External Gateway Priority by Source Region
GlobalProtect can now use the geographic region of the GlobalProtect client to determine the best external gateway. By including source region as part of external gateway selection logic, you can ensure that users connect to gateways that are preferred for their current region. This can help avoid distant connections when there are momentary fluctuations of network latency. This can also be used to ensure all connections stay within a region if desired.
This feature is not supported for IPv6 connections. Also, identifying the region for the connecting endpoint may not be reliable if a proxy server is used for the portal connection or if the firewall performs a source NAT on the traffic to the portal.
- Define a GlobalProtect Agent Configuration.
- On the External tab, click Add for External Gateways.
- Add one or more Source Regions for the gateway, or select Any to make the gateway available to all regions. When users connect, GlobalProtect recognizes the device region and only allows users to connect to gateways that are configured for that region. GlobalProtect prioritizes the source region first, and then considers gateway priority.
- Set the Priority of the gateway:
  - If you have only one external gateway, you can leave the value set to Highest (default).
  - If you have multiple external gateways, you can modify the priority values (ranging from Highest to Lowest) to indicate a preference for the specific user group to which this configuration applies. For example, if you prefer that the user group connects to a local gateway, you would set the priority higher than that of more geographically distant gateways. The priority value is then used to weight the agent’s gateway selection algorithm.
  - If you do not want agents to automatically establish tunnel connections with the gateway, select Manual only. This setting is useful in testing environments.
- Save the agent configuration.
- Click OK twice.
- Commit your changes.
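
An added example, not taken from the GlobalProtect documentation or from PAN-OS: a Python check that models the region filter described in the steps above and reports regions that would be left with no automatic gateway, plus gateways set to Any that would let connections leave their region. The gateway names, region codes and dictionary layout are constructed for illustration; the agent's real selection also weights candidates, so the order returned here is a preference order only.

```python
# Priority labels from most to least preferred; "Manual only" is handled separately.
PRIORITY_ORDER = ["Highest", "High", "Medium", "Low", "Lowest"]
MANUAL_ONLY = "Manual only"

# Constructed sample data: hypothetical gateway names and region codes.
GATEWAYS = [
    {"name": "gw-us-east", "regions": {"US", "CA"}, "priority": "Highest"},
    {"name": "gw-eu-west", "regions": {"DE", "FR"}, "priority": "Highest"},
    {"name": "gw-eu-backup", "regions": {"DE"}, "priority": "Low"},
    {"name": "gw-lab", "regions": {"Any"}, "priority": "Manual only"},
    {"name": "gw-apac", "regions": {"JP"}, "priority": "Manual only"},
]

def eligible(gateways, region):
    """Return (automatic, manual) gateway names offered to a client in `region`."""
    # Source region is applied first: the gateway must list the region or Any.
    match = [g for g in gateways if region in g["regions"] or "Any" in g["regions"]]
    auto = [g for g in match if g["priority"] != MANUAL_ONLY]
    # Gateway priority is considered second, within the region-matched set.
    auto.sort(key=lambda g: PRIORITY_ORDER.index(g["priority"]))
    manual = [g for g in match if g["priority"] == MANUAL_ONLY]
    return [g["name"] for g in auto], [g["name"] for g in manual]

def audit(gateways, expected_regions):
    """List configuration findings to review before committing."""
    findings = []
    for region in sorted(expected_regions):
        auto, manual = eligible(gateways, region)
        if not auto and not manual:
            findings.append(f"{region}: no gateway configured for this region")
        elif not auto:
            findings.append(f"{region}: only Manual only gateways, no automatic tunnel")
    for g in gateways:
        # An automatic gateway open to Any region defeats in-region pinning.
        if "Any" in g["regions"] and g["priority"] != MANUAL_ONLY:
            findings.append(f"{g['name']}: Any region with automatic priority")
    return findings

if __name__ == "__main__":
    print(eligible(GATEWAYS, "DE"))
    for finding in audit(GATEWAYS, {"US", "DE", "JP", "BR"}):
        print(finding)
```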