topic GlobalProtect - blocking single user account in General Topics

GlobalProtect - blocking single user account

aceandy79 — Thu, 21 Jul 2016 09:15:38 GMT

We want to use an authentication profile that matches against a fairly generic LDAP AD group in the Allow list tab. Is there a way of creating exceptions to the allow list for blocking individual user accounts from using the service, should we need to at any stage?

Re: GlobalProtect - blocking single user account

OtakarKlier — Mon, 25 Jul 2016 15:59:25 GMT

Hello,

If I understand your inquiry correctly, yes you can block a single user. You would obviously need to have one of the user-id options available so scan for that users id. When it comes to the policies, make the more specific one higher prirority than the general one.

Example:

Security policy to block the single user

Security policy to allow everyone else

I hope this helps.

Cheers!

Re: GlobalProtect - blocking single user account

BPry — Mon, 25 Jul 2016 18:25:28 GMT

Otakar.Klier is correct; as long as you have the deny entry further above your allow entry then it would work perfectly fine and any user-id identified in your deny list is denied.

Re: GlobalProtect - blocking single user account

aceandy79 — Tue, 26 Jul 2016 14:40:33 GMT

Hi, yes I agree a security policy rule using the User-ID column can be used to block the traffic of a connected client, but the key here is that would only take effect after they've connected. What I was hoping to be able to achieve is to prevent a specific user authenticating in the first place, who is a member of the larger AD group referenced in the Allowed List.

As far as I can tell, the initating packets to set up the IPSec tunnel do not include a User-ID at this point, you only start seeing that column populated after the tunnel is established.

Re: GlobalProtect - blocking single user account

OtakarKlier — Tue, 26 Jul 2016 17:06:02 GMT

Hello,

So you do not wish for them to connect to the VPN? Perhaps I am not understanding your question properly.

Please advise,

Re: GlobalProtect - blocking single user account

BPry — Tue, 26 Jul 2016 18:13:12 GMT

Okay, then you would need to take them out of your authentification profile under the object tab. Under your LDAP/Radius/Whatever server there is an allow list under the advanced options. It might be worth making a VPN-Allow AD group and putting anyone who needs VPN access under that group, this would keep anybody that is not in that specific AD group access to the VPN gateway.

To my understanding their is no way to do a 'not' statement under this option.