Hi,
We are moving our GlobalProtect portal/gateway from the existing firewall to a new firewall on a different site. A third-party certificate is the one which we currently use as Root CA. So is it possible to use the same cert on the new firewall? Or do we need to obtain a new certificate for the new firewall which will host the GP portal and gateway? I'm looking for some best practices to do it if the above can be done.
Okay, thank you.
After you update the A record, agents will organically start connecting to the new gateway. Once the TTL has expired you can check which users are still connected to the old gateway and have them disconnect and reconnect. All others will automatically connect to the new gateway (only the ones that are still connected after the TTL expires should be requested to reconnect).
It can exist on both firewalls at the same time, no problem at all. The only thing that determines when the new firewall will start to receive connections is when you change the DNS record. From that moment forward, agents will start gradually switching to the new firewall based on when they update their DNS cache (this is why you should change the TTL to 1 hour, so that this grace period is shortened). At T+1 most agents will still have the old record and will still connect to the old gateway. By T+61 all agents will have the new record and new connections will happen to the new gateway. Existing connections will remain connected to the old gateway. You can choose to let those agents time out, or manually disconnect them. By the next day all agents should connect to the new gateway.
You can check if any users are still connecting to the old gateway by checking the "remote users" in the gateway section. (There's no way to verify if the agent updated their DNS record.) For your 2., why would you wait? You can perfectly import the "old" configuration onto the new firewall (GlobalProtect config + certificates) and commit. This will work fully independently of the DNS record (this will even allow you to test the new portal by setting a record in the hosts file for the FQDN to the new IP).
Practically that means:
- lower the domain TTL to 1 hour (not a big issue if you can't do this)
- set up the new site with identical config but new IP addresses
- switch DNS to the new IP
- wait for all/most agents to switch to the new gateway
- once no connections persist in the old site, dismantle it
- set the domain TTL back to 24h
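As an added example (not from this thread or from Palo Alto), a bash script that checks the two things the steps above hinge on: that the new firewall, reached by IP with SNI set to the FQDN (the same idea as the hosts-file test), presents a certificate whose SAN covers that FQDN, and that the A record has actually switched to the new IP. GP_FQDN, NEW_IP and the helper names are assumptions; the live checks need dig and openssl on PATH.

```bash
#!/usr/bin/env bash
# Added example (not from this thread): pre-flight and cut-over checks for
# a GlobalProtect portal/gateway move. GP_FQDN and NEW_IP are placeholders.
set -euo pipefail
GP_FQDN="${GP_FQDN:-gp.example.com}"   # placeholder portal/gateway FQDN
NEW_IP="${NEW_IP:-203.0.113.10}"       # placeholder new firewall IP (TEST-NET-3)

# Read 'dig +noall +answer <fqdn> A' output on stdin; print "<ip> <ttl>" per A record.
dns_a_records() {
    awk '$4 == "A" { print $5, $2 }'
}

# Succeed only when every A record in the dig output on stdin already points
# at $1, i.e. the resolver you asked has picked up the cut-over.
dns_switched_to() {
    local target="$1" ip ttl recs
    recs=$(dns_a_records)
    [ -n "$recs" ] || return 1                # no A record at all
    while read -r ip ttl; do
        [ "$ip" = "$target" ] || return 1     # still (partly) on the old IP
    done <<< "$recs"
}

# Succeed when a subjectAltName line (as printed by 'openssl x509 -ext
# subjectAltName') covers $1, including a single-label wildcard such as *.example.com.
san_covers() {
    local fqdn="$1" san_line="$2" name
    while IFS= read -r name; do
        name="${name#*DNS:}"; name="${name// /}"
        [ "$name" = "$fqdn" ] && return 0
        [ "${name:0:2}" = "*." ] && [ "${name:2}" = "${fqdn#*.}" ] && return 0
    done <<< "${san_line//,/$'\n'}"
    return 1
}

# Live check 1 (network): before touching DNS, connect to the NEW firewall by IP
# with SNI set to the FQDN and confirm the certificate it serves is issued for
# that FQDN (reused FQDN cert imported correctly, right cert bound to the portal).
check_new_gateway_cert() {
    local san
    san=$(echo | openssl s_client -connect "$NEW_IP:443" -servername "$GP_FQDN" 2>/dev/null \
          | openssl x509 -noout -ext subjectAltName | tail -n 1)
    san_covers "$GP_FQDN" "$san"
}

# Live check 2 (network): after the A record change, re-run until it succeeds;
# once it does, only agents with a cached answer are still on the old gateway.
check_dns_cutover() {
    dig +noall +answer "$GP_FQDN" A | dns_switched_to "$NEW_IP"
}
```

Run `check_new_gateway_cert` before the DNS change and `check_dns_cutover` after it; the remaining "remote users" on the old gateway are the ones to ask to reconnect once the TTL has passed.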
We are using FQDN.
Are you using FQDN in the portal/gateway and certificates, or IP addresses? FQDN certificates can be reused by updating the DNS configuration to the new IP addresses. If you're on IP addresses, you will need new certificates.