Would it be possible to use GlobalProtect VPN to connect to multiple locations simultaneously? If so, what would be the steps to achieve this? An external partner asked if this was possible, and I was curious.
Thanks!
You might want to look at Prisma access instead.
What other folks have said. Nope. One gateway at a time. What your network looks like behind that will govern what they can access.
In the case of Prisma Access, you can have a gateway connect to multiple service connections, which tunnel back to multiple locations (spokes to hubs basically)
I don’t think this is possible. Global Protect creates one virtual network adapter on your PC, which gives you an IP address based on the IP pool set on your Gateway. Hence you will be connected to one network only.
But I’ve only worked on it for a month, maybe someone else knows this is possible
Either backhaul your GP Gateways behind the scenes with IPsec Palo to Palo so any gateway can route to other Gateway LANs, or have your users select the Gateway they need for the LAN access from the drop-down list, or use clientless VPN and SSO + MFA, or set up multiple tunnels on the client to the IPsec at each gateway and just control the routing in Windows/Linux/etc at the client (NAT required if IP overlaps) - use GP Agent or Captive Portal for identity.
You can also set up gateway preferences based on location / availability / identity.
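The "multiple tunnels, control the routing at the client" option above only works when the LAN prefixes behind the gateways do not collide. As an added planning check (not from this thread or from Palo Alto), the script below takes a constructed, hypothetical set of gateways with their client pools and LAN prefixes, flags any cross-gateway overlap that would force NAT, and builds the longest-prefix-first static route list a client would need:

```python
from ipaddress import ip_network
from itertools import combinations

# Constructed example data: names, client pools and LAN prefixes are hypothetical.
# "pool" is the IP pool a gateway hands to GP clients; "lans" are the networks
# reachable behind that gateway.
GATEWAYS = {
    "gw-east": {"pool": "10.200.0.0/24", "lans": ["10.10.0.0/16", "192.168.50.0/24"]},
    "gw-west": {"pool": "10.200.1.0/24", "lans": ["10.20.0.0/16", "192.168.50.0/24"]},
    "gw-dc":   {"pool": "10.200.2.0/24", "lans": ["172.16.0.0/12"]},
}


def find_overlaps(gateways):
    """Return (gw_a, prefix_a, gw_b, prefix_b) for every pair of prefixes that
    belong to different gateways and overlap. Any hit means a client with
    tunnels to both gateways cannot route unambiguously; one side needs NAT."""
    entries = [(gw, ip_network(p)) for gw, cfg in gateways.items()
               for p in cfg["lans"] + [cfg["pool"]]]
    return [(ga, str(pa), gb, str(pb))
            for (ga, pa), (gb, pb) in combinations(entries, 2)
            if ga != gb and pa.overlaps(pb)]


def client_routes(gateways):
    """Build the static routes a client would install: one per LAN prefix,
    pointing at the tunnel of the gateway that owns it, most specific first.
    A prefix advertised identically by two gateways is reported as ambiguous
    and kept on the first gateway seen."""
    routes, ambiguous = {}, []
    for gw, cfg in gateways.items():
        for p in cfg["lans"]:
            net = ip_network(p)
            if net in routes and routes[net] != gw:
                ambiguous.append((str(net), routes[net], gw))
            routes.setdefault(net, gw)
    ordered = sorted(routes.items(),
                     key=lambda kv: (-kv[0].prefixlen, int(kv[0].network_address)))
    return [(str(net), gw) for net, gw in ordered], ambiguous


if __name__ == "__main__":
    for hit in find_overlaps(GATEWAYS):
        print("OVERLAP (NAT needed):", hit)
    routes, ambiguous = client_routes(GATEWAYS)
    for prefix, gw in routes:
        print(f"route {prefix} via tunnel to {gw}")
    for prefix, first, second in ambiguous:
        print(f"AMBIGUOUS: {prefix} on both {first} and {second}")
```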
You could make site-to-site VPN connections between the locations and then route over them. Bonus points if you set up multiple sites with GP and then use some kind of dynamic DNS for LB and fail-over.
Maybe I should quit my day job and just fix all these people’s problems? Anyone want to start a consulting business and just pick up clients on forums?
Look up Prisma; this is what you’re after. Endpoints connect to Prisma (cloud) and you connect multiple other destinations into Prisma if needed via tunnels or cloud/on-prem on-ramp (VPN tunnels to existing WAN edges), etc.
Beware current minimum license counts mandated by Palo (200 last I checked) and requirement for Panorama.
You can’t do this with a single client. When I was a consultant, I would create a virtual machine with the VPN client for each location I needed to connect to.
Not sure what the use case is but the short answer is no.
You could however set up GP on 3 firewalls, so you have redundant gateways, and then configure site to site tunnels, and restrict access to only the GP subnets.
If you need connectivity to and between multiple locations, sounds like you need to build the network first, then use the vpn client to connect to it.
No, GP puts you in 1 location, so when you connect you are virtually talking from that location. The only difference is split tunnel, so you can specify, say, public traffic goes out via your computer and corporate traffic goes over the tunnel.
Once you are connected to that GP, you should have your corp network designed in a way to access these other locations.
From multiple locations yes, to multiple gateways no. One client connects to one gateway.
However, I’m not sure I understand what you want to achieve. If you manage the different locations yourself, establish site-to-site VPN from the GP gateway to the different locations. Your client will connect to the gateway, and the gateway will route the traffic to the other locations.
Also, depending on the goal, you can have one portal but with multiple gateways. Or multiple portals+gateways and the user can change manually.
This. The scenario you describe is more suited to a ZTNA type solution.
Panorama is no longer required. You have a cloud managed at your disposal
When I was a consultant, I would create a virtual machine with the VPN client for each location I needed to connect to.
I do the exact same thing, one VM per client and then GP inside the VM along with the client data / bookmarks / etc. This also resolves the issue of the client restrictions on the GP Agent config locking the list of GP portals (also bypassed by modifying the config file in the GP client config folder). This also means that if you are helping the client fix issues with broken policies, you can still share your screen with Teams / Webex / etc as your host isn’t going through their network - only the client VM. Really easy to wipe the VM and sanitize the client data at the end of a project and to spin up a new VM for a new client from a patched and updated reference VM, or to run multiple VMs at once and be on multiple networks while still screen sharing / creating as-built documentation.
Thanks, I offered this suggestion to the external consultant.
Seemed the least hassle, and it’s just for a short period.