03-25-2021 03:19 AM - edited 03-25-2021 03:22 AM
Dear all,
One of my clients is currently facing the issue below:
"We have faced some traffic black hole situations with Global Protect users when we are losing internal connectivity in a GP gateway.
When the firewall can no longer reach the LAN / internal connection because the cable has been disconnected from the TRUST interface or the LAN, our WAN connectivity is still alive and the GP gateway is still available.
So all users are still being connected to the GP gateway; they keep connecting, but they lose communication with all internal services and we end up with this traffic being completely black holed."
My questions here are:
The only way the client is handling this right now is by manually shutting down the outside/untrust interface ETH1/1 below if the checks from ETH1/3 fail entirely to all internal destinations (Boolean OR).
My ideas are below. I tried to simulate option 1, but I have not been successful configuring it.
Option 1 - Static route monitoring and Loopback
1/ Instead of binding the GP gateway to the external interface, you bind it to a loopback interface on the firewall.
2/ You add a static route (and maybe NAT depending on your setup) from the internet interface to the loopback interface to route the traffic to the new address.
3/ But when you create your static route, you add a path monitoring condition to make sure that the firewall's internal interface can reach your internal router. If it's not the case, the static route will be automatically removed from the routing table and the gateway will not be accessible anymore.
Option 2 - PBR instead of static route monitoring
You could also take a very similar approach with a PBR policy, but I tend to prefer the static route for something that is not changing too often.
Option 3 - Default route monitoring
One last, very aggressive option I could think of would be: you don't change anything on your firewall, but you add a path monitoring condition to the firewall's default route. This way, if the firewall loses connectivity to the internal network, it will remove its default gateway and lose internet connectivity.
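To make the behaviour of option 1 concrete, here is an added Python model of static-route path monitoring. It is example code written for this thread, not PAN-OS code and not the poster's configuration: the destination names, the probe outcomes, the miss count and the hold time are all constructed assumptions. It shows the two knobs that decide whether the loopback route (and with it the GP gateway) is withdrawn: the failure condition ("any" monitored destination down, or only when "all" of them are down, which is the post's case of shutting the gateway only when checks to every internal destination fail) and a hold time that keeps a recovered route out of the table until the path has stayed up for a while, so a bouncing TRUST link does not flap the gateway.

```python
"""Added example: a model of static-route path monitoring with a failure
condition and a hold time. Not PAN-OS code and not the poster's
configuration; all names, counts and probe results are assumptions."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class MonitoredDestination:
    """One probed address, declared down after `count` consecutive misses."""
    name: str
    probe: Callable[[], bool]  # returns True when one probe succeeds
    count: int = 5
    misses: int = 0

    def tick(self) -> bool:
        """Run one probe; return True while the destination is considered up."""
        self.misses = 0 if self.probe() else self.misses + 1
        return self.misses < self.count


@dataclass
class MonitoredStaticRoute:
    """A static route that is withdrawn when its monitored path is unhealthy."""
    name: str
    destinations: List[MonitoredDestination]
    failure_condition: str = "any"  # "any": withdraw when one destination is down
                                     # "all": withdraw only when every destination is down
    hold_time: int = 2               # consecutive healthy ticks before reinstalling
    installed: bool = True
    healthy_ticks: int = 0
    log: List[str] = field(default_factory=list)

    def path_healthy(self, states: Dict[str, bool]) -> bool:
        if self.failure_condition == "any":
            return all(states.values())
        if self.failure_condition == "all":
            return any(states.values())
        raise ValueError(f"unknown failure condition {self.failure_condition!r}")

    def tick(self) -> bool:
        """Probe every destination once and return whether the route is installed."""
        states = {d.name: d.tick() for d in self.destinations}
        healthy = self.path_healthy(states)
        if self.installed and not healthy:
            self.installed = False  # route leaves the table: GP gateway becomes unreachable
            self.healthy_ticks = 0
            self.log.append(f"{self.name}: withdrawn, destination state {states}")
        elif not self.installed:
            # Hold time: the path must stay healthy for `hold_time` ticks before the
            # route is reinstalled, so a flapping link does not toggle the gateway.
            self.healthy_ticks = self.healthy_ticks + 1 if healthy else 0
            if self.healthy_ticks >= self.hold_time:
                self.installed = True
                self.log.append(f"{self.name}: reinstalled after hold time")
        return self.installed


def scripted_probe(results: List[bool]) -> Callable[[], bool]:
    """Build a probe that replays a constructed list of probe outcomes."""
    it = iter(results)
    return lambda: next(it)


def simulate(script: Dict[str, List[bool]], failure_condition: str,
             count: int = 2, hold_time: int = 2) -> List[bool]:
    """Return the installed state of the route after each tick of the script."""
    route = MonitoredStaticRoute(
        name="gp-loopback-route",
        destinations=[MonitoredDestination(n, scripted_probe(r), count)
                      for n, r in script.items()],
        failure_condition=failure_condition,
        hold_time=hold_time,
    )
    ticks = len(next(iter(script.values())))
    return [route.tick() for _ in range(ticks)]


T, F = True, False
# Constructed probe outcomes for two internal hosts probed from the TRUST side.
CABLE_PULLED = {   # both hosts vanish at tick 2 and return at tick 7
    "internal-router": [T, T, F, F, F, F, F, T, T, T, T],
    "dc-switch":       [T, T, F, F, F, F, F, T, T, T, T],
}
ONE_HOST_DOWN = {  # only the switch is unreachable; the LAN itself is fine
    "internal-router": [T] * 11,
    "dc-switch":       [T, T, F, F, F, F, F, F, F, F, F],
}
FLAPPING = {       # the link bounces before it stabilises
    "internal-router": [T, T, F, F, T, F, F, T, T, T, T],
    "dc-switch":       [T, T, F, F, T, F, F, T, T, T, T],
}

if __name__ == "__main__":
    for label, script in [("cable pulled", CABLE_PULLED), ("one host down", ONE_HOST_DOWN)]:
        for cond in ("any", "all"):
            print(f"{label:14s} failure-condition={cond}: {simulate(script, cond)}")
    print("flapping, hold-time=2:", simulate(FLAPPING, "all", hold_time=2))
    print("flapping, hold-time=3:", simulate(FLAPPING, "all", hold_time=3))
```

With the "all" failure condition the route survives a single unreachable host, which is what you want if one monitored destination is merely rebooting, while a pulled TRUST cable still withdraws it after the miss count is reached. The flapping script shows why the hold time matters: with a short hold time the route is reinstalled and withdrawn again within a few ticks, and GP users would reconnect straight back into the black hole.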