Second Global Protect Gateway


L3 Networker

Up to now I've just had a single portal and gateway on an existing PAN 3220 pair.
I had a couple of questions:

 

1) What determines when traffic gets sent to the second gateway instead of the on-board gateway?

 

2) Can the same certificate be used for both gateways? I use certificate based authentication. The server certificate on the existing firewall is gp.acme.com - would this same certificate go onto the new gateway as well? I ask as the two gateways would have different IP addresses. 

3) If the virtual PAN/secondary gateway was on the inside of DMZ interface of the hardware PAN, would it be still able to serve as the secondary gateway?

1 ACCEPTED SOLUTION

L3 Networker

1) What determines when traffic gets sent to the second gateway instead of the on-board gateway?

- Based on your configuration on the portal.

- If you choose auto gateway selection with the same weight, it uses SSL response time. You can see it in the PANGPS and PANGPA logs.

 

2) Can the same certificate be used for both gateways? I use certificate based authentication. The server certificate on the existing firewall is gp.acme.com - would this same certificate go onto the new gateway as well? I ask as the two gateways would have different IP addresses. 

- For the gateway config, if you have a wildcard certificate (which is not recommended, but somehow it works) you can use it.

- If you have a wildcard certificate which has your two gateway FQDNs as subject alternative names, it works and is recommended; you can use it.

Otherwise (an idea, I did not try):

If you create two DNS records for your VPN gateways and portals, for example:

DNS Record1 vpn.acme.com = 1.2.3.4

DNS Record2 vpn.acme.com = 1.2.3.5

The same certificate should be usable. Users will connect to whichever responds first (the faster one).

 

You mentioned "I use certificate based authentication."

It is an authentication mechanism which is not related to the gateway and portal certificate config. You can use the same Authentication Certificate profile for the other gateways.

 

3) If the virtual PAN/secondary gateway was on the inside of DMZ interface of the hardware PAN, would it be still able to serve as the secondary gateway?

If it's behind NAT (not recommended, because NAT means you are making packets smaller, so SSL connections may fail), after creating the required rule on the hardware PAN it should work.

Another option: create sub-interfaces on the hardware PAN and serve more than one portal and gateway on the same firewall (I am running 8 portals and different gateways on the same hardware PAN).

 

I suggest that before taking action you create a test gateway and portal, then see the results.

 

Have a nice day.

UP

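As an added example (not from the thread and not Palo Alto Networks code): a small certificate-name check that shows why the existing gp.acme.com certificate does not cover a second gateway with a different FQDN, while either a wildcard certificate or one carrying both gateway FQDNs as SANs does. The second gateway name gp2.acme.com and the certificate name lists are constructed for illustration; the matching rules follow RFC 6125 (wildcard only as the whole leftmost label, matching exactly one label).

```python
"""Check whether a GlobalProtect portal/gateway certificate covers every
FQDN that clients will connect to. Constructed example for this thread."""


def name_matches(cert_name: str, hostname: str) -> bool:
    """RFC 6125 style DNS-ID comparison, case-insensitive.

    A wildcard is honoured only as the entire leftmost label ("*.acme.com"),
    must leave at least two real labels, and matches exactly one label, so
    "*.acme.com" covers gp2.acme.com but not gw.dmz.acme.com.
    """
    p = cert_name.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if "*" in cert_name:
        # Reject partial ("gp*.acme.com"), non-leftmost and too-short wildcards.
        if p[0] != "*" or len(p) < 3 or any("*" in lbl for lbl in p[1:]):
            return False
        return len(p) == len(h) and p[1:] == h[1:] and h[0] != ""
    return p == h


def uncovered_hosts(cert_names: list[str], hostnames: list[str]) -> list[str]:
    """Return the hostnames that no DNS name in the certificate matches."""
    return [hn for hn in hostnames
            if not any(name_matches(cn, hn) for cn in cert_names)]


# Constructed data mirroring the thread: the existing gateway gp.acme.com and
# an assumed second gateway gp2.acme.com on a different IP address.
GATEWAYS = ["gp.acme.com", "gp2.acme.com"]
SINGLE_NAME_CERT = ["gp.acme.com"]           # existing cert on the hardware pair
WILDCARD_CERT = ["*.acme.com"]               # works, but discouraged in the thread
SAN_CERT = ["gp.acme.com", "gp2.acme.com"]   # recommended: both FQDNs as SANs
# The DNS round-robin idea: both records share one name, so the IP is irrelevant.
ROUND_ROBIN_CERT, ROUND_ROBIN_HOSTS = ["vpn.acme.com"], ["vpn.acme.com"]


def report() -> dict[str, list[str]]:
    """Uncovered gateway names per certificate option (empty list = OK)."""
    return {
        "single-name": uncovered_hosts(SINGLE_NAME_CERT, GATEWAYS),
        "wildcard": uncovered_hosts(WILDCARD_CERT, GATEWAYS),
        "san": uncovered_hosts(SAN_CERT, GATEWAYS),
        "round-robin": uncovered_hosts(ROUND_ROBIN_CERT, ROUND_ROBIN_HOSTS),
    }


if __name__ == "__main__":
    for option, missing in report().items():
        print(f"{option:12s} -> {'OK' if not missing else 'missing ' + ', '.join(missing)}")
```

The same check can be run against a live gateway by feeding it the SAN list printed by `openssl x509 -noout -ext subjectAltName` for the certificate the gateway actually serves.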
