3 external gateways' configuration and noticed the following:
GlobalProtect Portal Configuration --> Agent --> Configs
Each site appears to have 2 x external gateways configured, for example:
External Gateway 1
europe-vpn.organisation.com
vpn.organisation.com
External Gateway 2
australia1-vpn.organisation.com
vpn.organisation.com
External Gateway 3
australia2-vpn.organisation.com
vpn.organisation.com
Ultimately my question is as follows:
Will using Azure Traffic Manager, along with each external gateway having the configuration described above, cause a conflict in the way that the gateways operate?
I suspect that the individual external gateways 1/2/3 are using their own selection criteria and conflicting with what Azure Traffic Manager is doing.
From some positive testing results, it looks like the external gateways 1/2/3 only need to have themselves configured so that the Azure Traffic Manager can do what it's supposed to do.
Thanks in advance for any advice, if I haven't explained clearly enough, please let me know.
11-11-2021 09:49 AM
Hi David,
Did you manage to resolve the issue? I have the same situation.
11-14-2021 06:37 PM
Hey mate,
Yes, we did actually. It turns out that using ATM was not the issue. For each of our external gateways, we ended up specifying only the gateway itself as a gateway. As far as I know, that means they aren't aware of the other external gateways in our environment, allowing ATM to handle the decision making effectively.
When a client hits "vpn.organisation.com" in Azure Traffic Manager, it redirects the request to the relevant External Gateway (europe-vpn.organisation.com, australia1-vpn.organisation.com or australia2-vpn.organisation.com) based on our selection criteria. We haven't had any issues with this so far and fail-over has been tested.
I think when I posted this query I was having issues with the GP client "stealing focus" and trying to find gateways whilst on a corporate network... That side of the issue was solved by enabling "Internal Host Detection". That enables the GP client to figure out it's on a corp/internal network and chill out.
Hope this helps.
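The design the thread settles on can be checked mechanically: each site's portal agent config should hand out only that site's own gateway, and the Traffic Manager name should never appear as a gateway entry, because a client that selects it can be sent to whichever site the load balancer currently prefers. The script below is an added illustration, not code from the thread, from Palo Alto Networks or from Microsoft. The gateway lists, the priority order and the health states are constructed, and `resolve()` is a simplified model of Traffic Manager priority routing (first healthy endpoint wins) rather than the real service; the config structure is an assumed plain-dict representation, not the PAN-OS XML schema.

```python
"""Lint GlobalProtect portal gateway lists against a DNS traffic-manager design.

Added example. All data here is constructed; the routing and client-selection
rules are a simplified model, not PAN-OS or Azure Traffic Manager behaviour.
"""

TM_FQDN = "vpn.organisation.com"  # the load-balanced name clients connect to

# Assumed Traffic Manager "priority" routing order (constructed).
TM_PRIORITY = [
    "europe-vpn.organisation.com",
    "australia1-vpn.organisation.com",
    "australia2-vpn.organisation.com",
]

# Portal agent config per site, as the thread describes it at first: each site
# lists itself AND the traffic-manager name (constructed dict representation).
BEFORE = {
    "europe-vpn.organisation.com": ["europe-vpn.organisation.com", TM_FQDN],
    "australia1-vpn.organisation.com": ["australia1-vpn.organisation.com", TM_FQDN],
    "australia2-vpn.organisation.com": ["australia2-vpn.organisation.com", TM_FQDN],
}

# The layout the thread settles on: each site lists only itself.
AFTER = {site: [site] for site in BEFORE}


def resolve(name, healthy, priority=TM_PRIORITY, tm_fqdn=TM_FQDN):
    """Model DNS resolution: the traffic-manager name goes to the first healthy
    endpoint in priority order; any other name resolves to itself."""
    if name != tm_fqdn:
        return name
    for gateway in priority:
        if gateway in healthy:
            return gateway
    raise LookupError(f"no healthy endpoint behind {tm_fqdn}")


def lint_portal(configs, tm_fqdn=TM_FQDN):
    """Return (site, problem) pairs for gateway lists that fight the load balancer."""
    findings = []
    for site, gateways in configs.items():
        if site not in gateways:
            findings.append((site, "gateway list does not include the site itself"))
        if tm_fqdn in gateways:
            findings.append((site, f"gateway list includes the traffic-manager name {tm_fqdn}"))
        for dup in sorted({g for g in gateways if gateways.count(g) > 1}):
            findings.append((site, f"duplicate gateway entry {dup}"))
    return findings


def reachable_sites(configs, healthy, priority=TM_PRIORITY, tm_fqdn=TM_FQDN):
    """For each site's portal, the sites a client could end up on.

    Simplified model: the client may pick any entry in the list it was handed,
    so the result is every name in the list after resolution.
    """
    return {
        site: sorted({resolve(g, healthy, priority, tm_fqdn) for g in gateways})
        for site, gateways in configs.items()
    }


if __name__ == "__main__":
    all_up = set(TM_PRIORITY)
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(f"== {label} ==")
        for site, problem in lint_portal(cfg):
            print(f"  {site}: {problem}")
        for site, targets in reachable_sites(cfg, all_up).items():
            print(f"  {site} -> {targets}")
    # Failover: with Europe down, the load-balanced name moves to the next site.
    print(resolve(TM_FQDN, healthy=all_up - {"europe-vpn.organisation.com"}))
```

With every endpoint healthy, the "before" layout lets a client that got its gateway list from the Australia portals resolve the traffic-manager entry to Europe, which is exactly the cross-site pull the original poster suspected; the "after" layout keeps each site's clients at that site and leaves all cross-site decisions to the load balancer. The last line shows the failover path the answer says was tested: with the first priority endpoint unhealthy, the shared name resolves to the next one.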