
Global Protect Gateway Priority Question


L3 Networker

I see that the gateway priority options are Highest, High, Medium, Low and Lowest.

The articles I'm seeing on this property mostly have to do with regions. But in my case I'm just trying to influence more traffic to another gateway. And if that second gateway is not available, say due to having all of its licenses in use, I then want it to choose another gateway. Would this be affected by having the preferred gateway with Highest priority and the spillover gateway with a High priority? Or would the spillover gateway have a Low priority? Insight appreciated.


Accepted Solutions

L6 Presenter

Theoretically yes, I think (but not sure) that having no connections left would count as a gateway error, the same as being unreachable. The GP client would try to connect to the Highest priority gateway, find that it can't connect, and then go to the High priority gateway to try and connect.

 

However... For the initial gateway selection with a small number of gateways with roughly equal latency, there are effectively only 2 selections that guarantee one gateway gets chosen over the other in non-error conditions: Highest/High/Medium or Low/Lowest. This is because of the way the selection algorithm works. The Highest/High/Medium gateways are all lumped together and a latency check to each is performed (assuming in the correct region). The average latency to all is calculated and those gateways over the average are temporarily excluded. The Highest/High/Medium priorities are then applied to the remaining gateways and connections attempted to each in order of priority. If none of the chosen initial gateways are reachable, then the excluded gateways and Low/Lowest are attempted in order of priority.

 

For example, if you have 2 gateways, one set to Highest and the second set to Medium, with roughly equal latency, then the first connection attempt is always whichever gateway has a lower latency at the moment (because the slightly higher latency gateway is greater than the average latency). In order to force the priority one has to be in the Highest/High/Medium group, and the second in the Low/Lowest group.

 

This can lead to some non-ideal or unexpected gateway connection ordering when dealing with gateways that have similar latency (where the difference between them is mostly determined by measurement jitter).

 

Ideal gateway selection:

Gateway  Priority  Latency  Note
gw1      Highest   50ms
gw2      High      60ms
gw3      Medium    75ms     initially excluded
gw4      Low       100ms
gw5      Lowest    150ms

    Highest-Medium average latency = 62ms, Gateway connection order (gw1 -> gw2) -> (gw3 -> gw4 -> gw5)

Ideal 2 gateway selection:

Gateway  Priority  Latency  Note
gw1      Highest   50ms
gw2      Medium    60ms     initially excluded

    Highest-Medium average latency = 55ms, Gateway connection order (gw1) -> (gw2)

Unexpected 2 gateway selection due to latency:

Gateway  Priority  Latency  Note
gw1      Highest   60ms     initially excluded
gw2      Medium    50ms

    Highest-Medium average latency = 55ms, Gateway connection order (gw2) -> (gw1)

Forcing 2 gateway selection regardless of latency:

Gateway  Priority  Latency  Note
gw1      Highest   60ms
gw2      Low       50ms

    Highest-Medium average latency = 60ms, Gateway connection order (gw1) -> (gw2)

Unexpected 5 gateway selection with normally high priority gateways experiencing high latency:

Gateway  Priority  Latency  Note
gw1      Highest   120ms    initially excluded
gw2      High      90ms     initially excluded
gw3      Medium    50ms
gw4      Low       30ms
gw5      Lowest    35ms

    Highest-Medium average latency = 87ms, Gateway connection order (gw3) -> (gw1 -> gw2 -> gw4 -> gw5)
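The selection behaviour described in the answer above, written out as an added Python example so the tables can be reproduced and the asker's spillover case checked. This is not code from the answerer or from the GlobalProtect client; the client's real implementation is not on this page. It assumes, as the 60ms/60ms table implies, that a gateway exactly at the average latency is kept rather than excluded; that ties within one priority are broken by latency and then name; and, following the answer's own guess, that a gateway with no licenses left behaves like an unreachable one.

```python
from dataclasses import dataclass
from statistics import mean

# Priority rank used for ordering: lower number is tried earlier.
PRIORITY_RANK = {"Highest": 0, "High": 1, "Medium": 2, "Low": 3, "Lowest": 4}
# The three priorities the client probes and averages together on the first pass.
PREFERRED_GROUP = {"Highest", "High", "Medium"}


@dataclass(frozen=True)
class Gateway:
    name: str
    priority: str
    latency_ms: float  # measured latency at selection time


def _by_priority(gateways):
    # Order by priority; ties broken by latency, then name (tie-break is an assumption).
    return sorted(gateways, key=lambda g: (PRIORITY_RANK[g.priority], g.latency_ms, g.name))


def connection_order(gateways):
    """Return (first_pass, fallback, average_ms), the passes as lists of gateway names.

    first_pass: Highest/High/Medium gateways at or below the group's average latency,
                in priority order.
    fallback:   gateways excluded by the latency filter plus Low/Lowest, in priority
                order; tried only if nothing in first_pass connects.
    """
    preferred = [g for g in gateways if g.priority in PREFERRED_GROUP]
    low_group = [g for g in gateways if g.priority not in PREFERRED_GROUP]
    if not preferred:
        return [], [g.name for g in _by_priority(low_group)], None
    avg = mean(g.latency_ms for g in preferred)
    # Assumption: a gateway exactly at the average is kept (matches the 60ms/60ms table).
    kept = [g for g in preferred if g.latency_ms <= avg]
    excluded = [g for g in preferred if g.latency_ms > avg]
    return ([g.name for g in _by_priority(kept)],
            [g.name for g in _by_priority(excluded + low_group)],
            avg)


def select_gateway(gateways, unreachable=frozenset()):
    """Walk the connection order and return the first gateway that accepts the connection.

    `unreachable` models gateways that return an error; per the answer's assumption this
    also stands in for a gateway whose licenses are all in use.
    """
    first_pass, fallback, _ = connection_order(gateways)
    for name in first_pass + fallback:
        if name not in unreachable:
            return name
    return None


# Constructed scenarios mirroring the tables in the answer.
IDEAL_FIVE = [
    Gateway("gw1", "Highest", 50), Gateway("gw2", "High", 60), Gateway("gw3", "Medium", 75),
    Gateway("gw4", "Low", 100), Gateway("gw5", "Lowest", 150),
]
UNEXPECTED_TWO = [Gateway("gw1", "Highest", 60), Gateway("gw2", "Medium", 50)]
FORCED_TWO = [Gateway("gw1", "Highest", 60), Gateway("gw2", "Low", 50)]
UNEXPECTED_FIVE = [
    Gateway("gw1", "Highest", 120), Gateway("gw2", "High", 90), Gateway("gw3", "Medium", 50),
    Gateway("gw4", "Low", 30), Gateway("gw5", "Lowest", 35),
]


if __name__ == "__main__":
    for label, gws in [("ideal 5", IDEAL_FIVE), ("unexpected 2", UNEXPECTED_TWO),
                       ("forced 2", FORCED_TWO), ("unexpected 5", UNEXPECTED_FIVE)]:
        first, fallback, avg = connection_order(gws)
        print(f"{label}: avg={avg:.0f}ms  {first} -> {fallback}")
    # The asker's spillover case: preferred gateway out of licenses, spillover on Low.
    print("forced 2 with gw1 full:", select_gateway(FORCED_TWO, unreachable={"gw1"}))
```

Running it reproduces the orders in the tables, and the last line shows why the Low/Lowest placement answers the question: with the spillover gateway on Low, the preferred gateway is always attempted first whatever the latency jitter, and the spillover is reached only when the preferred gateway fails to connect.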

 
