11-06-2024 12:16 PM
I have a situation where I will have 2 firewalls, each at their own respective site using different ISPs. I'd like to setup it up so that end users only have to connect to the portal at site1.mydomain.org, which will have the gateway configuration listed for the local firewall. If that site loses internet, and therefore the portal isn't available, I'd like to have them automatically reconnect to site2.mydomain.org w/o them having to take any user intervention if possible, similar to having 2 gateways listed on the same portal.
Is that possible w/o having to manually reconfigure their vpn clients or install the client from script?
11-06-2024 01:48 PM
Hello @DJ_1924
I've encountered this scenario before, and what you'll require is a combination of a Dynamic DNS (DDNS) service and a health check service. This setup will monitor the public IPs from each firewall and provide the necessary DNS record to connect to either A or B. It's important to note that this functionality cannot be achieved solely within the firewall itself, as external monitoring of the public IPs is necessary to determine their availability. Companies that provide these services include Cloudflare and Amazon.
Regards
11-07-2024 07:35 AM - edited 11-07-2024 07:35 AM
Hi @DJ_1924 ,
The global server load balancing method mentioned by @jpomachagua can be done if site2 also has the portal configured with the same FQDN.
Another approach to automatic failover (no manual selection) can be done with 1 portal and 2 gateways. Site1 will have both gateways (site1 and site2) configured in the portal. You can use the GlobalProtect gateway selection process to have everyone use site1 gateway. If the portal ever goes down, the clients will automatically connect to the site2 gateway using the cached portal configuration.
https://knowledgebase.paloaltonetworks.com/kCSArticleDetail?id=kA10g000000ClVz
There was a cool 3rd party document on this configuration that has since been deleted. It also said that the portal client configuration Save User Credentials had to be enabled for this redundancy to work. That is how i configured and tested this HA for a client. It worked great. If it doesn't work without that setting, you could try that.
Thanks,
Tom
11-08-2024 06:42 AM
Thanks for both of these posts. Using SAML authentication so not sure if that will impact this, but I'll certainly give it a try.
11-08-2024 07:03 AM
Hi @DJ_1924 ,
The DNS failover suggested by @TomYoung and @jpomachagua shouldn't have any effect on the SAML authentication, as all comes down to the fact that both portals will be using same FQDN.
11-08-2024 09:20 AM
Thanks for the response. Yes, DNS failover I understand and agree. Just tried the method of 1 portal w/ 2 gateways defined. Then tested inbound after disabling access to the portal. 1 user successfully used a cached gateway list and connected to site 2 gateway. The other user wasn't able to connect as they keep being prompted that the portal was unavailable. Both were running the same GP client software.
11-08-2024 12:05 PM
Yes, had the other user connect to the portal while it was up so they could pull the configuration file. Then disabled inbound access to the portal and had them try to reconnect and they got the error.
11-08-2024 01:28 PM
Hi @DJ_1924 ,
That's disappointing. Are there any differences in the 2 users such as OS, GP version, etc.? Did you try enabling Save User Credentials?
Thanks,
Tom
11-14-2024 05:25 AM
The 1 that was working was Windows 11 and the other was Windows 10.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
