GlobalProtect Mixed Gateway Always-On

L0 Member

Hi All,

As per this article (https://docs.paloaltonetworks.com/globalprotect/9-0/globalprotect-admin/globalprotect-quick-configs/...), if I set my portal to User Logon (Always-On), my internal gateway will try to connect, but my external will not (it will have to be done manually). This is what I want... however...

I have tested this on my iPhone and the internal gateway autoconnects as it should. However, when I'm not on the internal network, my iPhone constantly tries to connect (not sure if it's trying to connect to the internal/external gateway, but the connection constantly fails). This should not be happening as per the article. I only have one internal gateway and one external gateway. How do I stop GP from trying to autoconnect when not on the internal network?

L0 Member

I have checked my logs and it seems to constantly try to connect with the below errors. Also in iOS, if you go into Settings, you can see the VPN constantly trying to connect. This breaks apps - for example, YouTube does not play videos. You have to go into iOS -> General -> VPN and disable the Connect On Demand setting, and then the constant connecting stops and videos play again.

09/13/2020 20:00:49.950 [Info ]: Network discovery started.
09/13/2020 20:00:50.179 [Error]: Please select a gateway to connect manually.
09/13/2020 20:00:51.225 [Info ]: GlobalProtect service started (client version: 5.2.3-3, OS version: Apple iOS 13.4.1).
09/13/2020 20:00:51.384 [Info ]: Portal login completed with address xxyy.ddns.net and conect method of user-logon.
09/13/2020 20:00:51.387 [Info ]: Network discovery started.
09/13/2020 20:00:51.616 [Error]: Please select a gateway to connect manually.
09/13/2020 20:00:52.541 [Info ]: GlobalProtect service started (client version: 5.2.3-3, OS version: Apple iOS 13.4.1).
09/13/2020 20:00:52.695 [Info ]: Portal login completed with address xxyy.ddns.net and conect method of user-logon.
09/13/2020 20:00:52.699 [Info ]: Network discovery started.
09/13/2020 20:00:52.918 [Error]: Please select a gateway to connect manually.
09/13/2020 20:00:54.148 [Info ]: GlobalProtect service started (client version: 5.2.3-3, OS version: Apple iOS 13.4.1).
09/13/2020 20:00:54.299 [Info ]: Portal login completed with address xxyy.ddns.net and conect method of user-logon.
09/13/2020 20:00:54.303 [Info ]: Network discovery started.

L3 Networker

Hi,

By default, with User-Logon (Always), GP will automatically connect to the gateway.

I see only one workaround to accomplish what you want, since you have only one Portal:

- On the Portal, do not save login info ("Save User Credentials"), so the user will have to enter login data if he wants to log in.

*************************************************************
PCCSA | PCNSA | PCNSE | CyberRange | PA CyberForce
*********************************
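
To spot the reconnect loop shown in the log excerpt earlier in this thread across collected client logs, the following added example (not code from any poster or from Palo Alto Networks) parses that log format and groups back-to-back failed discovery cycles. The sample lines are copied from the posted excerpt; the function names, the 5-second gap and the 3-cycle threshold are assumptions chosen for illustration.

```python
import re
from datetime import datetime, timedelta

# First ten lines of the log excerpt posted in the thread (three failed cycles).
SAMPLE_LOG = """\
09/13/2020 20:00:49.950 [Info ]: Network discovery started.
09/13/2020 20:00:50.179 [Error]: Please select a gateway to connect manually.
09/13/2020 20:00:51.225 [Info ]: GlobalProtect service started (client version: 5.2.3-3, OS version: Apple iOS 13.4.1).
09/13/2020 20:00:51.384 [Info ]: Portal login completed with address xxyy.ddns.net and conect method of user-logon.
09/13/2020 20:00:51.387 [Info ]: Network discovery started.
09/13/2020 20:00:51.616 [Error]: Please select a gateway to connect manually.
09/13/2020 20:00:52.541 [Info ]: GlobalProtect service started (client version: 5.2.3-3, OS version: Apple iOS 13.4.1).
09/13/2020 20:00:52.695 [Info ]: Portal login completed with address xxyy.ddns.net and conect method of user-logon.
09/13/2020 20:00:52.699 [Info ]: Network discovery started.
09/13/2020 20:00:52.918 [Error]: Please select a gateway to connect manually.
"""

LINE_RE = re.compile(r"^(\d\d/\d\d/\d{4} [\d:.]+) \[(\w+)\s*\]: (.*)$")
MANUAL_ERR = "Please select a gateway to connect manually"

def parse(text):
    """Yield (timestamp, level, message) for each well-formed log line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S.%f")
            yield ts, m.group(2), m.group(3)

def failed_discoveries(events):
    """Timestamps where network discovery is directly followed by the error."""
    events = list(events)
    return [b[0] for a, b in zip(events, events[1:])
            if a[2].startswith("Network discovery started")
            and b[1] == "Error" and MANUAL_ERR in b[2]]

def reconnect_loops(text, max_gap=timedelta(seconds=5), min_cycles=3):
    """Group failures at most max_gap apart; return (first, last, count) runs."""
    runs, run = [], []
    for ts in failed_discoveries(parse(text)):
        if run and ts - run[-1] > max_gap:
            runs.append(run)
            run = []
        run.append(ts)
    runs.append(run)
    return [(r[0], r[-1], len(r)) for r in runs if len(r) >= min_cycles]

if __name__ == "__main__":
    for first, last, n in reconnect_loops(SAMPLE_LOG):
        print(f"{n} failed auto-connect cycles between {first} and {last}")
```
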