SSL VPN - DHCP Relay and Deny lists

jdorland — Tue, 23 Feb 2010 20:32:50 GMT

Is there a way to configure the SSL VPN to rely on DHCP relay instead of using it's own internal IP pool? I thought enabling it on the public interface might work, but I don't really like the thought of anyone in that same segment getting one of our private IP addresses.

Also, is there a way to explicitly deny a user or group access to the SSL VPN even if they are a member of an allowed group?

Re: SSL VPN - DHCP Relay and Deny lists

swhyte — Tue, 23 Feb 2010 22:00:25 GMT

You asked:

Is there a way to configure the SSL VPN to rely on DHCP relay instead of using it's own internal IP pool?

Currently, there is no way to do this on the Paloalto device.

You asked:

Also, is there a way to explicitly deny a user or group access to the SSL VPN even if they are a member of an allowed group?

Yes you can. Simply make note of the zone that you have placed the tunnel interface for the ssl vpn. Then you can create deny policies with that zone as the destination zone and identify corresponding source zones, source users, source ips that you would like to deny access to the ssl vpn portal......basically, the same way that create any other deny policy.

topic SSL VPN - DHCP Relay and Deny lists in General Topics

SSL VPN - DHCP Relay and Deny lists

Re: SSL VPN - DHCP Relay and Deny lists