07-28-2021 05:53 AM
Hi Folks,
I have Palo Alto firewalls on DC and DRC, and we are going to configure GlobalProtect for SSL VPN.
I understand that we can configure multiple gateways on the Portal, so that when one gateway is down it can fail over to the next available gateway.
Let's say I configure the Palo Alto on DC as the Portal, and the Gateways consist of Palo Alto DC (highest priority) and DRC (as a backup).
Q1: The IP address which we should publish to the user to connect is the IP address of the Portal, right?
Q2: Then the portal will push information for 2 Gateways to the user. They will automatically connect to gateway DC. Then what will happen on the user side when the user is connected to the gateway DC, and suddenly the gateway DC goes down, which means the Portal is down as well?
Q3: What will happen when the Palo Alto DC is down and there is a user trying to connect his GlobalProtect client?
Q4: Is there any way to make the VPN service still available for the user when the Portal is down, without GSLB? Without user interference to change the IP or something on their GP agent?
Thanks for all the answers
07-28-2021 10:01 AM
I have no idea what DC or GSLB stands for...
Anyhow, you are correct in that you only give the portal address to users.
And yes, the portal will offer 2 gateways, and if you have not set priorities on the gateways then the user will connect to the gateway that responds quickest. If the portal then becomes unavailable, the GP client will use a cached copy of the portal settings on every connection until the portal is available, but the user needs to connect at least once to cache the portal config.
If the user loses connection to its gateway then it will refresh the portal connection and then connect to the other gateway if one of them is still down. Hope that helps...
07-28-2021 06:14 PM
Hi @Mick_Ball
Thanks, that answered my questions.
Regarding the cached copy of the portal settings, under what conditions will the cache be removed from the client?
07-28-2021 10:51 PM
There is no time limit on the cached portal; it will remain unless overwritten by a newer portal connection or client uninstall.
The only issue with cached portals is if you change any app/auth/gateway etc. settings and need to get this out to users. You can of course replicate portals to other Palos for additional resilience; we do this at 2 main sites for when we know a particular site will be down for any reason...
07-29-2021 09:19 AM
Well noted.
Yes, I am thinking about that as well, to replicate the portal to another Palo.
Well, thanks @Mick_Ball