https://live.paloaltonetworks.com/t5/general-topics/limting-globalprotect-client-access-via-ip-address/m-p/150467#M49958 <P>Hi Craig,</P><P>&nbsp;</P><P>No such option exists yet. The only thing (and is broader than what's asked) would be to allow select few IPs in the Security policies but it wouldn't have a user&lt;--&gt;IP pairing.</P><P>&nbsp;</P><P>Regards,</P><P>Anurag</P><P>&nbsp;</P> Thu, 30 Mar 2017 20:02:20 GMT ansharma 2017-03-30T20:02:20Z https://live.paloaltonetworks.com/t5/general-topics/limting-globalprotect-client-access-via-ip-address/m-p/150398#M49944 <P>Is there a way to allow specific GlobalProtect users to only connect from specific public IP addresses? &nbsp;For example say I only wanted to allow user1 to connect from IP address 1.1.1.1, and if user1 connects from any other public IP address, or&nbsp;if user2 is trying to access from 1.1.1.1, to have that access be denied?</P><P>&nbsp;</P> Thu, 30 Mar 2017 13:54:39 GMT https://live.paloaltonetworks.com/t5/general-topics/limting-globalprotect-client-access-via-ip-address/m-p/150398#M49944 craig.brooker 2017-03-30T13:54:39Z https://live.paloaltonetworks.com/t5/general-topics/limting-globalprotect-client-access-via-ip-address/m-p/150466#M49957 <P>I can't really think of a clean way of doing this. The only way that you could limit the public IP to my knowledge is limit who can connected to a specified gateway and then assign the required public IP an access policy that would allow only them to get to the gateway IP. This of course would mean that you would have to have a gateway for any user that you wished to limit in this way.&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 30 Mar 2017 20:00:11 GMT https://live.paloaltonetworks.com/t5/general-topics/limting-globalprotect-client-access-via-ip-address/m-p/150466#M49957 BPry 2017-03-30T20:00:11Z https://live.paloaltonetworks.com/t5/general-topics/limting-globalprotect-client-access-via-ip-address/m-p/150467#M49958 <P>Hi Craig,</P><P>&nbsp;</P><P>No such option exists yet. The only thing (and is broader than what's asked) would be to allow select few IPs in the Security policies but it wouldn't have a user&lt;--&gt;IP pairing.</P><P>&nbsp;</P><P>Regards,</P><P>Anurag</P><P>&nbsp;</P> Thu, 30 Mar 2017 20:02:20 GMT https://live.paloaltonetworks.com/t5/general-topics/limting-globalprotect-client-access-via-ip-address/m-p/150467#M49958 ansharma 2017-03-30T20:02:20Z https://live.paloaltonetworks.com/t5/general-topics/limting-globalprotect-client-access-via-ip-address/m-p/158559#M51882 <P>As <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a>&nbsp;and also <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/51040">@ansharma</a>&nbsp;there's no clean way to it.</P><P>&nbsp;</P><P>But in addition to the solition of <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a>, there is may be another (really) unconventional way: Captive Portal. You could allow access to the global Protect Gateway only for your specific user, which will be presented the captive portal login form when he tries to connect with a browser. It also depends on the fact if you have the portal on the same device or on another (it would also work on different devices with user-id-redistribution) because this is probably the only valid website where you can put the captive portal in front of (as I assume you only want to limit the GP access and not access to other ressources which are may be in your DMZ)</P> Sun, 28 May 2017 11:59:17 GMT https://live.paloaltonetworks.com/t5/general-topics/limting-globalprotect-client-access-via-ip-address/m-p/158559#M51882 Remo 2017-05-28T11:59:17Z