GlobalProtect
GlobalProtect Multiple Gateway Configuration
Table of Contents
GlobalProtect Multiple Gateway Configuration
In the GlobalProtect
Multiple Gateway Topology below, a second external gateway
is added to the configuration. In this topology, you must configure
an additional firewall to host the second GlobalProtect gateway.
When you add the client configurations to be deployed by the portal,
you can also specify different gateways for different client configurations
or allow access to all gateways.
GlobalProtect Multiple Gateway Topology
If a client configuration
contains more than one gateway, the app attempts to connect to all
gateways listed in its client configuration. The app uses priority
and response time to determine the gateway to which it will connect.
The app only connects to a lower priority gateway if the response
time for the higher priority gateway is greater than the average
response time across all gateways. For more information, see Gateway
Priority in a Multiple Gateway Configuration.
- In this configuration, you must set up interfaces on each firewall hosting a gateway.Use thedefaultvirtual router for all interface configurations to avoid having to create inter-zone routing.On the firewall hosting the portal/gateway (gw1):
- Select , and then selectethernet1/2.
- Configureethernet1/2as a Layer 3 interface with an IP address of198.51.100.42, and then assign it to thel3-untrustSecurity Zoneand thedefaultVirtual Router.
- Create a DNS “A” record that maps IP address198.51.100.42togp1.acme.com.
- Select , and thenAddthetunnel.2interface. Add the interface to a newSecurity Zonecalledcorp-vpn. Assign it to thedefaultVirtual Router.
- Enable User Identification on thecorp-vpnzone.
On the firewall hosting the second gateway (gw2):- Select , and then selectethernet1/5.
- Configureethernet1/5as a Layer 3 interface with an IP address of192.0.2.4, and then assign it to thel3-untrustSecurity Zoneand thedefaultVirtual Router.
- Create a DNS “A” record that maps IP address192.0.2.4togp2.acme.com.
- Select , and thenAddthetunnel.1interface. Add the interface to a newSecurity Zonecalledcorp-vpn. Assign it to the defaultVirtual Router.
- Enable User Identification on thecorp-vpnzone.
- Purchase and install a GlobalProtect subscription on each gateway if your end-users will be using the GlobalProtect app on their mobile endpoints or if you plan on using the HIP-enabled security policy.After you purchase the GlobalProtect subscription and receive your activation code, install the license on the firewall hosting the portal, as follows:
- Select .
- SelectActivate feature using authorization code.
- When prompted, enter theAuthorization Code, and then clickOK.
- Verify that the license was activated successfully:
- On each firewall hosting a GlobalProtect gateway, create security policies.This configuration requires policy rules to enable traffic flow between thecorp-vpnzone and thel3-trustzone to provide access to your internal resources ().
- Use the following recommendations to obtain server certificates for each interface hosting your GlobalProtect portal and GlobalProtect gateways:
- (On the firewall hosting the portal or portal/gateway) Import a server certificate from a well-known, third-party CA.
- (On a firewall hosting only a gateway) Use the root CA on the portal to generate a self-signed server certificate.
On each firewall hosting a portal/gateway or gateway, select to manage certificates as follows:- Obtain a server certificate for the interface hosting portal/gw1. Because the portal and the gateway are on the same interface, you must use the same server certificate. The CN of the certificate must match the FQDN,gp1.acme.com. To enable endpoints to connect to the portal without receiving certificate errors, use a server certificate from a public CA.
- Obtain a server certificate for the interface hosting gw2. Because this interface hosts only a gateway, you can use a self-signed certificate. The CN of the certificate must match the FQDN,gp2.acme.com.
- Define how you will authenticate users to the portal and the gateways.You can use any combination of certificate profiles and/or authentication profiles as necessary to ensure the security of your portal and gateways. Portals and individual gateways can also use different authentication schemes. See the following sections for step-by-step instructions:
- Set Up External Authentication (authentication profile)
- Set Up Client Certificate Authentication (certificate profile)
- Set Up Two-Factor Authentication (token- or OTP-based)
You must then reference the certificate profile and/or authentication profiles that you define in the portal and gateway configurations. - The following example shows the configuration for gp1 and gp2, as seen in GlobalProtect Multiple Gateway Topology.On the firewall hosting gp1, select . Configure the gateway settings as follows:Interface—ethernet1/2IP Address—198.51.100.42Server Certificate—GP1-server-cert.pem issued by GoDaddyTunnel Interface—tunnel.2IP Pool—10.31.32.3 - 10.31.32.118On the firewall hosting gp2, select . Configure the gateway settings as follows:Interface—ethernet1/2IP Address—192.0.2.4Server Certificate—self-signed certificate, GP2-server-cert.pemTunnel Interface—tunnel.1IP Pool—10.31.33.3 - 10.31.33.118
- Configure the GlobalProtect Portals.Select . Configure the portal settings as follow:
- Interface—ethernet1/2IP Address—198.51.100.42Server Certificate—GP1-server-cert.pem issued by GoDaddy
- The number of client configurations you create depends on your specific access requirements, including whether you require user/group-based policy and/or HIP-enabled policy enforcement.
- Select .In this example, follow the procedure to Host App Updates on the Portal.
- Save the GlobalProtect configuration.Committhe configuration on the firewall hosting the portal and gateway(s).