topic Re: Assigning a static IP to a Global Protect user in GlobalProtect Discussions

Assigning a static IP to a Global Protect user

Steve27596 — Fri, 12 Nov 2021 15:40:58 GMT

Is there a way to assign a static IP to a global protect user? I have a couple security policies that specify userids in the source, but the policies are not getting picked up. They are dropping to the default deny. I verified that the userid shown on the traffic monitor matches the rule, but it is not working. I was thinking that if I 'assigned' an IP to them when they connected via Global Protect I can write the rule using their source IP.

Thanks,

Steve

Re: Assigning a static IP to a Global Protect user

BPry — Mon, 15 Nov 2021 04:34:53 GMT

@Steve27596,

I'd personally be looking at fixing the user-id policy issue. If the logs are showing the user properly than outside of a bug something else in your policy is causing it to not match properly.

As for a static assignment there is actually two ways to do this:

Registry reserved-ipv4 reserved-ipv6 options

Framed-IP-Address Attribute

Personally, I would recommend going the Framed-IP-Address method if you are looking for static IP assignments. It's easier to maintain and you don't need to be monkeying around with the registry on every machine the user possibly uses, you just assign the machine object or the user a dial-in static address and be done with it.

Re: Assigning a static IP to a Global Protect user

camchatwebcam — Tue, 16 Nov 2021 05:29:07 GMT

It's impossible to protect an environment unless you know where users will and will not require access to. I'm a strong believer in the concept of least authority. This means that I'll only provide access to the areas that are absolutely necessary. If they do not need it now , but they might need it in the future then give it in the future. Allowing access to more users than completely necessary will expose you up to security risks which are best left secure.

In addition, using a specific zone only for VPN users is beneficial as well. While you can utilize an existing zone and subnet creating VPN users in their own subnet and zone is a way to make the security and security of users easier to manage and allows you to be more precise in your security.

My experience has observed that it's easier to use a subnet that is specifically designed for your users when setting up VPN access. Try to set up a subnet set up in an existing zone will be problematic at the very least.

Re: Assigning a static IP to a Global Protect user

nazmul1553 — Sun, 25 Sep 2022 04:24:59 GMT

Dear, Steve27596,

Please use LDAP authentication with global protect and assing static IP in your LDAP user dial option.