Excellent, thanks a lot, Sir. I wish to see the entire series on Palo Alto firewall configuration and implementations on AWS and VMware VMC Cloud integrated networks soon.
Thank you! If you're configuring Prisma Access using Panorama, you are able to change the portal configuration in the template Mobile_User_Template (under Network). There you can configure the Gateway priorities. Or did you mean using Strata Cloud Manager?
You're right, I meant location, not gateway. Funny, I have a client that has Prisma Access Enterprise, and I was sure you could configure the location priorities on Panorama, under Network -> Portal. But again, I don't have much experience with Prisma Access. :-)
Great way of explaining it, but it would be better if you could do a step-by-step tutorial on configuring this option. For example, how to assign a gateway to a dual ISP setup.
You could allow the users to choose the gateways; would that be a solution for your environment? Or you could set the priority of the second gateway to lowest, so that clients only connect to it if the first gateway or ISP is down.
Hi. Thank you, I'm glad you like the videos. Regarding your question, external gateways provide remote access to your network. The internal gateways are usually implemented to gather User-IP mappings from people already inside your network.
Hi. I am also very keen to know more about the internal gateway, its use cases, what other components are required to work with the internal gateway, and how to implement it. Thanks a lot.
I'm not sure I understand your question. It doesn't matter if the routes to the gateways are configured on the same VR or not, the important thing is that the clients are able to reach the gateways.
If a client cannot connect to the first gateway, it tries the second one. So with a dual ISP it would be no problem. The only problem there is the GlobalProtect Portal. Usually a client saves the last configuration it downloaded from the portal. But if a client is connecting for the first time and the portal is not available, the client won't be able to connect. For portal redundancy you would probably need to set up DNS with some sort of monitoring, if you want an automatic solution.
Hi. I have one query. Let's say the portal and gateway are on the same firewall and our firewall is down; then how can clients connect to the GlobalProtect VPN? I am trying to rectify it: if the portal is down because the firewall is down, then how will clients get info about the gateways and all?
Hi, sorry for the late reply. You are right, you need both the portal and the gateways to be reachable. In theory, if the portal is not reachable, the GlobalProtect app would use a cached portal configuration, if available, and try to connect to a gateway (I haven't tried it in practice yet). One possibility would be to have a High Availability firewall pair. Another one would be to use DNS to balance the load for you, with firewalls at different sites.
Hi, if I understood you correctly, you would like to access the gateway directly. I think it's only possible if the portal is not accessible. In this case, the GlobalProtect app should use cached portal configuration and try to connect to the gateway directly.