<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: How to bound an ACL to GP VPN client in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/how-to-bound-an-acl-to-gp-vpn-client/m-p/93130#M43771</link>
    <description>&lt;P&gt;Well, it is kind of hard to grasp the logic that I need to create a deny rule for everything else in order to limit access to certain resources, as a separate policy. Anyhow, thanks for your suggestion; I managed to get it going by following it, moving two VPN policies (allow, deny) above the common policy and applying them to the contractor's AD username.&lt;/P&gt;&lt;P&gt;Thanks&lt;/P&gt;</description>
    <pubDate>Tue, 28 Jun 2016 16:40:48 GMT</pubDate>
    <dc:creator>Kalemegdan</dc:creator>
    <dc:date>2016-06-28T16:40:48Z</dc:date>
    <item>
      <title>How to bound an ACL to GP VPN client</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/how-to-bound-an-acl-to-gp-vpn-client/m-p/92728#M43727</link>
      <description>&lt;P&gt;Hello&lt;BR /&gt;I need to provide a contractor with VPN access to certain resources on the internal network (let’s call them 10.20.1.0/24).&lt;BR /&gt;&lt;BR /&gt;I have a working GP VPN/Portal and the contractor can connect to the VPN with no issue. But the contractor is allowed to access all internal resources, not just 10.20.1.0/24.&lt;BR /&gt;&lt;BR /&gt;I have set up a GP policy (allow access from the VPN zone to the internal zone, destination 10.20.1.0/24 only) and put that policy above the generic VPN (allow all) policy, but when the user logs in this policy does not hit; instead the default policy (which allows all AD users to log in) is used.&lt;BR /&gt;&lt;BR /&gt;We are using MFA for authentication, AD has the user contractor created, all looks fine. For testing I created another GP portal with local authentication, put the user into a local group, and he is able to connect but is still not prevented from accessing internal resources.&lt;BR /&gt;&lt;BR /&gt;The question is: how can I bind an ACL to a VPN access policy? I know with other vendors it was a matter of assigning an ACL to a VPN profile that gets pushed down to the user when they connect to the VPN.&lt;BR /&gt;&lt;BR /&gt;Appreciate valuable inputs.&lt;/P&gt;</description>
      <pubDate>Mon, 27 Jun 2016 22:25:07 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/how-to-bound-an-acl-to-gp-vpn-client/m-p/92728#M43727</guid>
      <dc:creator>Kalemegdan</dc:creator>
      <dc:date>2016-06-27T22:25:07Z</dc:date>
    </item>
    <item>
      <title>Re: How to bound an ACL to GP VPN client</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/how-to-bound-an-acl-to-gp-vpn-client/m-p/92930#M43739</link>
      <description>&lt;P&gt;Usually companies have 2 AD groups:&lt;/P&gt;&lt;P&gt;VPN Users&lt;/P&gt;&lt;P&gt;VPN Users third party&lt;/P&gt;&lt;P&gt;The policy that permits traffic from the GlobalProtect zone to the LAN has only the VPN Users group attached.&lt;/P&gt;&lt;P&gt;VPN Users third party has no default access to the LAN (OK, maybe towards the domain controller to authenticate and resolve DNS).&lt;/P&gt;&lt;P&gt;And then you add specific security policies for every contractor who needs access to your network.&lt;/P&gt;&lt;P&gt;In your case it might be a temporary step to create a top rule that allows this user to access the resource you need, and a second rule below it to block anything else from that user (don't forget to put his username in the user field).&lt;/P&gt;&lt;P&gt;If you have a 0.0.0.0/0 route towards your network then you probably want to allow the contractor to access the WAN zone as well, so as not to cut his internet 🙂&lt;/P&gt;</description>
      <pubDate>Tue, 28 Jun 2016 06:24:10 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/how-to-bound-an-acl-to-gp-vpn-client/m-p/92930#M43739</guid>
      <dc:creator>Raido_Rattameister</dc:creator>
      <dc:date>2016-06-28T06:24:10Z</dc:date>
    </item>
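The rule ordering described in the reply above, as an added example that is not code from this thread or from Palo Alto Networks: a small Python model of first-match evaluation of a security rulebase. It shows why the per-user allow rule alone is not enough (the common VPN allow rule below it still matches the contractor's other traffic), why the explicit per-user deny has to sit between them, and why a deny towards any zone also cuts the contractor's internet when 0.0.0.0/0 is routed into the tunnel unless a WAN allow is placed before it. The zone names GP-VPN, LAN and WAN, the usernames example\contractor and example\alice, the 10.30.0.0/24 subnet and the 203.0.113.10 internet host are assumptions for the illustration.

```python
"""First-match evaluation of a PAN-OS style security rulebase (added example).

Models the ordering from the reply above: a per-user allow to the permitted
subnet, a per-user deny for everything else, then the common VPN rule.
Zone names, usernames and the extra subnets are assumptions, not thread data.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    from_zone: str          # source zone; "any" matches every zone
    to_zone: str            # destination zone; "any" matches every zone
    users: Tuple[str, ...]  # ("any",) or specific user names (the user field)
    dests: Tuple[str, ...]  # ("any",) or CIDR strings
    action: str             # "allow" or "deny"


@dataclass(frozen=True)
class Flow:
    user: str       # user mapped to the client's tunnel address
    from_zone: str
    to_zone: str
    dst: str        # destination IP


def matches(rule: Rule, flow: Flow) -> bool:
    """True when every field of the rule covers the flow."""
    if rule.from_zone != "any" and rule.from_zone != flow.from_zone:
        return False
    if rule.to_zone != "any" and rule.to_zone != flow.to_zone:
        return False
    if "any" not in rule.users and flow.user not in rule.users:
        return False
    if "any" in rule.dests:
        return True
    dst = ip_address(flow.dst)
    return any(dst in ip_network(net) for net in rule.dests)


def decision(rulebase: List[Rule], flow: Flow) -> Tuple[str, str]:
    """Walk the rulebase top to bottom and return (action, rule name).

    A flow that no rule covers falls to the implicit interzone default,
    which is deny."""
    for rule in rulebase:
        if matches(rule, flow):
            return rule.action, rule.name
    return "deny", "interzone-default"


# Assumed names for the illustration.
CONTRACTOR = "example\\contractor"
OTHER_USER = "example\\alice"

CONTRACTOR_ALLOW = Rule("CONTRACTOR-ALLOW", "GP-VPN", "LAN",
                        (CONTRACTOR,), ("10.20.1.0/24",), "allow")
CONTRACTOR_WAN = Rule("CONTRACTOR-WAN", "GP-VPN", "WAN",
                      (CONTRACTOR,), ("any",), "allow")
CONTRACTOR_DENY = Rule("CONTRACTOR-DENY", "GP-VPN", "any",
                       (CONTRACTOR,), ("any",), "deny")
COMMON_SSL_VPN = Rule("COMMON-SSL-VPN", "GP-VPN", "LAN",
                      ("any",), ("any",), "allow")

# The first attempt: only the per-user allow rule above the common rule.
ALLOW_ONLY = [CONTRACTOR_ALLOW, COMMON_SSL_VPN]
# The working order: allow, then deny everything else, then the common rule.
ALLOW_THEN_DENY = [CONTRACTOR_ALLOW, CONTRACTOR_DENY, COMMON_SSL_VPN]
# Same, with the WAN carve-out so full-tunnel internet still works.
WITH_WAN_CARVEOUT = [CONTRACTOR_ALLOW, CONTRACTOR_WAN, CONTRACTOR_DENY,
                     COMMON_SSL_VPN]

if __name__ == "__main__":
    lan_ok = Flow(CONTRACTOR, "GP-VPN", "LAN", "10.20.1.15")
    lan_other = Flow(CONTRACTOR, "GP-VPN", "LAN", "10.30.0.7")
    internet = Flow(CONTRACTOR, "GP-VPN", "WAN", "203.0.113.10")
    for label, rb in [("allow only", ALLOW_ONLY),
                      ("allow then deny", ALLOW_THEN_DENY),
                      ("with WAN carve-out", WITH_WAN_CARVEOUT)]:
        for f in (lan_ok, lan_other, internet):
            print(label, f.to_zone, f.dst, decision(rb, f))
```

On the firewall the same effect comes purely from the position of the rules in the security rulebase (the contractor rules dragged above COMMON-SSL-VPN). The quickest check that the rules behave as modelled is the rule column of the Traffic log filtered on the contractor's username: every session shows the rule it actually hit, which is also how you spot an allow rule that never matches.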
    <item>
      <title>Re: How to bound an ACL to GP VPN client</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/how-to-bound-an-acl-to-gp-vpn-client/m-p/93065#M43767</link>
      <description>&lt;P&gt;&lt;img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/4558i730897B1CD7F8480/image-size/large/is-moderation-mode/true?v=v2&amp;amp;px=999" alt="VPN.jpg" /&gt;&lt;/P&gt;&lt;P&gt;I do have a VPN access rule, kind of generic, that covers all users (COMMON-SSL-VPN). Unfortunately the contractor can log in and can access all internal resources, and the rule actually does not hit... I even tried the rule using a locally created user (changed authentication accordingly) with the same results: the contractor can access all resources.&lt;/P&gt;</description>
      <pubDate>Tue, 28 Jun 2016 14:59:03 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/how-to-bound-an-acl-to-gp-vpn-client/m-p/93065#M43767</guid>
      <dc:creator>Kalemegdan</dc:creator>
      <dc:date>2016-06-28T14:59:03Z</dc:date>
    </item>
    <item>
      <title>Re: How to bound an ACL to GP VPN client</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/how-to-bound-an-acl-to-gp-vpn-client/m-p/93129#M43770</link>
      <description>&lt;P&gt;Those destinations that you covered with the black box.&lt;/P&gt;&lt;P&gt;Are they address objects?&lt;/P&gt;&lt;P&gt;They have 0 at the end, so I assume they also have some subnet mask set?&lt;/P&gt;</description>
      <pubDate>Tue, 28 Jun 2016 16:39:36 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/how-to-bound-an-acl-to-gp-vpn-client/m-p/93129#M43770</guid>
      <dc:creator>Raido_Rattameister</dc:creator>
      <dc:date>2016-06-28T16:39:36Z</dc:date>
    </item>
    <item>
      <title>Re: How to bound an ACL to GP VPN client</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/how-to-bound-an-acl-to-gp-vpn-client/m-p/93130#M43771</link>
      <description>&lt;P&gt;Well, it is kind of hard to grasp the logic that I need to create a deny rule for everything else in order to limit access to certain resources, as a separate policy. Anyhow, thanks for your suggestion; I managed to get it going by following it, moving two VPN policies (allow, deny) above the common policy and applying them to the contractor's AD username.&lt;/P&gt;&lt;P&gt;Thanks&lt;/P&gt;</description>
      <pubDate>Tue, 28 Jun 2016 16:40:48 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/how-to-bound-an-acl-to-gp-vpn-client/m-p/93130#M43771</guid>
      <dc:creator>Kalemegdan</dc:creator>
      <dc:date>2016-06-28T16:40:48Z</dc:date>
    </item>
  </channel>
</rss>

