03-14-2022 04:57 PM
Up to now I've just had a single portal and gateway on an existing PAN 3220 pair.
I had a couple of questions.
1) What determines when traffic gets sent to the second gateway instead of the on-board gateway?
2) Can the same certificate be used for both gateways? I use certificate based authentication. The server certificate on the existing firewall is gp.acme.com - would this same certificate go onto the new gateway as well? I ask as the two gateways would have different IP addresses.
3) If the virtual PAN/secondary gateway was on the inside of DMZ interface of the hardware PAN, would it be still able to serve as the secondary gateway?
03-15-2022 01:22 PM
1) What determines when traffic gets sent to the second gateway instead of the on-board gateway?
- Based on your config on the portal.
- If you choose auto gateway selection with the same weight, it uses SSL response time. You can see it in the PANGPS and PANGPA logs.
2) Can the same certificate be used for both gateways? I use certificate based authentication. The server certificate on the existing firewall is gp.acme.com - would this same certificate go onto the new gateway as well? I ask as the two gateways would have different IP addresses.
- For the gateway config, if you have a wildcard certificate, which is not recommended but somehow works, you can use it.
- If you have a wildcard certificate which has your two gateway FQDNs as subject alt names, it works and is recommended; you can use it.
Otherwise (an idea, I did not try):
If you create two DNS records for your VPN gateways and portals, for example:
DNS Record1 vpn.acme.com = 1.2.3.4
DNS Record2 vpn.acme.com = 1.2.3.5
the same certificate should be usable. Users will connect to whichever responds (the faster one).
You mentioned "I use certificate based authentication."
It is an authentication mechanism which is not related to the gateway and portal certificate config. You can use the same Authentication Certificate profile for other gateways.
3) If the virtual PAN/secondary gateway was on the inside of DMZ interface of the hardware PAN, would it be still able to serve as the secondary gateway?
If it's behind NAT (not recommended, because NAT means you are making packets smaller, so SSL connections may fail), after creating the required rule on the hardware PAN it should work.
Another option: create sub-interfaces on the hardware PAN and serve more than one portal and gateway on the same firewall (I am running 8 portals and different gateways on the same hardware PAN).
I suggest, before taking action, creating a test gateway and portal and then seeing the results.
Have a nice day.
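As an added example (not code from the thread or from Palo Alto Networks), this is the check behind question 2: does one server certificate cover both gateway FQDNs, including the wildcard case the reply discusses? The second gateway name gw2.acme.com and the SAN lists are constructed for illustration; fetch_san_names() is an optional helper for reading the SANs off a live gateway and is not needed to run the check.

```python
import socket
import ssl
from typing import Dict, Iterable, List


def san_covers(san_dns_names: Iterable[str], hostname: str) -> bool:
    """True if any dNSName SAN matches hostname (RFC 6125 style wildcard rules).

    A wildcard is only honoured as the whole leftmost label ("*.acme.com") and
    matches exactly one label: it covers gw2.acme.com but not acme.com or
    a.b.acme.com. Comparison is case-insensitive; trailing dots are ignored.
    """
    host = hostname.lower().rstrip(".")
    for name in san_dns_names:
        pattern = name.lower().rstrip(".")
        if pattern == host:
            return True
        if pattern.startswith("*."):
            suffix = pattern[1:]  # ".acme.com"
            if host.endswith(suffix):
                left = host[: -len(suffix)]
                if left and "." not in left:
                    return True
    return False


def gateways_covered(san_dns_names: Iterable[str], gateways: Iterable[str]) -> Dict[str, bool]:
    """Map each gateway FQDN to whether the certificate's SANs cover it."""
    sans = list(san_dns_names)
    return {gw: san_covers(sans, gw) for gw in gateways}


def fetch_san_names(host: str, port: int = 443) -> List[str]:
    """Read the dNSName SANs from the certificate a live gateway presents.

    Not called below; it needs network access to the gateway.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


# Constructed sample data: the existing gateway name from the question and an
# assumed second gateway name.
GATEWAYS = ["gp.acme.com", "gw2.acme.com"]
CERT_SINGLE_NAME = ["gp.acme.com"]                # today's certificate
CERT_BOTH_SANS = ["gp.acme.com", "gw2.acme.com"]  # re-issued with both FQDNs
CERT_WILDCARD = ["*.acme.com"]                    # wildcard alternative
```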