Multiple Portals/Gateways


Multiple Portals/Gateways

L2 Linker

GP on the fw is set up and working. I have a group of users I need to isolate from everyone else - most of the time. So if they use the URL vpn1.mydomain.com they get IP Pool X and specific X policies. If they use the URL vpn2.mydomain.com they get IP Pool Y and specific Y policies.

 

It seems like I should be able to set up multiple portals and gateways on an interface, but I want some confirmation before I start working with a production environment.

14 REPLIES

Cyber Elite

Hi @GFN182 ,

 

The straightforward solution is to use source user in the security policy to isolate the users without having to build multiple gateways.  GP has User-ID built-in.  I like keeping all of my security configuration in one place.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

L7 Applicator

I would go with @TomYoung's suggestion.

Just one portal with one gateway; then the gateway can have many configs that differentiate between users via User-ID and distribute IPs as required.

 

Or just have the same gateway for all and base your policies on User-ID only...

L2 Linker

Unfortunately the same User-ID has multiple requirements.

Cyber Elite

Unless the authentication needs to be different, you can definitely stick to one portal.

 

Each gateway can have multiple configurations based on user group membership so you can assign different subnets to each user group.

In addition, you can reuse those user groups in security rules to limit which access each group gets.

If they need to be able to choose when they take certain access, you can set up 2 gateways on the one portal and allow them to pick which one to connect to manually. You can then assign them one IP pool on one gateway and another on the second gateway, then set security rules that allow them access based on user group and source subnet.

 

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

I'm not sure why you would want to do that... Could you explain why, as it may assist in finding another solution.

Cyber Elite

Hi @GFN182 ,

 

Use groups in your security policy.  You will need to configure group mapping, but with groups a single user can match multiple security policy rules.  The user does not have to change gateways for different access rights.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

L2 Linker

The use case is mutually exclusive. One connection will login to our isolated cyber environment. The other connection will give access to our production environment.

Except I would belong to both groups.

One portal, two gateways

GW1: Regular users and case A access to production, IP pool A

GW2: Case B access to cyber, IP pool B

 

Using two gateways allows manual selection of which environment to connect to; security rules for user group and subnet A OR subnet B allow access to one or the other.

 

For full segregation you could set up multiple virtual systems and host a gateway on each.

 

 

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
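The two-gateway design above, modelled as an added example (not PAN-OS configuration and not code from the thread): each gateway hands out its own client pool, the pools must not overlap (the commit-time check the gateway enforces), and a rule only matches when both the user group and the source subnet match, so a user in both groups reaches only the environment of the gateway they chose. Pool ranges, group names and destinations are constructed.

```python
"""Model of one portal / two gateways with per-gateway client pools and
security rules keyed on user group AND source subnet."""
import ipaddress

# Constructed gateway -> client IP pool mapping (placeholder private ranges)
GATEWAY_POOLS = {
    "GW1-production": "10.10.0.0/24",   # pool A
    "GW2-cyber": "10.20.0.0/24",        # pool B
}

# Constructed security rules: (name, required group, source subnet, destination)
RULES = [
    ("allow-prod", "prod-users", "10.10.0.0/24", "production"),
    ("allow-cyber", "cyber-users", "10.20.0.0/24", "cyber"),
]


def check_pools_disjoint(pools):
    """Return the first pair of gateways whose client pools overlap, or
    None when all pools are disjoint (overlap is rejected at commit)."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in pools.items()}
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                return (a, b)
    return None


def reachable(user_groups, client_ip, rules=RULES):
    """Return the set of destinations a tunnel client may reach.
    A rule matches only when the user is in the group AND the client's
    tunnel address falls in the rule's source subnet."""
    ip = ipaddress.ip_address(client_ip)
    allowed = set()
    for _name, group, src, dest in rules:
        if group in user_groups and ip in ipaddress.ip_network(src):
            allowed.add(dest)
    return allowed


if __name__ == "__main__":
    print(check_pools_disjoint(GATEWAY_POOLS))          # None
    both = {"prod-users", "cyber-users"}
    # Same user: pool A address reaches production only, pool B cyber only
    print(reachable(both, "10.10.0.7"))                # {'production'}
    print(reachable(both, "10.20.0.7"))                # {'cyber'}
```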

Understood.

Help the community: Like helpful comments and mark solutions.

This sounds possible, I will give it a shot.

L2 Linker

Working with my SE, he recommended using a loopback interface on a different port. He demonstrated this in his lab.

L0 Member

I have a different purpose (new certificate with a different CN) for creating a new/parallel portal & gateway (to keep the change transparent for end users and to keep an easy revert possibility in the worst case), so when I try to create a new portal+gateway by adding a new public IP on the same internet interface, using the new certificate and a new client IP pool range, I get the error below while pushing the policy:

. SSLVPN: Invalid IPv4 pool value: xxxxxxxxxxxxxxxxxxx
. (Module: rasmgr)
. SSLVPN: failed to parse IP pool in tunnel xxxxxxxxxxx
. (Module: rasmgr)
. Parsing GlobalProtect gateway multi user configs failure
. (Module: rasmgr)
. Commit failed

I checked multiple times that there is no overlap in the client subnet I am using, and the subnet value is also correct; it's large enough, I tried /24 and /22, but I'm still not sure why it gives the above error.

Is it possible to configure two portals/gateways on the same interface but with two different public IPs, different tunnel interfaces and different client IP ranges?

 

You can't use two IPs on the same interface. Use a loopback interface to achieve your goals.
