topic Re: How to control global protect resources access by username in General Topics

How to control global protect resources access by username

myasin — Sun, 06 Aug 2017 11:28:46 GMT

I want to control access to resources "for users connecting through global protect" by username level.

How to do this?

And which is better assign the tunnel interface to a new zone or to the trust-zone?

Thanks

Re: How to control global protect resources access by username

TranceforLife — Sun, 06 Aug 2017 11:57:37 GMT

I think the best way to have a new zone for teh GP tunnel interface and for the user access control you need user-id enabled with AD integration.

Agentless (buildin):

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-Agentless-User-ID/ta-p/62122

Agent software installation:

https://www.youtube.com/watch?v=pqNCSNJicKU

Re: How to control global protect resources access by username

Remo — Sun, 06 Aug 2017 16:02:45 GMT

Hi @myasin

There is no 'right' configuration in your situation. It depends on some more details:

Is the c2s vpn for internal or external employees?
Will the users use their private computers or corpotate ones?
If company computers will be used: are these devices completely under your or your companys control (updates, antivirus, group policies - if AD integrated, ...)?
How much do you trust these devices which connect by vpn?
Do you have internet access for internal clients on the same firewall?
What do you use for vpn login: AD users or local firewallusers or may be users stored on a radius server?
Do you intend to use full or split tunneling?

In most cases it is the best way to use a separate zone for the tunnel interface...

User-ID also works with local firewallusers. You can simply enter the usernames into the security policy to restrict access to specific users and/or groups. But if you use AD users there are some more steps needed to get there (-->links posted by @TranceforLife).

Regards,

Remo

Re: How to control global protect resources access by username

myasin — Mon, 07 Aug 2017 07:54:18 GMT

-------------------------------------------------------

Is the c2s vpn for internal or external employees? (for external employees connecting from home)
Will the users use their private computers or corpotate ones? (both)
If company computers will be used: are these devices completely under your or your companys control (updates, antivirus, group policies - if AD integrated, ...)? (corporate devices under full control)
How much do you trust these devices which connect by vpn?
Do you have internet access for internal clients on the same firewall? (yes same firewall)
What do you use for vpn login: AD users or local firewallusers or may be users stored on a radius server? (both)
Do you intend to use full or split tunneling? (split)

----------------------------------------------------------

So if I want to use the local user database, then all what I need is to enable user identification under the zone assigned for the tunnel interface, and then reference the users in the policies from untrust to the new zone, right?

But what will be the case for the AD users scenario?

And can I use both local and AD users simultanously for the VPN authentication?

Thanks

Re: How to control global protect resources access by username

myasin — Mon, 07 Aug 2017 08:01:03 GMT

-------------------------------------------------------

Is the c2s vpn for internal or external employees? (for external employees connecting from home)
Will the users use their private computers or corpotate ones? (both)
If company computers will be used: are these devices completely under your or your companys control (updates, antivirus, group policies - if AD integrated, ...)? (corporate devices under full control)
How much do you trust these devices which connect by vpn?
Do you have internet access for internal clients on the same firewall? (yes same firewall)
What do you use for vpn login: AD users or local firewallusers or may be users stored on a radius server? (both)
Do you intend to use full or split tunneling? (split)

----------------------------------------------------------

But what will be the case for the AD users scenario?

And can I use both local and AD users simultanously for the VPN authentication?

Thanks

Re: How to control global protect resources access by username

Mick_Ball — Mon, 07 Aug 2017 08:36:12 GMT

can i just ask,,, What form of authentication are they using,,,

Re: How to control global protect resources access by username

myasin — Mon, 07 Aug 2017 08:41:34 GMT

Its still under setup.

Will use local and AD auth for global protect connecting users.

Re: How to control global protect resources access by username

Mick_Ball — Mon, 07 Aug 2017 09:03:06 GMT

-----Correct

But what will be the case for the AD users scenario?

-----/Device/user Identification/Group Mapping Settings.

you will need an LDAP profile to connect to AD. In the settings you can select particular groups and then add these (or individual users in the groups) to the policies.

And can I use both local and AD users simultanously for the VPN authentication?

------ I prefer individual Portals/Gateways for different auths but if this is not practicle then you can use.......

/Device/Authentication Sequence.

it will try all auth requests from top to bottom until it finds a match.

Re: How to control global protect resources access by username

myasin — Mon, 07 Aug 2017 09:26:01 GMT

For the authentication sequence, can we authenticate over both local and LDAP simultanously, or will be checked in sequence "like Local Checked only if LDAP wasnt reachable"?

Re: How to control global protect resources access by username

Remo — Mon, 07 Aug 2017 09:51:16 GMT

It will be checked in sequence. And the profiles will be checked in order you configured it until the user is found.

So in your case, local wil also checked if LDAP is available but the user wasn't in your AD

Re: How to control global protect resources access by username

Mick_Ball — Mon, 07 Aug 2017 09:59:14 GMT

I can see that vsys_remo has answered if full but alreay typed my answer so will post.

Yes you can use Authentication Sequence for multiple auths at the same time.

It was introduced to get around the issue of different auth options for the same portal/gateway.

unfortunately it doesn't include certificate auth (happy to be corrected)

if your sequence is as follows

1. LDAP

2. Local

it will try 1.LDAP first. if 1.LDAP returns unreachable, unknown user, bad username or password or anything else that is not accepted it will then try 2.Local.

you will need to create "Authentication Profiles" for all of your authentication options and then add them in your preferred order to "Authentication Sequence".