topic Re: VPN Access in General Topics

VPN Access

jdprovine — Fri, 21 Apr 2017 18:01:52 GMT

How do you configure the globalprotect VPN's so they won't route on the internal network but will only let users access it from outside the internal network

Re: VPN Access

OtakarKlier — Fri, 21 Apr 2017 18:49:04 GMT

Hello,

Are you referring to preventing internal users from connecting to the external GP gateway so they cannot VPN while on the internal network?

Please advise,

Re: VPN Access

BPry — Fri, 21 Apr 2017 18:53:58 GMT

@jdprovine,

Can you fill us in on how your setup looks currently so that we can actually give you the proper recommendation. Depending on how this was configured there are quite a few ways to actually accomplish this.

Re: VPN Access

jdprovine — Fri, 21 Apr 2017 19:23:42 GMT

Its set up with a gateway aand a protal using a loopback interface,tunnel, AD-LDAP authentication and we connect using the global protect client.

Re: VPN Access

BPry — Fri, 21 Apr 2017 20:58:11 GMT

So your internal users are connecting to the public facing IP of your gateway correct? If that is the case then you could just build a security policy to deny the internal zone to your public IP for example set rulebase security rules "Deny Internal Users to GP" from trust source 10.191.0.0/16 to untrust destination 174.175.176.178 action deny log-start no log-end yes

Better yet if you have it in it's own zone then simply deny the internal users from your GP zone. As long as you allow traffic from your GP zone to your trust zone then you'll be good to go.

Re: VPN Access

jdprovine — Fri, 21 Apr 2017 21:02:07 GMT

Correct on your description and I will check it out