topic Re: Allow only certain users through VPN Security Policy in General Topics

Allow only certain users through VPN Security Policy

Pras — Wed, 11 May 2022 06:38:50 GMT

Hi All,

How can I allow only certain users to use this policy from below? I am not able to do so at the moment using a local database (is it not achievable with a local database?). Currently, only when choosing 'any' will allow traffic through.

@BPry

Re: Allow only certain users through VPN Security Policy

aleksandar.astardzhiev — Wed, 11 May 2022 14:38:28 GMT

Hi @Pras ,

Just to clarify:

- Users are able to connect to GlobalProtect (GP clients says "connected"), but no traffic is allowed?

- Stupid question but - you are sure that the local users are addedd to the local user group?

I would suggest to check the following:

- Connect the user with GP

- Connecting with SSH to FW, use the following command to list ip-to-user mapping.

> show user ip-user-mapping

- Find what IP address is associated with the test user that is currently connected to GP and check details for this IP

> show user ip-user-mapping ip <ip-address>

- Do you see anything listed under Grourp(s) in the output?

Re: Allow only certain users through VPN Security Policy

BPry — Thu, 12 May 2022 01:27:56 GMT

@Pras,

Can you describe you actual configuration a bit more? Do the users authenticate too VPN with the local users? If they utilize the local users to authenticate to the VPN, as long as you have user-id enable on your VPN zone (and do make sure you do), then this should work without any issues.

From what you've described you either aren't authenticating to the VPN as these local users so they aren't mapping, or you simply don't have your VPN security zone User-ID enabled (or included in your include networks).