Remote Network Location with High Bandwidth Requirements

Learn how to onboard a GlobalProtect cloud service remote network location at a site with high bandwidth or redundancy requirements.
A single GlobalProtect cloud service remote network instance supports up to 300 Mbps of bandwidth, or up to 1000 Mbps in Preview mode.
When you specify 500 or 1000 Mbps, we deliver 500 Mbps or 1000 Mbps of throughput on a best-effort basis during the preview. The actual performance will vary depending on the traffic mix.
However, at some larger branch office locations or when connecting to a headend SD-WAN device, you may have higher bandwidth requirements. To enable support for more than 1000 Mbps of bandwidth at a single site, or at a high-bandwidth site with full redundancy requirements, you can onboard multiple GlobalProtect cloud service remote network location instances. Each instance you onboard must be in a different region and each instance must serve the same set of IP subnets. Depending on the type of firewall, switch, or SD-WAN device you are using to connect to the GlobalProtect cloud service, you can route traffic through one tunnel or another based on application or subnet.
For example, in the following diagram, all Internet-bound traffic uses the GlobalProtect remote network instance in Region 1, while all traffic destined for resources at your HQ or other remote network locations goes to the remote network instance in Region 2:
(Diagram: multiple remote network instances serving one remote network location)
To set up this configuration, follow the instructions to Configure the GlobalProtect Cloud Service for Remote Networks to onboard two separate remote network connections for the site. The details below show where you deviate from the basic configuration in order to onboard two separate remote network instances at the same location:
  1. Onboard the first remote network location instance:
    • Select a Region that is geographically close to the remote network location.
    • Configure the primary IPSec Tunnel to terminate at the SD-WAN device, firewall, or other IPSec-capable device at the remote network location.
    • Set the Bandwidth to match the link speed available at the location, for example, 300 Mbps.
    • Define the IP Subnets you want to secure at the remote network location. You will be onboarding the same set of IP subnets to the second remote network instance as well.
    (Screenshot: onboarding the first remote network instance)
  2. Onboard the second remote network location instance:
    • Select a different Region than you selected for the other ISP connection, but one that is still geographically close to the remote network location. For example, if you selected Northern California for the first connection, you might select Oregon for the second.
      You must select a different region because the subnets you are onboarding for this remote network instance overlap with the subnets you onboarded for the first remote network instance. Although the Cloud Services plugin will allow you to configure the two remote network instances with overlapping subnets in the same region, this configuration will fail when pushed to the GlobalProtect cloud service.
    • Configure the IPSec Tunnel to terminate at the SD-WAN device, firewall, or other IPSec-capable device at the remote network location.
    • Set the Bandwidth to match the link speed available at the location, for example, 300 Mbps.
    • Define the IP Subnets you want to secure at the remote network location. The list of subnets you define here should match the list of IP subnets you defined for the first remote network instance you onboarded for this location.
    (Screenshot: onboarding the second remote network instance)
  3. Configure routing at your remote network location to route traffic to the appropriate remote network.
    Depending on the type of firewall, switch, or SD-WAN device available at the remote network location, you can route traffic based on application or subnet. For example, you might want to route all Internet-bound traffic through one region and all traffic to your HQ or other remote network locations through the other region.
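Because the plugin accepts a same-region overlap that the cloud service later rejects, it is worth checking a planned pair of instances before committing. The following pre-push check is an added example, not Palo Alto Networks code or API; the instance records, region names and subnets are constructed, and it only encodes the two rules stated above (identical subnet sets on every instance for the site, and overlapping subnets never in the same region).

```python
from ipaddress import ip_network

# Constructed sample: two remote network instances planned for one branch site.
# Region names and subnets are placeholders, not values from any real tenant.
INSTANCES = [
    {"name": "branch-a-rn1", "region": "region-1", "bandwidth_mbps": 300,
     "subnets": ["10.10.0.0/16", "192.168.50.0/24"]},
    {"name": "branch-a-rn2", "region": "region-2", "bandwidth_mbps": 300,
     "subnets": ["10.10.0.0/16", "192.168.50.0/24"]},
]


def check_site_instances(instances):
    """Return a list of problems for instances meant to serve one site.

    Rule 1: every instance must serve the same set of IP subnets.
    Rule 2: instances whose subnets overlap must be in different regions
            (the plugin accepts same-region overlap, but the push fails).
    """
    problems = []
    parsed = []
    for inst in instances:
        nets = set()
        for s in inst["subnets"]:
            try:
                nets.add(ip_network(s, strict=True))  # reject host bits set
            except ValueError as exc:
                problems.append(f"{inst['name']}: bad subnet {s!r} ({exc})")
        parsed.append((inst, nets))

    # Rule 1: compare each instance's subnet set against the first one.
    ref_inst, ref_nets = parsed[0]
    for inst, nets in parsed[1:]:
        if nets != ref_nets:
            missing = sorted(map(str, ref_nets - nets))
            extra = sorted(map(str, nets - ref_nets))
            problems.append(f"{inst['name']}: subnet set differs from "
                            f"{ref_inst['name']} (missing {missing}, extra {extra})")

    # Rule 2: any overlap between two instances in the same region is fatal.
    for i in range(len(parsed)):
        for j in range(i + 1, len(parsed)):
            a, a_nets = parsed[i]
            b, b_nets = parsed[j]
            if a["region"] != b["region"]:
                continue
            overlap = sorted((str(x), str(y)) for x in a_nets for y in b_nets
                             if x.overlaps(y))
            if overlap:
                problems.append(f"{a['name']} and {b['name']} share region "
                                f"{a['region']} with overlapping subnets {overlap}")
    return problems
```

Run it against the planned instances (`check_site_instances(INSTANCES)`) and only push when the returned list is empty.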
