Fabiano's suggestions did not work for me since I was already not using auth cookies.

By default, the user's tunnel will be renamed and they will stay on the same gateway. But perhaps you have a Windows user group and you want them to get directed to a 2nd gateway. If you do refresh connection, they will switch, but you want it to happen automatically. So, consider setting this timeout value for the pre-logon tunnel, under App settings, to 0:

Pre-Logon Tunnel Rename Timeout (sec) (Windows Only)

This setting controls how GlobalProtect handles the pre-logon tunnel that connects an endpoint to the gateway.

A value of -1 means the pre-logon tunnel does not time out after a user logs on to the endpoint; GlobalProtect renames the tunnel to reassign it to the user. However, the tunnel persists even if the renaming fails or if the user does not log in to the GlobalProtect gateway.

A value of 0 means when the user logs on to the endpoint, GlobalProtect immediately terminates the pre-logon tunnel instead of renaming it. In this case, GlobalProtect initiates a new tunnel for the user instead of allowing the user to connect over the pre-logon tunnel. Typically, this setting is most useful when you set the Connect Method to Pre-logon then On-demand, which forces the user to manually initiate the connection after the initial logon.