Starting with PAN-OS 7.1, you can configure the Maximum Internal Gateway Connection Attempts option as part of the GlobalProtect portal agent configuration.
By increasing the value, you enable the agent to connect automatically to an internal gateway that is down or unreachable during the first connection attempt but comes back up before the specified number of attempts is exhausted. Increasing the value also ensures that such a gateway receives the most up-to-date user and host information. However, it also delays the upload of user and host information to the internal gateways that are already connected, because the agent waits to upload data until it has connected to all gateways or until all connection attempts are exhausted. During the retry period, every reachable gateway must enforce policy for the user with the previous, outdated HIP report, so a host whose posture has changed (for example, a disabled antivirus or a missing patch) is evaluated against stale data until the retry loop finishes.
With Content Release version 590-3397 or later, the logic for this feature has been enhanced so that GlobalProtect sends host information to each internal gateway as soon as it can authenticate to that gateway, rather than waiting for the retry loop to finish. GlobalProtect continues to retry authentication to any internal gateways that were previously unreachable until the number of retry attempts is exhausted or it has successfully connected to all of the internal gateways. This change lets GlobalProtect deliver the most up-to-date host information to the gateways that are available without the delay caused by gateways that are not.
To help ensure that internal gateways receive the most current user and host information, increase the maximum number of connection attempts (to 5, for example). After each failed connection attempt, the agent waits for a preconfigured amount of time before trying again, as shown in the following figure.
If the agent retries the connection five times, this can delay the submission of user and host information by at least 1 minute 35 seconds (5 + 10 + 20 + 30 + 30 seconds). However, with the enhanced logic released in Content Release version 590-3397 or later, the agent sends the host information to each gateway as soon as it establishes a connection to it. Therefore, to reduce delays in receiving up-to-date host information, we recommend installing this content release or a later one.
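The following simulation is an added example, not Palo Alto Networks code and not the agent's actual implementation. It models the two upload behaviours described above for a handful of internal gateways, so you can see how long each gateway keeps enforcing policy on a stale HIP report under the original logic versus the 590-3397 logic. It assumes the fixed back-off schedule quoted on this page (5, 10, 20, 30, 30 seconds), that the wait after the final failed attempt counts toward the delay (which is how the page arrives at 1 minute 35 seconds), and constructed gateway availability times.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Back-off between connection attempts, in seconds. Assumed from the page's
# example sum (5 + 10 + 20 + 30 + 30); the real schedule is not configurable here.
BACKOFF_SECONDS = (5, 10, 20, 30, 30)


@dataclass
class Gateway:
    """A constructed internal gateway for the simulation.

    up_at: seconds after the agent's first attempt at which the gateway becomes
    reachable (0 = reachable from the start, None = never comes back).
    """
    name: str
    up_at: Optional[float]


def worst_case_delay(max_attempts: int) -> int:
    """Seconds the original logic can hold back the HIP report when a gateway
    never answers: the sum of the back-off waits for max_attempts attempts."""
    if not 1 <= max_attempts <= len(BACKOFF_SECONDS):
        raise ValueError("example models 1..%d attempts" % len(BACKOFF_SECONDS))
    return sum(BACKOFF_SECONDS[:max_attempts])


def simulate(gateways: List[Gateway], max_attempts: int,
             enhanced: bool) -> Dict[str, Optional[float]]:
    """Return, per gateway, the time (seconds) at which it receives the
    current HIP report, or None if the agent never connects to it.

    enhanced=False: original behaviour, the report is uploaded only after the
    agent has connected to every gateway or exhausted its attempts.
    enhanced=True: Content Release 590-3397+ behaviour, each gateway receives
    the report as soon as the agent authenticates to it.
    """
    worst_case_delay(max_attempts)  # validates max_attempts
    t = 0.0
    connected_at: Dict[str, float] = {}
    for attempt in range(max_attempts):
        for gw in gateways:
            if gw.name not in connected_at and gw.up_at is not None and gw.up_at <= t:
                connected_at[gw.name] = t
        if len(connected_at) == len(gateways):
            break  # every gateway answered: no further retries
        # Wait before the next attempt (or before giving up after the last one).
        t += BACKOFF_SECONDS[attempt]
    # t is now the moment the retry loop ends.
    if enhanced:
        return {gw.name: connected_at.get(gw.name) for gw in gateways}
    return {gw.name: (t if gw.name in connected_at else None) for gw in gateways}


if __name__ == "__main__":
    # Constructed scenario: gw-a is up, gw-b recovers after 12 s, gw-c stays down.
    fleet = [Gateway("gw-a", 0), Gateway("gw-b", 12), Gateway("gw-c", None)]
    print("worst case with 5 attempts:", worst_case_delay(5), "s")
    print("original logic :", simulate(fleet, 5, enhanced=False))
    print("590-3397 logic :", simulate(fleet, 5, enhanced=True))
```

In the constructed scenario the original logic leaves gw-a and gw-b on the outdated HIP report for the full 95 seconds because gw-c never answers, while the enhanced logic updates gw-a immediately and gw-b on the third attempt (15 seconds in). Raising the attempt count only widens that gap under the original logic, which is why the content update matters more than the option value.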