Global protect behavior in Auto-scale mode #33

Closed
aymanelbacha opened this issue Sep 2, 2024 · 2 comments
@aymanelbacha

We're looking to have Global protect enabled for A/A HA mode in front of an ALB. Is it recommended?
What will be the behavior if autoscaled? Are there any reference documents to be shared for such a configuration?

@horiagunica
Contributor

Hi @aymanelbacha!

IPsec and GP solutions in the public cloud are a bit more tricky due to the asymmetric routing issues. High level - if you want to have GP - you can do that with more or less any type of deployment (A/P, standalone, autoscale, etc.) - as long as you SNAT the traffic once it leaves the firewall towards your trust/protected VPC(s). That way - you can ensure symmetric routing. In order for traffic to reach your FWs you would use a public LB - or you can even use an individual PIP on each firewall's outside/untrust interface and configure your GP Portal to serve both FWs as GP gateways.

If you do NOT want to SNAT - then the issue with asymmetric routing appears, as you will need to have a reserved individual subnet for each of your firewalls - dedicated per firewall. This can become tricky when using auto-scale since they would need to have that information automatically configured at bootstrapping. If you require some additional help in this case - I recommend you reach out to your local PANW contact or visit https://www.paloaltonetworks.com/company/contact-sales.

I hope that clears up the scenario a bit!

@horiagunica horiagunica self-assigned this Sep 12, 2024
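
The return-path reasoning in the reply above, as an added example that is not part of the original thread or the project's code: a small model of which firewall receives the workload's reply with and without SNAT. The firewall names, IP addresses and route tables are constructed, and the "individual subnet per firewall" is interpreted here as a dedicated client address pool routed back to that firewall (an assumption).

```python
import ipaddress

# Constructed topology: trust-interface IPs of two autoscaled firewalls.
FIREWALLS = {"fw1": "10.0.1.10", "fw2": "10.0.1.20"}

def return_hop(dst_ip, routes):
    """Firewall that receives a reply addressed to dst_ip, or None."""
    for fw, trust_ip in FIREWALLS.items():
        if dst_ip == trust_ip:  # SNATed source: reply goes straight to that firewall
            return fw
    ip = ipaddress.ip_address(dst_ip)
    hits = [(ipaddress.ip_network(p), fw) for p, fw in routes.items()
            if ip in ipaddress.ip_network(p)]
    # Longest-prefix match, as a VPC route table would apply it.
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def symmetric(ingress_fw, client_ip, snat, routes):
    """True when the reply returns to the firewall that holds the session."""
    seen_src = FIREWALLS[ingress_fw] if snat else client_ip
    return return_hop(seen_src, routes) == ingress_fw

def scenarios():
    # One shared client pool: its single route can point at only one firewall.
    shared = {"172.16.0.0/24": "fw1"}
    # One dedicated pool per firewall, each routed back to its owner.
    dedicated = {"172.16.1.0/24": "fw1", "172.16.2.0/24": "fw2"}
    return {
        "shared_pool_no_snat": symmetric("fw2", "172.16.0.50", False, shared),
        "shared_pool_snat": symmetric("fw2", "172.16.0.50", True, shared),
        "dedicated_pool_no_snat": symmetric("fw2", "172.16.2.50", False, dedicated),
        # A pool that was never added to the route table at bootstrap.
        "unrouted_pool_no_snat": symmetric("fw2", "172.16.3.50", False, dedicated),
    }

if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:24} {'symmetric' if ok else 'ASYMMETRIC'}")
```

The last scenario is the auto-scale difficulty mentioned in the reply: without SNAT, every firewall that scales out needs its own pool and a matching return route in place before it serves clients.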
@migara
Member

migara commented Sep 26, 2024

@aymanelbacha closing this issue for the moment

@migara migara closed this as completed Sep 26, 2024