External Gateway Priority by Source Region

GlobalProtect can now use the geographic region of the GlobalProtect client to determine the best external gateway. By including source region as part of external gateway selection logic, you can ensure that users connect to gateways that are preferred for their current region. This can help avoid distant connections when there are momentary fluctuations of network latency. This can also be used to ensure all connections stay within a region if desired.
source-region-done-composite.png
This feature is not supported for IPv6 connections. Also, identifying the region for the connecting endpoint may not be reliable if a proxy server is used for the portal connection or if the firewall performs a source NAT on the traffic to the portal.
  1. On the
    External
    tab, click
    Add
    for External Gateways.
  2. Add
    one or more
    Source Regions
    for the gateway, or select
    Any
    to make the gateway available to all regions. When users connect, GlobalProtect recognizes the device region and only allows uses to connect to gateways that are configured for that region. GlobalProtect prioritizes the source region first, and then considers gateway priority.
    source-region.png
  3. Set the
    Priority
    of the gateway:
    If you have only one external gateway, you can leave the value set to
    Highest
    (default).
    If you have multiple external gateways, you can modify the priority values (ranging from
    Highest
    to
    Lowest
    ) to indicate a preference for the specific user group to which this configuration applies. For example, if you prefer that the user group connects to a local gateway you would set the priority higher than that of more geographically distant gateways. The priority value is then used to weight the agent’s gateway selection algorithm.
    If you do not want agents to automatically establish tunnel connections with the gateway, select
    Manual only
    . This setting is useful in testing environments.
  4. Save the agent configuration.
    • Click
      OK
      twice
    • Commit
      your changes.

Related Documentation