Global Protect Force Gateway Selection

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Global Protect Force Gateway Selection

L1 Bithead

I am trying to set up GlobalProtect and am having issues with client gateway selection.

 

I have a single portal and will have two gateways set up. One uses SAML auth (general users) and the other one uses DUO auth (for the IT dept).  Both are set to be on-demand.

 

I want all users to be presented with both gateways initially, and then clients will be able to set the preferred gateway themselves.  Currently, it's connecting to the portal but then automatically selecting the best gateway, which I don't want.

 

I've yet to find a concrete answer on how to set the option to force manual gateway selection within the firewall.

 

Running GlobalProtect v6.0.1-19 if that helps.

 

Thanks for any insights.

 

2 accepted solutions

Accepted Solutions

L6 Presenter

Have you selected "Manual" in the gateway config? Under the Portal config, Agent, External Gateways, there is a checkbox at the bottom of each gateway config - "Manual (The user can manually select this gateway)". This allows the end user to manually select that gateway as a preferred gateway.

 

After connecting with the GP client, the end user can manually select a preferred gateway. The next time the user connects the GP client, the client will try to connect to the preferred gateway first (if the portal config still allows). I don't know of anyway to force the client to manually choose a gateway when first connecting.

View solution in original post

@Adrian_Jensen I was able to fix it.  You were very close.  I had seen that checkbox with 'Manual (the user can manually select this gateway' and had checked it near the beginning of my troubleshooting. 

 

On that same window you specified in your post, you have to specify the 'Source Region' and once you select it, it adds that entry to the list.  Once it's been created, there is a dropdown box name 'Priority' and that's where you can change it.  You have options from 'Highest' to 'Lowest' and one option is 'Manual only'

 

I set it to Manual Only and now I'm prompted for it when connecting to the portal.  Not the most intuitive place, when the exact wording is included in another checkbox on the same page, but it is what it is.

 

Thanks again for your help.

View solution in original post

6 REPLIES 6

Cyber Elite
Cyber Elite

Hi @Brian_Shoemaker ,

 

It looks like you can do it -> https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PPUdCAO.  The client will need to set the preferred gateway prior to connecting.

 

That option does not show up on my GP client.  I assume it is because I only have 1 gateway configured.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

L1 Bithead

I've read that article and it exp how to set a preferred gateway in the client.  The problem is that the end users are never prompted to specify a Gateway of choice in the first place.  Once they authenticate to the portal, they aren't given an option.

It is set to allow users to select their Gateway On-Demand, but instead, it just connects directly to the first gateway.

 

This is from the article about setting a preferred gateway, but it's actually the behavior I want - to have them prompted each time.

  • Before this feature in place, if users need to connect to a specific gateway to access certain resources or connect from a particular geographical location, they must manually switch to that gateway each time they establish the GlobalProtect connection. With this enhancement, users can now automatically connect to a preferred gateway regardless of priority and response time.

L6 Presenter

Have you selected "Manual" in the gateway config? Under the Portal config, Agent, External Gateways, there is a checkbox at the bottom of each gateway config - "Manual (The user can manually select this gateway)". This allows the end user to manually select that gateway as a preferred gateway.

 

After connecting with the GP client, the end user can manually select a preferred gateway. The next time the user connects the GP client, the client will try to connect to the preferred gateway first (if the portal config still allows). I don't know of anyway to force the client to manually choose a gateway when first connecting.

@Adrian_Jensen I was able to fix it.  You were very close.  I had seen that checkbox with 'Manual (the user can manually select this gateway' and had checked it near the beginning of my troubleshooting. 

 

On that same window you specified in your post, you have to specify the 'Source Region' and once you select it, it adds that entry to the list.  Once it's been created, there is a dropdown box name 'Priority' and that's where you can change it.  You have options from 'Highest' to 'Lowest' and one option is 'Manual only'

 

I set it to Manual Only and now I'm prompted for it when connecting to the portal.  Not the most intuitive place, when the exact wording is included in another checkbox on the same page, but it is what it is.

 

Thanks again for your help.

L6 Presenter

Interesting. I had forgotten that there was a "Manual only" option was buried under the gateway Priority setting. And even so I would have expected it to only make it an option in the GP client (i.e. in On-Demand mode, etc.). So when any one gateway is set to "Manual only" it prompts you in Always-On mode? Or only when all gateways are set to manual?

L1 Bithead

Everything discussed here is within the Portal section (versus Gateway) of GlobalProtect.  It looks like it uses a client authentication for the initial portal authentication.  Then it chooses/loads the Agent configuration based upon user identification/authorization, leveraging local user db/LDAP Security Group/etc.

 

Whatever user group that user is a part of dictates which Agent config will load.  Within that Agent config for that particular group, it will list the gateways available to choose from and specify if the user can manually choose their gateway or if it will automatically select one. You can move the Agent configurations up or down in the list.

 

So you can choose which user identification it will use first, based on the first group match.  If I'm part of a VPN Users AD security group, but I am also a part of an IT Services group that has another gateway providing greater network access, I can move the IT Services to the top, so my authentication hits that match first and I get the IT Services gateway vs the VPN Users gateway, which would be a group that would have more limited access.

 

Here is a screenshot where I had to change Priority to Manual Only - even though On-Demand is checked at the bottom, the Priority supersedes that checkbox.  So unless both places are set to Manual it will automatically try to choose the highest priority gateway.

 

2022-07-27 12_50_44-SCASD-5250b.png

 

  • 2 accepted solutions
  • 10050 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!