How to configure a global protect so that they user choose which VPN profile/group to connect?

Dereje — Fri, 17 Sep 2021 01:04:42 GMT

As part of migrating from AnyConnect VPN to Global Protect remote access VPN: -

Use Case:

We are using Azure AD for authentication and the GlobalProtect authentication profile is configured to use Azure AD for SSO authentication;

We want remote users to use GlobalProtect remote access VPN to access enterprise data center resources;

A GlobalProtect Portal and GlobalProtect Gateway is configured on a pair of PA5260 firewalls in HA;

Each Active Directory user group has its own VPN profile, where each VPN profile has its own assigned IP pool;

When members of the group connect to the VPN, they should be getting IP addresses only from the ranges assigned to the pool;

We have users that are a member of multiple Active Directory groups (which means a user can be a member of multiple VPN profiles);

When a user connects to different VPN profile, the user should get IP address from the designated pool;

We want to accomplish:

The firewall rules on the data center firewalls are set up to permit or deny users based on the IP pool assigned to the VPN profiles (basically based on the group in Active Directory).

In the GlobalProtect configuration, how do we make users choose which VPN profile/Group to associate while they are establishing VPN connection?

I might not explaining the problem very well here, but please let me know if you have any question.

Thank you

Re: How to configure a global protect so that they user choose which VPN profile/group to connect?

TomYoung — Fri, 17 Sep 2021 02:06:15 GMT

Hi @Dereje ,

What you are describing is a very standard way of doing things with Cisco AnyConnect. Because GlobalProtect (GP) users are automatically added to User-ID (the NGFW knows their name and IP at login), the firewall rules do not have to permit or deny users based on the IP pool. You can replace the IP pools in the firewall rules with user groups. In that way, if a user is a member of multiple groups, they will match multiple rules and have all the access they need without having to select (or change) a profile. The only piece you need to add (if you haven't done so already) is group mapping via LDAP or the Cloud Identity Engine (PAN-OS 10.1). For group mapping, make sure you configure the Primary Username under User Attributes because it will standardize the format of users so that it is consistent across multiple User-ID sources.

You can assign separate IP pools based upon groups under the GP gateway > Agent > Client Settings, but I do not know how users can select their own "profile."

Thanks,

Tom

topic Re: How to configure a global protect so that they user choose which VPN profile/group to connect? in GlobalProtect Discussions

How to configure a global protect so that they user choose which VPN profile/group to connect?

Re: How to configure a global protect so that they user choose which VPN profile/group to connect?