Dual ISPs in Active-Active Mode
Learn how to support dual ISPs in an active-active configuration at a GlobalProtect cloud service remote network location.
By default, the GlobalProtect cloud service for remote networks provides support for two ISP links, which operate in active-passive mode. That is, if the primary ISP link goes down, the GlobalProtect cloud service detects the outage and establishes a tunnel to the remote network location over the secondary WAN link. However, in some environments, it is necessary to have both ISP links actively passing traffic from the remote network location through the GlobalProtect cloud service simultaneously. For example, if you have one fast ISP link and a slower ISP link, you may want to designate which traffic goes over which link based on subnet or application.
To enable this use case, you must onboard two remote network instances with the GlobalProtect cloud service, each at the same remote network location but in a different region. Configure the first ISP as the primary WAN link on the first instance and the second ISP as the primary WAN link on the second instance, with no secondary WAN link configured on either instance. Then add all of the subnets at the site to both instances. For example, if the remote network has subnet1 and subnet2, you would onboard both remote network instances to include both subnets. Because both IPSec tunnels carry traffic for both subnet1 and subnet2, the following limitations apply to this configuration.
- There is no inbound remote network-to-remote network traffic: because both tunnels carry traffic for the same subnets, the other remote network locations do not know which tunnel to use to reach the site. However, users and services at this site can access resources at other remote network locations, provided there are no overlapping subnets at the site.
- Traffic from your HQ sites cannot reach resources at the remote network location with the dual ISP configuration, because HQ does not know how to route traffic to it. The remote network site can, however, access resources at your HQ sites over either tunnel.
- Mobile users cannot access resources at this remote network location, again because of the inbound routing limitations.
To set up this configuration, follow the instructions to Configure the GlobalProtect Cloud Service for Remote Networks to onboard two separate remote network connections for the site. The details below show how you will deviate from the basic configuration in order to enable you to route traffic to the GlobalProtect cloud service using dual ISPs in an active-active mode:
- Onboard the first remote network location instance using the first ISP as the primary WAN link.
- Select a Region that is geographically close to the remote network location.
- Configure the primary IPSec Tunnel to terminate at the IP address associated with your first ISP.
- Do not Enable Secondary WAN.
- Set the Bandwidth as appropriate for the link speed available on ISP1, for example, 25 Mbps.
- Onboard the second remote network location instance using the second ISP as the primary WAN link.
- Select a different Region than you selected for the other ISP connection, but one that is still geographically close to the remote network location (for example, if you selected Northern California for the first connection, you might select Oregon for the second). You must select a different region because the subnets you onboard for the second ISP remote network instance overlap with the subnets you onboarded for the first ISP remote network instance. Although the GlobalProtect cloud service allows you to configure the two remote network instances with overlapping subnets in the same region, this configuration will fail when pushed to the GlobalProtect cloud service.
- Configure the IPSec Tunnel to terminate at the IP address associated with your second ISP.
- Do not Enable Secondary WAN.
- Set the Bandwidth as appropriate for the link speed available on ISP2, for example, 10 Mbps.
- Configure routing at your remote network location to route traffic over the appropriate ISP link. Depending on the type of firewall, switch, or SD-WAN device available at the remote network location, you can route traffic based on application or subnet. For example, you might want to route all guest Wi-Fi traffic over one ISP and all other traffic over the other ISP. Or, you might want to send all web traffic over one ISP and all other traffic over the other ISP link.
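The following added example (not Palo Alto Networks code, and not part of this documentation) models the onboarding rules above as a pre-push sanity check, and shows the kind of subnet-based steering decision the site-side device makes in the last step. The instance names, region names, tunnel peer addresses, subnets and bandwidth values are constructed sample values; the check flags exactly the failure mode the text describes (overlapping subnets in the same region) and the other deviations from the intended plan (a secondary WAN left enabled, different subnet lists, both instances on the same ISP address).

```python
"""Pre-push sanity check for a dual-ISP active-active remote network plan.

Added example, not vendor code. Encodes the rules stated on the page:
  - each instance uses one ISP as its primary WAN link and has no secondary WAN
  - both instances carry the same list of site subnets
  - the two instances must be in different regions, because overlapping
    subnets in the same region fail when the configuration is pushed
It also shows longest-prefix-match policy routing by source subnet, which is
how a site firewall or SD-WAN device would steer guest traffic to one ISP
and everything else to the other. All values below are constructed samples.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class RemoteNetworkInstance:
    name: str                    # hypothetical instance name
    region: str                  # cloud service region selected for this instance
    primary_tunnel_peer: str     # site's public IP on this ISP (sample value)
    subnets: List[str]           # site subnets onboarded on this instance
    bandwidth_mbps: int          # bandwidth matching this ISP's link speed
    secondary_wan_enabled: bool = False


# Constructed sample site: subnet1 is corporate LAN, subnet2 is guest Wi-Fi.
SITE_SUBNETS = ["10.10.0.0/24", "10.20.0.0/24"]
ISP1_INSTANCE = RemoteNetworkInstance(
    "site-a-isp1", "Northern California", "198.51.100.10", SITE_SUBNETS, 25)
ISP2_INSTANCE = RemoteNetworkInstance(
    "site-a-isp2", "Oregon", "203.0.113.20", SITE_SUBNETS, 10)

# Constructed steering policy for the site device: guest Wi-Fi over the
# slower ISP2, everything else in the site range over the faster ISP1.
ROUTING_POLICY: List[Tuple[str, str]] = [
    ("10.20.0.0/24", "ISP2"),
    ("10.0.0.0/8", "ISP1"),
]


def validate_active_active(inst_a: RemoteNetworkInstance,
                           inst_b: RemoteNetworkInstance) -> List[str]:
    """Return the list of rule violations; an empty list means the plan is consistent."""
    problems = []
    for inst in (inst_a, inst_b):
        if inst.secondary_wan_enabled:
            problems.append(f"{inst.name}: secondary WAN must stay disabled")
    if inst_a.primary_tunnel_peer == inst_b.primary_tunnel_peer:
        problems.append("both instances terminate on the same ISP address")
    nets_a = {ip_network(s) for s in inst_a.subnets}
    nets_b = {ip_network(s) for s in inst_b.subnets}
    if nets_a != nets_b:
        problems.append("both instances must list the same site subnets")
    overlap = any(x.overlaps(y) for x in nets_a for y in nets_b)
    if overlap and inst_a.region == inst_b.region:
        problems.append("overlapping subnets in the same region fail on push; "
                        "select a different region for the second instance")
    return problems


def choose_isp(src_ip: str, policy: List[Tuple[str, str]],
               default: str) -> str:
    """Pick the ISP for a source address by longest-prefix match over the policy."""
    addr = ip_address(src_ip)
    best: Optional[Tuple[int, str]] = None
    for net_str, isp in policy:
        net = ip_network(net_str)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, isp)
    return best[1] if best else default


if __name__ == "__main__":
    print("plan problems:", validate_active_active(ISP1_INSTANCE, ISP2_INSTANCE))
    for host in ("10.10.0.5", "10.20.0.7", "192.168.1.1"):
        print(host, "->", choose_isp(host, ROUTING_POLICY, default="ISP1"))
```

Run the check before pushing the two instances; the same-region case is the one that the management plane accepts but the push rejects, so catching it in advance saves a failed commit. The steering function is deliberately source-subnet based, which is the simplest of the two approaches (subnet or application) the text mentions.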