GlobalProtect Multiple Gateway Configuration
In GlobalProtect
Multiple Gateway Topology, a second external gateway has
been added to the configuration. Multiple gateways are supported
in all of the preceding example configurations. Additional steps
include configuring a second firewall as a GlobalProtect gateway.
In addition, when configuring the client configurations to be deployed
by the portal you can decide whether to allow access to all gateways,
or specify different gateways for different configurations.
If a
client configuration contains more than one gateway, the agent will
attempt to connect to all gateways listed in its client configuration.
The agent will then use priority and response time as to determine the
gateway to which to connect. The agent connects to a lower priority
gateway only if the response time for the higher priority gateway
is greater than the average response time across all gateways. For more
information, see Gateway
Priority in a Multiple Gateway Configuration.
- Create
Interfaces and Zones for GlobalProtect.In this configuration, you must set up interfaces on each firewall hosting a gateway.Use the default virtual router for all interface configurations to avoid having to create inter-zone routing.On the firewall hosting the portal/gateway (gw1):
- Select and configure ethernet1/2 as a Layer 3 Ethernet interface with IP address 198.51.100.42 and assign it to the l3-untrust security zone and the default virtual router.
- Create a DNS “A” record that maps IP address 198.51.100.42 to gp1.acme.com.
- Select and add the tunnel.2 interface and add it to a new zone called corp-vpn. Assign it to the default virtual router.
- Enable User Identification on the corp-vpn zone.
On the firewall hosting the second gateway (gw2):- Select and configure ethernet1/5 as a Layer 3 Ethernet interface with IP address 192.0.2.4 and assign it to the l3-untrust security zone and the default virtual router.
- Create a DNS “A” record that maps IP address 192.0.2.4 to gp2.acme.com.
- Select and add the tunnel.1 interface and add it to a new zone called corp-vpn. Assign it to the default virtual router.
- Enable User Identification on the corp-vpn zone.
- Purchase and install a GlobalProtect subscription on
each gateway if you have users who will be using the GlobalProtect
app on their mobile devices or if you plan to use HIP-enabled security policy.After you purchase the GlobalProtect subscription and receive your activation code, install the license on the firewall hosting the portal as follows:
- Select .
- Select Activate feature using authorization code.
- When prompted, enter the Authorization Code and then click OK.
- Verify that the license was successfully activated.
- On each firewall hosting a GlobalProtect gateway, create
security policy.This configuration requires policy rules to enable traffic flow between the corp-vpn zone and the l3-trust zone to enable access to your internal resources ().
- Obtain server certificates for the interfaces hosting
your GlobalProtect portal and each of your GlobalProtect gateways
using the following recommendations:
- (On the firewall hosting the portal or portal/gateway) Import a server certificate from a well-known, third-party CA.
- (On a firewall hosting only a gateway) Use the root CA on the portal to generate a self-signed server certificate.
On each firewall hosting a portal/gateway or gateway, select to manage certificates as follows:- Obtain a server certificate for the portal/gw1. Because the portal and the gateway are on the same interface you must use the same server certificate. The CN of the certificate must match the FQDN, gp1.acme.com. To enable clients to connect to the portal without receiving certificate errors, use a server certificate from a public CA.
- Obtain a server certificate for the interface hosting gw2. Because this interface hosts a gateway only you can use a self-signed certificate. The CN of the certificate must match the FQDN, gp2.acme.com.
- Define how you will authenticate users to the portal
and the gateways.You can use any combination of certificate profiles and/or authentication profiles as necessary to ensure the security for your portal and gateways. Portals and individual gateways can also use different authentication schemes. See the following sections for step-by-step instructions:
- Set Up External Authentication (authentication profile)
- Set Up Client Certificate Authentication (certificate profile)
- Set Up Two-Factor Authentication (token- or OTP-based)
You will then need to reference the certificate profile and/or authentication profiles you defined in the portal and gateway configurations you define. - Configure the gateways.This example shows the configuration for gp1 and gp2 shown in GlobalProtect Multiple Gateway Topology. (See Configure a GlobalProtect Gateway for step-by-step instructions on creating the gateway configurations.)On the firewall hosting gp1, select and configure the gateway settings as follows:Interface—ethernet1/2IP Address—198.51.100.42Server Certificate—GP1-server-cert.pem issued by GoDaddyTunnel Interface—tunnel.2IP Pool—10.31.32.3 - 10.31.32.118On the firewall hosting gp2, select and configure the gateway settings as follows:Interface—ethernet1/2IP Address—192.0.2.4Server Certificate—self-signed certificate, GP2-server-cert.pemTunnel Interface—tunnel.1IP Pool—10.31.33.3 - 10.31.33.118
- Configure the GlobalProtect
Portals.Select and add the following configuration:
- Set
Up Access to the GlobalProtect Portal:Interface—ethernet1/2IP Address—198.51.100.42Server Certificate—GP1-server-cert.pem issued by GoDaddy
- Define
the GlobalProtect Agent Configurations:The number of client configurations you create depends on your specific access requirements, including whether you require user/group-based policy and/or HIP-enabled policy enforcement.
- Set
Up Access to the GlobalProtect Portal:
- Deploy
the GlobalProtect Agent Software.Select .In this example, use the procedure to Host Agent Updates on the Portal.
- Save the GlobalProtect configuration.Click Commit on the firewall hosting the portal and the gateway(s).