GlobalProtect GW redundancy and preemption

Showing results for 
Show  only  | Search instead for 
Did you mean: 

GlobalProtect GW redundancy and preemption

L1 Bithead

Does anyone know if GW preemption can be achieved with GlobalProtect Agent?

Meaning, that we use primary and secondary GW, whereas secondary GW should be used only in case primary is not reachable.

So far, the failover to secondary GW works perfectly if the primary becomes unreachable, however, as soon the primary becomes available again it doesn't fall back. Primary GW has the highest priority and secondary GW the lowest.

Is such a scenario possible? 


L6 Presenter

I do not believe there are any preemption options for the gateway. Failover from the primary to secondary works because the client will automatically try to reconnect when is loses connection to the gateway, so it will test the primary, find it is unreachable, and then fail to the secondary. But when the primary comes back up it is already connected (to the secondary) gateway), so there is no reason to retest. Clients should automatically return to the primary gateway when the maximum VPN lifetime expires, though this may take considerable time (I believe the default is 30 days).


Some options might be: decrease the VPN lifetime; tell clients to manually switch back to the primary; or block the secondary gateway to force clients back to the primary.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!