https://live.paloaltonetworks.com/t5/next-generation-firewall/multiple-globalprotect-profiles-based-on-ldap-groups/m-p/514476#M377 <P>I have tried multiple searches, but can't seem to find the answer that I am looking for.&nbsp; I am migrating from Cisco ASA firewalls to a PA-440.&nbsp; The PA-440 is running PanOS 10.1.6-h6.&nbsp; On the Cisco we have multiple VPN profiles.&nbsp; Each profile has access to only specific networks and/or hosts.&nbsp; When you initiate a VPN session, you select the session that you need (usually based on job function). We you are connected, you only have access to the systems that you need.</P> <P>&nbsp;</P> <P>I have the PA-440 running mostly isolated.&nbsp; The management interface is connected to the LAN.&nbsp; I can connect a laptop to the WAN interface and connect to GlobalProtect using my domain credentials.&nbsp; If can browse my AD groups in Device &gt; User Identification &gt; Group Mapping Settings, and add a group.&nbsp;</P> <P>&nbsp;</P> <P>When I go into the Network &gt; GlobalProtect &gt; Gateways &gt; *mygateway* &gt; Agent &gt; *myagent* &gt; Config Selection Critia and try to add the mapped group in the Source User block Global protect stops workings.&nbsp; When I clock on Ok, it replaces the mapped group (domain\group) with the full LDAP bind string.</P> <P>&nbsp;</P> <P>What am I missing?</P> Fri, 09 Sep 2022 19:31:14 GMT darisb 2022-09-09T19:31:14Z https://live.paloaltonetworks.com/t5/next-generation-firewall/multiple-globalprotect-profiles-based-on-ldap-groups/m-p/514476#M377 <P>I have tried multiple searches, but can't seem to find the answer that I am looking for.&nbsp; I am migrating from Cisco ASA firewalls to a PA-440.&nbsp; The PA-440 is running PanOS 10.1.6-h6.&nbsp; On the Cisco we have multiple VPN profiles.&nbsp; Each profile has access to only specific networks and/or hosts.&nbsp; When you initiate a VPN session, you select the session that you need (usually based on job function). We you are connected, you only have access to the systems that you need.</P> <P>&nbsp;</P> <P>I have the PA-440 running mostly isolated.&nbsp; The management interface is connected to the LAN.&nbsp; I can connect a laptop to the WAN interface and connect to GlobalProtect using my domain credentials.&nbsp; If can browse my AD groups in Device &gt; User Identification &gt; Group Mapping Settings, and add a group.&nbsp;</P> <P>&nbsp;</P> <P>When I go into the Network &gt; GlobalProtect &gt; Gateways &gt; *mygateway* &gt; Agent &gt; *myagent* &gt; Config Selection Critia and try to add the mapped group in the Source User block Global protect stops workings.&nbsp; When I clock on Ok, it replaces the mapped group (domain\group) with the full LDAP bind string.</P> <P>&nbsp;</P> <P>What am I missing?</P> Fri, 09 Sep 2022 19:31:14 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/multiple-globalprotect-profiles-based-on-ldap-groups/m-p/514476#M377 darisb 2022-09-09T19:31:14Z https://live.paloaltonetworks.com/t5/next-generation-firewall/multiple-globalprotect-profiles-based-on-ldap-groups/m-p/514485#M378 <P>I'm playing around while I am waiting for answers and I am beginning to think maybe security policies based on LDAP user groups is the way to go.&nbsp; The only issue is I have a group that needs a different IP address then the rest of my users.&nbsp; It looked like they way to go was to create a special Agent in a Gateway Configuration but when I do that based on defined group mapping (LDAP) the VPN client won't connect.</P> Fri, 09 Sep 2022 22:51:14 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/multiple-globalprotect-profiles-based-on-ldap-groups/m-p/514485#M378 darisb 2022-09-09T22:51:14Z