
GlobalProtect gateway limit


L1 Bithead

We have a pair of PA-850 firewalls, and we are running into an error when pushing configuration from Panorama that contains 7 GP gateways (6 external and 1 internal), and 6 portals.

 

. global-protect -> global-protect-gateway -> GlobalProtect AlwaysOn constraints failed : Maximum number of GlobalProtect gateway configuration exceeded

 

The only related documentation I can find is https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClidCAC, which states that the number of "external" gateways for a PA-850 is limited to 12. We have spoken with support, and they insist that the limit is gateway + portal, even though I can continue to add ports and push the config to our PA-850 with no issues, and that it is in direct contradiction with what the published documentation states. I have also tested by deleting 2 portals (4 remaining) and still cannot add a 6th external gateway, with 1 internal gateway.

 

We are getting no help from support, and getting frustrated with the lack of a path to resolution. I can accept it if the gateway limit is indeed 6 (or a combined limit of 12 for gateway + portal), as long as it is stated clearly as such in any published documentation.

 

Has anyone else run into a similar situation?

6 REPLIES 6

L0 Member

Hello Peter,

 

Hope you are doing good.

 

I just wanted to update you that I am checking internally regarding this issue and I am trying to replicate this problem in my lab device.

 

I’ll update you as soon as I have further information.

 

Thank you!

Hi Abahrami,

 

Thank you for looking into this for me. 

 

Peter

L2 Linker

Did you ever get an answer?  I have a case opened today for adding a 7/8th gateway to an 850 running 9.0.12 with the same error message failing.

L1 Bithead

Unfortunately, no. We never got a response/solution out of support. I have tested this again today, and we still have the same limit.

L2 Linker

I'll update you on my case status when I get one.  As of right now, it noted it *should* be fixed in 9.1.11

 

PAN-112175
Fix in 9.1.11 ETA 8/5/21

L2 Linker

Just an update - asked TAC to confirm bugID was correct.

 

Engineering did duplicate it to previously found PAN-112175.
Fix in 9.1.11 ETA 8/5/21

 

No plans to backport to 9.0.x yet. 
