https://live.paloaltonetworks.com/t5/globalprotect-discussions/separate-ip-pool-config-for-two-departments-when-connecting-to/m-p/521470#M3433 <P>You can use Config Selection Criteria under the Gateway Agent configuration to select a different Gateway profile with a different IP pool, based on user. But I am not sure if you can extend that to groups... so it may be a bit of a management headache to do per user.</P> <P>&nbsp;</P> <P>Alternatively, you could create another gateway and then send the first department to the first gateway and the second department to the second gateway via the Portal Agent configuration. That allows Config Selection Criteria based on user and/or user group. But you would need the PA integrated with your AD to be able to poll the user's group.</P> Wed, 16 Nov 2022 21:41:01 GMT Adrian_Jensen 2022-11-16T21:41:01Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/separate-ip-pool-config-for-two-departments-when-connecting-to/m-p/521387#M3432 <P>&nbsp;Is it possible to assign two different IP pools for two departments on one gateway, when the users connect to Global Protect VPN.?</P> <P>Note: We don't have On-Prem ldap server to config User identification &amp; group-mapping on firewall. We are using Azure AD. The client authentication is happening via SAML auth.</P> Wed, 16 Nov 2022 11:48:29 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/separate-ip-pool-config-for-two-departments-when-connecting-to/m-p/521387#M3432 HCLCNNSecurity 2022-11-16T11:48:29Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/separate-ip-pool-config-for-two-departments-when-connecting-to/m-p/521470#M3433 <P>You can use Config Selection Criteria under the Gateway Agent configuration to select a different Gateway profile with a different IP pool, based on user. But I am not sure if you can extend that to groups... so it may be a bit of a management headache to do per user.</P> <P>&nbsp;</P> <P>Alternatively, you could create another gateway and then send the first department to the first gateway and the second department to the second gateway via the Portal Agent configuration. That allows Config Selection Criteria based on user and/or user group. But you would need the PA integrated with your AD to be able to poll the user's group.</P> Wed, 16 Nov 2022 21:41:01 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/separate-ip-pool-config-for-two-departments-when-connecting-to/m-p/521470#M3433 Adrian_Jensen 2022-11-16T21:41:01Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/separate-ip-pool-config-for-two-departments-when-connecting-to/m-p/521559#M3437 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/204857">@HCLCNNSecurity</a> ,</P> <P>&nbsp;</P> <P>The easiest way to accomplish what you want is to use the Config Selection Criteria under the Network &gt; GlobalProtect &gt; Gateways &gt; Agent &gt; Client Settings as <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/184804">@Adrian_Jensen</a> mentioned.&nbsp; It does support groups, but only LDAP, and you were clear that you did not have LDAP, only SAML.&nbsp; If you want it working today, you can add each user to your 2 Client Settings (1 for each subnet).&nbsp; If you don't have that many users, it shouldn't take too long.</P> <P>&nbsp;</P> <P>I have to ask the question, "What do you want to use the separate IP pools for?"&nbsp; If it is for the security policy, may I suggest configuring the users there instead?&nbsp; That would save the step of configuring the gateway.</P> <P>&nbsp;</P> <P>Another thing you could try is to create 2 Dynamic User Groups for each department.&nbsp; You could manually assign the users the tags under Objects &gt; Log Forwarding &gt; Add &gt; Log Type = auth &gt; Filters.&nbsp; The tags would match the DUGs.&nbsp; You could then use the DUGs in the security policy, gateway client setting, or both.</P> <P>&nbsp;</P> <P>I know!&nbsp; This could be a lot of work!&nbsp; The best solution would be group mapping to support SAML as many customers are moving to Azure AD.&nbsp; Another alternative if you want to query Azure AD via LDAP is to purchase Azure AD Domain Services or perhaps build a DC with Azure AD Connect.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Tom</P> Thu, 17 Nov 2022 17:43:17 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/separate-ip-pool-config-for-two-departments-when-connecting-to/m-p/521559#M3437 TomYoung 2022-11-17T17:43:17Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/separate-ip-pool-config-for-two-departments-when-connecting-to/m-p/521632#M3440 <P>Hi Tom,</P> <P>&nbsp;</P> <P>One of the departments is using an application which require directional policy connection like from Trust Zone to GlobalProtect Zone &amp; vice-versa. So, we don't want to allow the traffic from Trust to Global protect for all departments. It's better to allow this for that One department only.</P> Fri, 18 Nov 2022 06:54:15 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/separate-ip-pool-config-for-two-departments-when-connecting-to/m-p/521632#M3440 HCLCNNSecurity 2022-11-18T06:54:15Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/separate-ip-pool-config-for-two-departments-when-connecting-to/m-p/521716#M3442 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/204857">@HCLCNNSecurity</a> ,</P> <P>&nbsp;</P> <P>Very cool.&nbsp; So you could do it through separate IP addresses or just put the users in the security policy.&nbsp; I wonder if Cloud Identity Engine would be able to get your Azure AD groups?&nbsp; <A href="https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-new-features/identity-features/cloud-identity-engine" target="_blank">https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-new-features/identity-features/cloud-identity-engine</A>&nbsp; I haven't used it yet.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Tom</P> Fri, 18 Nov 2022 18:22:54 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/separate-ip-pool-config-for-two-departments-when-connecting-to/m-p/521716#M3442 TomYoung 2022-11-18T18:22:54Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/separate-ip-pool-config-for-two-departments-when-connecting-to/m-p/536663#M3844 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/204857">@HCLCNNSecurity</a> - Just curious, what did you end up doing to accomplish this task?&nbsp; I am having a similar issue.&nbsp; I am using SAML and I have an "any" user config which works fine.&nbsp; But I am trying to add a more restrictive config above that one, which contains specific users or groups, and cannot get it to work. I see that Security Policy might be the way to go according to Tom...</P> Mon, 27 Mar 2023 20:37:43 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/separate-ip-pool-config-for-two-departments-when-connecting-to/m-p/536663#M3844 tamerfahmy 2023-03-27T20:37:43Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/separate-ip-pool-config-for-two-departments-when-connecting-to/m-p/576943#M4957 <P>Hi... Yes with SAML you can (or must) go via Idendity Engine. We build it in our company that way. You get the Assigned Groups then via CIE...</P> Sun, 11 Feb 2024 19:02:45 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/separate-ip-pool-config-for-two-departments-when-connecting-to/m-p/576943#M4957 ThomasZetzsche 2024-02-11T19:02:45Z