Hi, Cisco's tunnel groups and group policies cannot be directly migrated into a PA GlobalProtect gateway. The rule is a single PSK/CERT group per GP gateway; once you need more, a new gateway has to be created. In Cisco's vision, the use of multiple vpn-groups was done to segregate traffic in layer3+ pool containers. Using PA and its user identification, always present in GP, you can achieve the same security level with only one gateway (and related tunnel group) with a bunch of security rules based on User-ID.