Listing Backup GlobalProtect Portal

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Listing Backup GlobalProtect Portal

L1 Bithead

I have a situation where I will have 2 firewalls, each at their own respective site using different ISPs.  I'd like to setup it up so that end users only have to connect to the portal at site1.mydomain.org, which will have the gateway configuration listed for the local firewall.  If that site loses internet, and therefore the portal isn't available, I'd like to have them automatically reconnect to site2.mydomain.org w/o them having to take any user intervention if possible, similar to having 2 gateways listed on the same portal.  

 

Is that possible w/o having to manually reconfigure their vpn clients or install the client from script?

9 REPLIES 9

L3 Networker

Hello @DJ_1924 

 

I've encountered this scenario before, and what you'll require is a combination of a Dynamic DNS (DDNS) service and a health check service. This setup will monitor the public IPs from each firewall and provide the necessary DNS record to connect to either A or B. It's important to note that this functionality cannot be achieved solely within the firewall itself, as external monitoring of the public IPs is necessary to determine their availability. Companies that provide these services include Cloudflare and Amazon.

 

Regards

Jorge Pomachagua
PCNSE, PCNSC.

Cyber Elite
Cyber Elite

Hi @DJ_1924 ,

 

The global server load balancing method mentioned by @jpomachagua can be done if site2 also has the portal configured with the same FQDN.

 

Another approach to automatic failover (no manual selection) can be done with 1 portal and 2 gateways.  Site1 will have both gateways (site1 and site2) configured in the portal.  You can use the GlobalProtect gateway selection process to have everyone use site1 gateway.  If the portal ever goes down, the clients will automatically connect to the site2 gateway using the cached portal configuration.

 

https://knowledgebase.paloaltonetworks.com/kCSArticleDetail?id=kA10g000000ClVz

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000kFLbCAM&lang=en_US%E2%80%A...

 

There was a cool 3rd party document on this configuration that has since been deleted.  It also said that the portal client configuration Save User Credentials had to be enabled for this redundancy to work.  That is how i configured and tested this HA for a client.  It worked great.  If it doesn't work without that setting, you could try that.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

Thanks for both of these posts.  Using SAML authentication so not sure if that will impact this, but I'll certainly give it a try. 

Hi @DJ_1924 ,

The DNS failover suggested by @TomYoung and @jpomachagua  shouldn't have any effect on the SAML authentication, as all comes down to the fact that both portals will be using same FQDN.

 

Thanks for the response.  Yes, DNS failover I understand and agree.  Just tried the method of 1 portal w/ 2 gateways defined.  Then tested inbound after disabling access to the portal.  1 user successfully used a cached gateway list and connected to site 2 gateway.  The other user wasn't able to connect as they keep being prompted that the portal was unavailable.  Both were running the same GP client software. 

Cyber Elite
Cyber Elite

Hi @DJ_1924 ,

 

Had the "other user" previously connected to the portal?

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

Yes, had the other user connect to the portal while it was up so they could pull the configuration file.  Then disabled inbound access to the portal and had them try to reconnect and they got the error.

Cyber Elite
Cyber Elite

Hi @DJ_1924 ,

 

That's disappointing.  Are there any differences in the 2 users such as OS, GP version, etc.?  Did you try enabling Save User Credentials?

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

The 1 that was working was Windows 11 and the other was Windows 10.

  • 610 Views
  • 9 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!