GP traffic black holing / redundancy

Dear all,

One of my clients is currently facing the below issue:

"We have faced some traffic black hole situations with Global Protect users when we are losing internal connectivity in a GP gateway.

When the firewall can no longer reach the LAN / internal connection because a cable has been disconnected from the TRUST interface or LAN, our WAN connectivity is still alive and the GP gateway is still available.

So all users are still being connected to the GP gw; they keep connecting but they lose communication with all internal services, and we end up with this traffic being completely black holed.

 

My questions here are:

 

  • Is there any way of shutting down/removing GP gateway from production if the internal connectivity check from the interface ETH1/3 in below example match a given condition (Boolean OR to several internal IPs, for example)?
  • If not possible, can we remove the GP gateway from production in case the link towards the LAN is down?

The only way the client is doing this right now is by manually shutting down the outside/untrust interface ETH1/1 below, if checks from ETH1/3 fail entirely to all internal destinations (Boolean OR).

 

My ideas are below. I tried to simulate option 1 below, but I have not been successful in configuring it.

 

Option 1 - Static route monitoring and Loopback

1/ Instead of binding the GP gateway to the external interface, you bind it to a loopback interface on the firewall.

2/ You add a static route (and maybe NAT depending on your setup) from the internet interface to the loopback interface to route the traffic to the new address.

3/ But when you create your static route, you add a path monitoring condition to make sure that the firewall's internal interface can reach your internal router. If it's not the case, the static route will be automatically removed from the routing table and the gateway will not be accessible anymore.

 

Option 2 - PBR instead of static route monitoring

You could also perform a very similar approach with a PBR policy but I tend to prefer the static route for something that is not changing too often.

 

Option 3 - Default route monitoring

One last very aggressive option I could think of would be: you don't change anything on your firewall but you add a path monitoring condition to the firewall default route. This way, if the firewall is losing connectivity to the internal network, it'll remove its default gateway and will lose internet connectivity.

 

[Image: DPonsdesserre_0-1616667169386.png]

 

Thanks

Regards

D.
