https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-separate-vendors-and-employees/m-p/597184#M5784 <P>Good day,</P> <P>&nbsp;</P> <P>Thank you for the reply; vendors have AD accounts and are also setup with Duo and in a specific group to differentiate between employees and vendors.</P> <P>I am not adept at Entra, I would need to get an NA involved for any configuration there, but it seems you are saying there should a way to enforce device compliance for employees and then allows the vendor group to connect by making it compliant?</P> <P>&nbsp;</P> <P>Sorry if I worded that badly.</P> <P>Thanks</P> Fri, 06 Sep 2024 16:09:04 GMT ChuckW 2024-09-06T16:09:04Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-separate-vendors-and-employees/m-p/596793#M5774 <P>Setup:</P> <P>We have one GP portal and one gateway currently, used by employees and vendors.</P> <P>All GP users are authenticated with Entra and Duo MFA.</P> <P>We are using a public cert. for the FQDN and a single IP in the current setup.</P> <P>Vendors are assigned to a different subnet than employees when connecting to GP.</P> <P>&nbsp;</P> <P>Change:</P> <P>We want to use the Entra authentication profile to force employees to only use AD-joined devices that are compliant, this feature is available as part of the Entra authentication configuration and would deny connections if the device did not meet the criteria.</P> <P>&nbsp;</P> <P>If we turn this on, vendors would not be able to connect with their company's laptop or devices.</P> <P>&nbsp;</P> <P>What is the best way to separate out employees and vendors?</P> <P>&nbsp;</P> <P>Should we stand up a new portal and gateway just for vendors and copy the current settings over and create a new Entra profile that does not limit the device?</P> <P>Can we assign by AD group membership, a new, different Entra profile (create a new one for vendors) and use the existing GP setup with minimal modification?</P> <P>&nbsp;</P> <P>I am looking for the least complicated way of allowing vendors to connect to GP and restrict employees to the Entra restrictions for devices.</P> <P>&nbsp;</P> <P>Thank you</P> <P>&nbsp;</P> <P>&nbsp;</P> Wed, 04 Sep 2024 19:31:10 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-separate-vendors-and-employees/m-p/596793#M5774 ChuckW 2024-09-04T19:31:10Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-separate-vendors-and-employees/m-p/597183#M5783 <P>Hello,</P> <P>&nbsp;</P> <P>How are you currently identifying vendors within Entra? If you have a vendor group you should be able to add that group to the conditional access in Entra to allow them to still be "compliant".</P> Fri, 06 Sep 2024 15:59:08 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-separate-vendors-and-employees/m-p/597183#M5783 Claw4609 2024-09-06T15:59:08Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-separate-vendors-and-employees/m-p/597184#M5784 <P>Good day,</P> <P>&nbsp;</P> <P>Thank you for the reply; vendors have AD accounts and are also setup with Duo and in a specific group to differentiate between employees and vendors.</P> <P>I am not adept at Entra, I would need to get an NA involved for any configuration there, but it seems you are saying there should a way to enforce device compliance for employees and then allows the vendor group to connect by making it compliant?</P> <P>&nbsp;</P> <P>Sorry if I worded that badly.</P> <P>Thanks</P> Fri, 06 Sep 2024 16:09:04 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-separate-vendors-and-employees/m-p/597184#M5784 ChuckW 2024-09-06T16:09:04Z