Dear all,

Please see the design below. The idea is testing against IP 172.16.158.1 (IP of VLAN 161) using path monitoring + static route. Can we add path monitoring to an internal static route, that internal route monitoring reachability of 172.16.158.1 using as source interface a newly created loopback that we could associate with the GP gateway? The goal will be that when connectivity is lost from the loopback to 172.16.158.1, the GP gateway will shut down; the ultimate goal will be to avoid the mobile user traffic reaching the FW and then being black-holed...

Regards.
Dear all,

One of my clients is currently facing the issue below:

"We have faced some traffic black-hole situations with GlobalProtect users when we are losing internal connectivity in a GP gateway. When the firewall can no longer reach the LAN / internal connection because the cable has been disconnected from the TRUST interface or LAN, our WAN connectivity is still alive and the GP gateway is still available. So all users are still being connected to the GP gw; they keep connecting but they lose communication with all internal services and we end up with this traffic being completely black-holed.

My questions here are: Is there any way of shutting down/removing the GP gateway from production if the internal connectivity check from the interface ETH1/3 in the example below matches a given condition (Boolean OR to several internal IPs, for example)? If not possible, can we remove the GP gateway from production in case the link towards the LAN is down?"

The only way the client is doing this right now is by manually shutting down the outside/untrust interface ETH1/1 below, if checks from ETH1/3 fail entirely to all internal destinations (Boolean OR).

My ideas are below; I tried to simulate option 1 but I am not successful configuring it...

Option 1 - Static route monitoring and Loopback

1/ Instead of binding the GP gateway to the external interface, you bind it to a loopback interface on the firewall.

2/ You add a static route (and maybe NAT depending on your setup) from the internet interface to the loopback interface to route the traffic to the new address.

3/ But when you create your static route, you add a path monitoring condition to make sure that the firewall's internal interface can reach your internal router. If it's not the case, the static route will be automatically removed from the routing table and the gateway will not be accessible anymore.
Option 2 - PBR instead of static route monitoring

You could also perform a very similar approach with a PBR policy, but I tend to prefer the static route for something that is not changing too often.

Option 3 - Default route monitoring

One last, very aggressive option I could think of would be: you don't change anything on your firewall but you add a path monitoring condition to the firewall default route. This way, if the firewall is losing connectivity to the internal network, it'll remove its default gateway and will lose internet connectivity.

Thanks,
Regards,
D.
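As an added illustration of Option 1 (not taken from either post or from Palo Alto documentation), the PAN-OS CLI below binds a loopback to the firewall and attaches path monitoring to the internal static route, probing 172.16.158.1 from the loopback address as the first post asks. Assumed values: virtual router "default", loopback.1 with 203.0.113.10/32 in zone "untrust", internal interface ethernet1/3, internal summary 172.16.0.0/16 reached via 172.16.158.1, route name "internal-monitored" and probe name "lan-probe".

```text
# Added example; all names and addresses other than 172.16.158.1 are assumptions.

# 1/ Loopback that the GP gateway portal/gateway is bound to instead of ethernet1/1
set network interface loopback units loopback.1 ip 203.0.113.10/32
set network virtual-router default interface loopback.1
set zone untrust network layer3 loopback.1

# 3/ Internal static route with a path-monitoring condition.
#    The probe source must be an address the firewall owns; using the loopback
#    means the probe only succeeds while the loopback itself can reach the LAN.
set network virtual-router default routing-table ip static-route internal-monitored destination 172.16.0.0/16
set network virtual-router default routing-table ip static-route internal-monitored interface ethernet1/3
set network virtual-router default routing-table ip static-route internal-monitored nexthop ip-address 172.16.158.1
set network virtual-router default routing-table ip static-route internal-monitored path-monitor enable yes
set network virtual-router default routing-table ip static-route internal-monitored path-monitor failure-condition any
set network virtual-router default routing-table ip static-route internal-monitored path-monitor hold-time 2
set network virtual-router default routing-table ip static-route internal-monitored path-monitor monitor-destinations lan-probe enable yes
set network virtual-router default routing-table ip static-route internal-monitored path-monitor monitor-destinations lan-probe source 203.0.113.10
set network virtual-router default routing-table ip static-route internal-monitored path-monitor monitor-destinations lan-probe destination 172.16.158.1
set network virtual-router default routing-table ip static-route internal-monitored path-monitor monitor-destinations lan-probe interval 3
set network virtual-router default routing-table ip static-route internal-monitored path-monitor monitor-destinations lan-probe count 5
commit

# Check: the probe state, and that the route leaves the table while probes fail
show routing path-monitor
show routing route type static
```

After unplugging ethernet1/3 in a lab, the route should drop out of `show routing route` within the hold-time and return once probes to 172.16.158.1 succeed again; whether this alone makes the gateway unreachable from the internet depends on which route carries the loopback's traffic, which the posts leave open.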