Prisma Access GlobalProtect clients do not select any gateway when using the Best Available method
Created On 05/28/20 05:14 AM - Last Modified 11/17/22 23:23 PM
Objective
- When a user connects from a country that does not have an in-country gateway, the agent never connects to any gateway.
- Manual selection of a gateway (if allowed on the portal) works as expected.
Note: An in-country gateway is a gateway location available in the user's source country. For example, if the user is in the UK, a gateway in a UK location is called an in-country gateway.
Environment
- Prisma Access mobile users.
- Prisma Access is configured for mobile users with multiple gateways enabled.
Note: Not applicable to Strata Next Generation Firewalls.
Procedure
This is expected behaviour for Prisma Access when there is no in-country gateway available for use in the source country. See the document below for the official documentation.
How the GlobalProtect App Selects a Prisma Access Location for Mobile Users
Workarounds:
- Allow users to manually select the gateway.
- Set a preferred gateway for users connecting from these countries. The document in the next step will help.
- Support for Preferred Gateways
- Configure the portal with gateway locations selected under GlobalProtect > Agent > External > External gateways.
- Based on the above changes, the client receives a list of these 3 gateways and can connect to one of them based on latency using the Best Available method.
Note: This applies to all users who connect using this portal. Use config selection criteria to create a specific client configuration that matches a specific set of users as needed.