Best Gateway Selection Criteria

Where Can I Use This?	What Do I Need?
NGFW (managed by Panorama or Strata Cloud Manager) Prisma Access (managed by Panorama or Strata Cloud Manager)	GlobalProtect Gateway license or Prisma Access license with the Mobile User subscription GlobalProtect 6.3.1 or later versions GlobalProtect endpoints running on Windows and macOS Content Version: 8903-9009

GlobalProtect uses a network discovery method to select the best available gateway from the available multiple gateway options. GlobalProtect attempts to communicate with all the gateways and uses criteria such as gateway priority, load, and response time from the gateway to determine the best available gateway to connect. Suboptimal endpoint conditions such as load and high CPU can impact the response time leading to incorrect gateway selection.

GlobalProtect Best Gateway Selection Criteria feature prevents suboptimal endpoint conditions effects on GlobalProtect network discovery resulting in the reliable best available GlobalProtect gateway selection in a suboptimal endpoint environment.

You can now configure the best gateway selection criteria in the app settings of the GlobalProtect portal configuration for the endpoints to select the best available gateway when the end users are connecting from an external network.

When the end user is connecting from an external network, the GlobalProtect app first attempts to connect to the external gateways listed in its client configuration, and then it establishes a connection to the gateway with the highest priority and shortest response time.

Previously, the time taken for a successful TLS handshake (Load & response time) was used by the app to measure the time taken to establish an external gateway connection.

With this feature enabled, you can configure the app to use the time taken for a successful TCP connection (Response Time) as the external gateway measurement criteria. When you select the Best Gateway Selection Criteria option as Response Time in the app settings of the portal configuration, the duration of the TCP handshake is used by the app to measure the time taken to establish an external gateway connection.

By default, the best gateway selection criteria is considered as the Load & response time (TLS handshake duration) in the app settings of the portal configuration. This is the default behaviour and previously, Load & response time was used by the app to measure the time taken to establish an external gateway connection.

1. Configure the GlobalProtect Portal.
2. Configure the GlobalProtect Gateway.
3. Configure the GlobalProtect app to use the best gateway selection criteria while connecting to the external gateway.

   1. Select NetworkGlobalProtectPortals<portal-config>Agent<agent-config>App.
   2. In the App Configurations area, select the Best Gateway Selection Criteria option as Response Time for the GlobalProtect app to use the TCP handshake time duration as the external gateway measurement criteria. By default, the Best Gateway Selection Criteria is selected as the Load & response time, which is the TLS handshake duration to measure the time taken for an external gateway connection.

4. Click OK.
5. Commit the configuration.