topic Seperate policy for IPSec VPN and SSL VPN? in General Topics

Seperate policy for IPSec VPN and SSL VPN?

BrutalDismount — Wed, 11 Jan 2012 02:54:53 GMT

So I would like to have different policies based upon what device a user comes in from. If they use Globalprotect with HIP checking, they are given a less restrictive policy. Where as if they come from an iphone with ipsec, they are given a more restrictive policy. Both ipsec and SSL are hitting the same GP gateway. I see no way to differentiate the sessions other then creating a new gateway for logical segmentation and only alow SSL on one GW and only allow IPSec on the other. I would like to maintain the single gateway if possible. Anyone have any suggestions?

Re: Seperate policy for IPSec VPN and SSL VPN?

mikand — Wed, 11 Jan 2012 07:39:02 GMT

Setting up a new VSYS should do this as you already explained (one who only accepts IPSEC the other only accepts SSL).

Otherwise, cant you in the hipsprofile define which device the client is using?

Or cannot one use different zones, one zone for ipsecclients and one for sslclients?

Another method would be if you place the hardware devices in different AD-groups and by that create policies (only allow AD_IPSEC and not AD_SSL and the other way around per security policy).

Re: Seperate policy for IPSec VPN and SSL VPN?

kbrazil — Wed, 11 Jan 2012 08:53:38 GMT

Hi there,

Can't this be done just the way you describe with a normal Security Policy?

One policy rule checks for HIP state... if a client matches then this rule allows less restricted access
A following policy rule only allows more restricted access. All other users/devices that did not send HIP information will match this more restrictive rule.

Cheers,

Kelly

Re: Seperate policy for IPSec VPN and SSL VPN?

mikand — Wed, 11 Jan 2012 10:03:55 GMT

Dunno if that might work... keep in mind that PA is like most firewalls top-down first-match (only ACL's which doesnt do that, which I have found so far, is the ipf/pf from *BSD and the ACL engine in Allied Telesyn equipment (I think AT changed into Cisco-style in their latest hardware releases but there are still a few AT devices which isnt the latest models still out there).

But sure if your SSL clients wont hit the rule containing hipprofile then they will hopefully hit the following rule without the hipprofile.

The problem here is what to do with your IPSEC clients (iphones etc) that should hit the hipprofile but for some reason fails the hip control?

Re: Seperate policy for IPSec VPN and SSL VPN?

kbrazil — Wed, 11 Jan 2012 10:34:22 GMT

The Iphones will never hit the HIP rule since there is no native Global Protect client for them today. They will automatically get the more restrictive rule that does not contain the HIP match criteria.

Cheers,

Kelly

Re: Seperate policy for IPSec VPN and SSL VPN?

BrutalDismount — Wed, 11 Jan 2012 12:35:03 GMT

Indeed that is the problem. How do you differentiate the GP SSL client that fails HIP check, with the IPSec client? From what I know, there is no way for an IPSec client to pass a HIP check or policy match rule.

Re: Seperate policy for IPSec VPN and SSL VPN?

skrall — Fri, 20 Jan 2012 20:42:58 GMT

Can you use 2 different Loopback interfaces and IP addresses and create 2 zones (IPSEC and SSL) then differentiate rules based on zones?

Steve Krall

Re: Seperate policy for IPSec VPN and SSL VPN?

Quinton — Sat, 15 Sep 2012 18:24:08 GMT

Works great as skrall mentioned. Create another GP interface for the Windows/MAC based GP clients. If you have spare public IP's add them as /32 loopback interfaces and use them in the second GP config.