GP portal with multiple gateway can automate failover between multiple gateways when highest priority gateway gets down ?


L1 Bithead

Can a GP portal (containing multiple GP gateways) automate enforcement of GP gateways in the event that the primary GP gateway goes down for any undesired reason?

Is the failover between gateways automatic, without users noticing that they have been disconnected and re-connected to the other gateway?


5 Replies

L7 Applicator

No, this is not possible. The user may not notice if they are just browsing or using a local app, but if they are using, for example, video streaming or RDP, then they will be disrupted.

GP will retry the current gateway a number of times before trying another gateway. This process time can be reduced in the GP portal config settings. This may speed the process up but be careful not to force GP refresh for slight network glitches.

L1 Bithead

Thanks MickBall. Please check the concern below.

When a GP portal has multiple gateways, if the gateway with the highest priority goes down and is not coming back up, then the gateway with the next-lower priority will address/assess all GP client traffic. So, while this happens, do users have to enter their credentials again in their GP client application to get authenticated in order to keep using GP SSL-VPN? (While the second gateway with lower priority takes over, does it remain transparent to end users? While this failover happens, does the GP portal/GP client application ask/force users to authenticate again to continue using GP SSL-VPN?)

For GP end users, how can we have auto failover between multiple gateways in the above scenario so that users do not have to authenticate again, or need not enter their GP credentials in their GP client application, to continue using GP SSL-VPN?

Thanks in advance !!

Shiva Vaishya

Accepted solution:

You can generate cookies from the portal login, you can then allow gateways to accept the cookies for authentication. It is called authentication override. We use it for one time passcodes. Works great... I would suggest that you do not accept cookies auth on portal and tick box portal as per my below...

[Image: MickBall_0-1630423092952.jpeg]

L1 Bithead

Hi Mickball,

Thanks for the response!!

Since it's not safe to enable cookies auth override for my requirement, is there any other safe way to fulfill this requirement, where GP end users do not have to authenticate themselves when they are connected to a GP portal which contains multiple GP gateways and when there is failover from the primary gateway to the next reachable gateway for redundancy purposes?

I cannot understand your reasoning with cookies... Another option would be to save user credentials, but that would not be advisable; that's why they offer cookies.

Another option would be to use certificate authentication to the gateways. Either use a domain-issued cert or self-signed.
