https://live.paloaltonetworks.com/t5/general-topics/globalprotect-authentication-problem/m-p/34984#M25684 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>Yes, we needed to associate the tunnel interface with its own zone rather than the trusted zone.&nbsp; As you stated, this modification now allows additional and needed granularity.&nbsp; </P><P></P><P>There are still two comments/questions, though not critical:</P><P></P><P>1.&nbsp; I was obliged to add a Client Configuration in the GlobalProtect portal, citing an AD group and external gateway IP.&nbsp; Without this, I was getting this error after compiling:&nbsp; </P><P></P><P>Config commit phase 1 aboreted (Module: device)</P><P>missing both client config and satellite config</P><P>(Module: sslvpn)</P><P>Commit failed</P><P></P><P>2. I can still connect to the portal FQDN and authenticate with ANY account in the AD to download the GlobalProtect client.&nbsp; Thanks to the new rules, it is now not possible to authenticate with ANY account in the AD from GlobalProtect - it is necessary to have an account in the designated allowed group.&nbsp; In any case, shouldn't the authentication be denied when connecting to the portal FQDN and before being able to download the globalprotect MSI?</P><P></P><P>Best regards</P></BODY></HTML> Tue, 15 Jul 2014 09:01:07 GMT TheBest 2014-07-15T09:01:07Z https://live.paloaltonetworks.com/t5/general-topics/globalprotect-authentication-problem/m-p/34980#M25680 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P></P><P>The group I use to authenticate GP connections doesn't work properly.</P><P></P><P></P><P><SPAN>I followed the advice on this thread:&nbsp; </SPAN><A class="jive-link-thread-small" data-containerid="2004" data-containertype="14" data-objectid="8661" data-objecttype="1" href="https://live.paloaltonetworks.com/thread/8661">https://live.paloaltonetworks.com/thread/8661</A></P><P></P><P></P><P>It was necessary to place the NETBIOS domain name in the LDAP server profile.&nbsp; Output from the CLI now clearly displays the logon format with domain\user, unlike before, for GP clients.</P><P></P><P></P><P>The GP Portal specifically sites the group allowing VPN connections in the Agent COnfiguration section.&nbsp; Yet, I can still logon with an account that is in the AD but not in that group.</P><P></P><P></P><P>Why is this happening?&nbsp; What is the best practice to limit who can connect via GP?</P><P></P><P></P><P>Follow-up question:&nbsp; Is it possible to deploy new GP clients to a group of test users?</P><P></P><P></P><P>Thanks for your help!</P></BODY></HTML> Mon, 07 Jul 2014 15:18:51 GMT https://live.paloaltonetworks.com/t5/general-topics/globalprotect-authentication-problem/m-p/34980#M25680 TheBest 2014-07-07T15:18:51Z https://live.paloaltonetworks.com/t5/general-topics/globalprotect-authentication-problem/m-p/34981#M25681 <HTML><HEAD></HEAD><BODY><P>Hello <A href="https://live.paloaltonetworks.com/u1/12736">TheBest</A>,</P><P></P><P>I would remove the AD group from the agent configuration and would use it in a security rule. For example, if your tunnel belongs to a zone called 'GP-VPN', I would create a security rule from 'GP-VPN' to 'Trust' and leverage the user-group feature in the 'source user' column of that policy and then test.</P><P></P><P>Hope that helps!</P><P></P><P></P><P>Thanks and regards,</P><P>Kunal Adak</P></BODY></HTML> Mon, 07 Jul 2014 16:37:12 GMT https://live.paloaltonetworks.com/t5/general-topics/globalprotect-authentication-problem/m-p/34981#M25681 kadak 2014-07-07T16:37:12Z https://live.paloaltonetworks.com/t5/general-topics/globalprotect-authentication-problem/m-p/34982#M25682 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>OK, so it appears that the AD group in the agent configuration would be mainly to target a group for a specific configuration of the agent.&nbsp; Therefore, this parameter has nothing to do with security and access filtering.&nbsp; Still, using this method, I don't think its possible to target a specific group for a newer version of GP client.&nbsp; I think the only way may be to deploy the MSI via GPO.</P><P></P><P>Your idea is a good one but won't work currently with my configuration.&nbsp; The security zone for the VPN tunnel is already "Trust".&nbsp; This explains why we have no granularity and clearly reduces security.&nbsp; However, the physical interface connection to the internet is in the zone "Untrust".&nbsp; It looks like there is a 1:1 relationship between the physical interface and a zone.&nbsp; So, it looks like I would have to change the VPN tunnel zone from "Trust" to "Untrust" and then add the policy as you suggested, right?&nbsp; Otherwise, is it possible to have multiple zones linked to one physical interface?&nbsp; In that case the interface to the outside would include "Untrust" and a new zone "GP-VPN"?</P><P></P><P>Thanks for your valuable help!</P></BODY></HTML> Tue, 08 Jul 2014 06:46:32 GMT https://live.paloaltonetworks.com/t5/general-topics/globalprotect-authentication-problem/m-p/34982#M25682 TheBest 2014-07-08T06:46:32Z https://live.paloaltonetworks.com/t5/general-topics/globalprotect-authentication-problem/m-p/34983#M25683 <HTML><HEAD></HEAD><BODY><P>Hello <A href="https://live.paloaltonetworks.com/u1/12736">TheBest</A>,</P><P></P><P>You can have multiple interfaces of same type (L2/ L3/ Vwire) in one zone, but cannot tie multiple zones to one interface. Having said that, it was always a best practice to associate the tunnel interface to its own zone - something like GP-VPN and then configure a security rule from GP-VPN to Trust and GP-VPN to Untrust. In that way, you not only have more control over the traffic but you can also turn on PAN's IDS/IPS feature by applying AV, anti-spyware, anti-vulnerability, URL-filtering and data filtering profiles.</P><P></P><P></P><P>Thanks and regards,</P><P>Kunal Adak</P></BODY></HTML> Tue, 08 Jul 2014 14:26:08 GMT https://live.paloaltonetworks.com/t5/general-topics/globalprotect-authentication-problem/m-p/34983#M25683 kadak 2014-07-08T14:26:08Z https://live.paloaltonetworks.com/t5/general-topics/globalprotect-authentication-problem/m-p/34984#M25684 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>Yes, we needed to associate the tunnel interface with its own zone rather than the trusted zone.&nbsp; As you stated, this modification now allows additional and needed granularity.&nbsp; </P><P></P><P>There are still two comments/questions, though not critical:</P><P></P><P>1.&nbsp; I was obliged to add a Client Configuration in the GlobalProtect portal, citing an AD group and external gateway IP.&nbsp; Without this, I was getting this error after compiling:&nbsp; </P><P></P><P>Config commit phase 1 aboreted (Module: device)</P><P>missing both client config and satellite config</P><P>(Module: sslvpn)</P><P>Commit failed</P><P></P><P>2. I can still connect to the portal FQDN and authenticate with ANY account in the AD to download the GlobalProtect client.&nbsp; Thanks to the new rules, it is now not possible to authenticate with ANY account in the AD from GlobalProtect - it is necessary to have an account in the designated allowed group.&nbsp; In any case, shouldn't the authentication be denied when connecting to the portal FQDN and before being able to download the globalprotect MSI?</P><P></P><P>Best regards</P></BODY></HTML> Tue, 15 Jul 2014 09:01:07 GMT https://live.paloaltonetworks.com/t5/general-topics/globalprotect-authentication-problem/m-p/34984#M25684 TheBest 2014-07-15T09:01:07Z