Large scale Palo Alto GlobalProtect VPNs

So you want to support all your remote users with a secured and supportable client-based VPN? I just deployed a VPN solution that supported 6300 clients across 40 departments using multiple authentication methods (across 4 pairs of firewalls).

So, I learned that the Palo Alto 7080 can support a max of 40,000 concurrent GlobalProtect clients, and that a Palo Alto 5260 can do up to 60,000 on a single box (not that I would want to test that scale, but good to know).

Lessons learned:

Palo Alto remote access VPN docs are not very good because they don’t show end-to-end configurations. Each doc is focused on one small aspect of the configuration, but each feature may or may not work together in the end. The lack of docs on the details of how cookies are used and what information is carried in them during re-auth is a bit frustrating when the authentication needs to use AD/LDAP group matching to give users a specific set of IP addresses after authentication.

The GP (GlobalProtect) portal is not highly available (unlike gateways), and the methodology of using first gateway response time to assign clients does NOT allow for load balancing users across multiple gateways.

I was told that the GP client will cache the gateway information so if the portal is not reachable, the client can still connect, but I have not tested that yet.
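To make the load-balancing point above concrete, here is a small simulation. It is an added example written for this page, not Palo Alto code and not the exact PAN-OS algorithm: it models the "fastest responding gateway wins" client behavior described above and compares it with a least-loaded policy that the client does not offer. The gateway names, response times, per-gateway capacities and the jitter range are all constructed assumptions; the 6300-client figure comes from the post.

```python
import random
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Gateway:
    name: str
    base_rtt_ms: float   # assumed typical client->gateway response time
    capacity: int        # assumed number of concurrent tunnels this box is sized for


# Constructed example: three gateways, two close to the client population, one far away.
GATEWAYS = [
    Gateway("gw-a", base_rtt_ms=10.0, capacity=2500),
    Gateway("gw-b", base_rtt_ms=12.0, capacity=2500),
    Gateway("gw-c", base_rtt_ms=30.0, capacity=2500),
]


def fastest_response(gateways, rng, jitter_ms=5.0):
    """Model of the client rule: connect to the gateway whose probe answers first.

    Each probe gets random jitter so a slightly slower gateway occasionally wins,
    but the gateway with the lowest base RTT still attracts most clients.
    """
    return min(gateways, key=lambda g: g.base_rtt_ms + rng.uniform(0, jitter_ms)).name


def least_loaded(gateways, load):
    """A policy the client does not implement: pick the gateway with the lowest
    utilisation (current tunnels / capacity). Shown only for comparison."""
    return min(gateways, key=lambda g: load[g.name] / g.capacity).name


def simulate(n_clients, gateways=GATEWAYS, policy="fastest", seed=1):
    """Assign n_clients to gateways under the given policy; return tunnels per gateway."""
    rng = random.Random(seed)
    load = Counter({g.name: 0 for g in gateways})
    for _ in range(n_clients):
        if policy == "fastest":
            chosen = fastest_response(gateways, rng)
        elif policy == "least_loaded":
            chosen = least_loaded(gateways, load)
        else:
            raise ValueError(f"unknown policy {policy!r}")
        load[chosen] += 1
    return dict(load)


def overloaded(load, gateways=GATEWAYS):
    """Names of gateways carrying more tunnels than they are sized for."""
    return [g.name for g in gateways if load.get(g.name, 0) > g.capacity]


if __name__ == "__main__":
    for policy in ("fastest", "least_loaded"):
        load = simulate(6300, policy=policy)
        print(policy, load, "overloaded:", overloaded(load))
```

With the fastest-response rule the two nearby gateways are never balanced: the one with the marginally lower RTT takes the large majority of the 6300 tunnels and blows through its assumed capacity, while the third gateway sits idle. That is why sizing has to assume one gateway can absorb almost the whole population, or why the gateways have to be split by portal configuration rather than relying on clients to spread themselves out.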
