GlobalProtect Gateway Tunnel failover with Firewall in Active-Passive High Availability Configuration

Created On 02/09/21 01:27 AM - Last Modified 06/24/25 23:23 PM


Symptom


  • When a GlobalProtect Gateway is configured on a firewall pair in an Active-Passive High Availability configuration, a firewall administrator can trigger a failover of the active firewall by rebooting or suspending the device, so that the passive firewall takes over as active.
  • In this scenario, users may experience a traffic interruption, depending on how the GlobalProtect tunnel is established on the gateway.


Environment


  • PAN-OS 8.1.x or above
  • GlobalProtect 5.0.x or above
  • Palo Alto Networks Firewall


Cause


  • If the end user connected via GlobalProtect using an SSL tunnel instead of IPsec, the SSL tunnel on the GlobalProtect client is terminated when the firewall fails over from active to passive, causing all established connections routed over the tunnel to drop.
  • The GlobalProtect client will automatically create a new tunnel, but the user will have to reinitiate the connections to access the resources again.


Resolution


  1. Avoid setting the Portal App configuration "Connect with SSL Only" to yes where possible, as this enforces an SSL-only tunnel.
  2. Try to make sure that most, if not all, users are able to connect the tunnel using IPsec over UDP port 4501.
  3. IPsec retains the tunnel for the end user, so the failover is more seamless.
  4. Inform users before performing a firewall failover, as users connected via an SSL tunnel will momentarily face a service interruption.
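A pre-failover triage check, added here as an example that is not part of this article or of any Palo Alto Networks tooling: given the tunnel type of each connected gateway user (the record fields and the sample users below are constructed assumptions, not the firewall's own output format; the real values come from the gateway's current-user listing), it separates the users whose IPsec tunnel should survive the failover from the SSL-tunnel users who will be reconnected and must be informed beforehand, and flags a portal configured with "Connect with SSL Only".

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class GpUser:
    username: str
    client_ip: str
    tunnel_type: str  # "SSL" or "IPSec" as reported by the gateway (assumed field)


# Constructed sample records; the field layout is an assumption for this example.
SAMPLE_USERS = [
    GpUser("alice", "10.0.1.5", "IPSec"),
    GpUser("bob", "10.0.1.6", "SSL"),
    GpUser("carol", "10.0.1.7", "IPSec"),
    GpUser("dave", "10.0.1.8", "ssl"),
]


def classify_users(users: List[GpUser]) -> Tuple[List[str], List[str]]:
    """Split connected users into those whose tunnel is retained across the
    failover (IPsec) and those whose SSL tunnel is torn down and rebuilt."""
    retained, interrupted = [], []
    for u in users:
        kind = u.tunnel_type.strip().lower()
        if kind == "ipsec":
            retained.append(u.username)
        elif kind == "ssl":
            interrupted.append(u.username)
        else:
            # Unknown value: stop rather than silently misclassify a user.
            raise ValueError(f"unknown tunnel type {u.tunnel_type!r} for {u.username}")
    return retained, interrupted


def failover_report(users: List[GpUser], ssl_only_portal: bool = False) -> str:
    """Summarise the expected impact of an HA failover on the connected users."""
    retained, interrupted = classify_users(users)
    lines = []
    if ssl_only_portal:
        lines.append('Portal app config "Connect with SSL Only" is yes: all clients are '
                     "forced onto SSL tunnels; clear it before relying on IPsec retention.")
    lines.append(f"{len(retained)} user(s) on IPsec keep their tunnel: "
                 f"{', '.join(retained) or '-'}")
    lines.append(f"{len(interrupted)} user(s) on SSL will be reconnected and must "
                 f"reinitiate sessions (notify them first): {', '.join(interrupted) or '-'}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(failover_report(SAMPLE_USERS))
```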


    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HCoJCAW&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail