DotW: Multiple GlobalProtect Gateways on the Same Firewall
Resolution
Need help managing more than one GlobalProtect gateway on the same firewall ? This is a good discussion that's bubbled up from our Live Community, and we'd like to tackle it in this week's Discussion of the Week (DotW).
Community member 'Nathan.McCart' explains that he has a Palo Alto Networks PA-3020 firewall that has two ISP connections—a fairly common setup these days. He is also using GlobalProtect for remote access, which is set up on his Primary ISP.
Nathan's question has to do with his GlobalProtect Gateway on his ISP 1. He asks if there's a way to utilize his ISP 2 connection if the ISP 1 connection goes down.
Several members of the community replied with suggestions, one using PBF (Policy-Based Forwarding) rules to accomplish this, but Nathan was not sure whether to use one VR or two to handle the traffic properly.
Others commented about using multiple GlobalProtect gateways but only one Virtual Router (VR), but that looks like it would not work properly for what Nathan was trying to do.
User Otakar.klier responded with information and this link to:
How to Configure a Palo Alto Networks Firewall with Dual ISPs and Automatic VPN Failover
Here is what Nathan was trying to accomplish:
In the end, this is exactly what Nathan ended up doing, using two VRs to handle traffic for each. One of the major reasons for this solution is because having two default routes for 0.0.0.0 on just one VR can make life rather difficult. Two VRs makes for a much simpler situation.
To read the discussion, please visit this link:
Multiple Global Protect gateways on the same firewall
To read about other topics in the discussion area, please visit this link:
We always welcome comments and questions below in the comments section.
Thanks for reading,
Joe Delio