https://live.paloaltonetworks.com/t5/general-topics/restrict-vpn-users-to-certain-applications/m-p/217233#M62856 <P>User ID and AD Groups is how we do it.&nbsp;</P><P>The rule look like this take for example SSL only</P><P>&nbsp;</P><P>NAME, SRC Zone=GlobalProtect, Source Address=IP Range of the GP Clients, Src User: DOMAIN\Group name, DestZone= Internal, Dest Address = Group things they need to access, Application=SSL, Service = Port if necessary.&nbsp; ALLOW</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 08 Jun 2018 19:38:49 GMT Retired Member 2018-06-08T19:38:49Z https://live.paloaltonetworks.com/t5/general-topics/restrict-vpn-users-to-certain-applications/m-p/217208#M62852 <P>Is there a way to restrict some VPN users to only be able to access some applications (ports / servers)?</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 08 Jun 2018 17:21:21 GMT https://live.paloaltonetworks.com/t5/general-topics/restrict-vpn-users-to-certain-applications/m-p/217208#M62852 jcalvert 2018-06-08T17:21:21Z https://live.paloaltonetworks.com/t5/general-topics/restrict-vpn-users-to-certain-applications/m-p/217232#M62855 <P>Absolutely.</P><P>Palo is using positive enforcement&nbsp; model - everything that is not permitted is blocked by default.</P><P>Are your VPN using landing in dedicated VPN zone?</P><P>Best practice would be to permit based on users/groups what they need.</P><P>If you allow any then you have to block things that you don't want those specific users to access.</P> Fri, 08 Jun 2018 19:20:32 GMT https://live.paloaltonetworks.com/t5/general-topics/restrict-vpn-users-to-certain-applications/m-p/217232#M62855 Raido_Rattameister 2018-06-08T19:20:32Z https://live.paloaltonetworks.com/t5/general-topics/restrict-vpn-users-to-certain-applications/m-p/217233#M62856 <P>User ID and AD Groups is how we do it.&nbsp;</P><P>The rule look like this take for example SSL only</P><P>&nbsp;</P><P>NAME, SRC Zone=GlobalProtect, Source Address=IP Range of the GP Clients, Src User: DOMAIN\Group name, DestZone= Internal, Dest Address = Group things they need to access, Application=SSL, Service = Port if necessary.&nbsp; ALLOW</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 08 Jun 2018 19:38:49 GMT https://live.paloaltonetworks.com/t5/general-topics/restrict-vpn-users-to-certain-applications/m-p/217233#M62856 Retired Member 2018-06-08T19:38:49Z https://live.paloaltonetworks.com/t5/general-topics/restrict-vpn-users-to-certain-applications/m-p/217254#M62860 <P>This is very helpful.&nbsp; We haven't implemented UserID yet, any way to do this with local users?</P><P>&nbsp;</P> Fri, 08 Jun 2018 21:18:48 GMT https://live.paloaltonetworks.com/t5/general-topics/restrict-vpn-users-to-certain-applications/m-p/217254#M62860 jcalvert 2018-06-08T21:18:48Z https://live.paloaltonetworks.com/t5/general-topics/restrict-vpn-users-to-certain-applications/m-p/217255#M62861 <P>I assume that by VPN you mean GlobalProtect.</P><P>Sure you can use local users. GlobalProtect will identify users and you can see them in Monitor &gt; Traffic under Source User Tab.</P> Fri, 08 Jun 2018 21:49:53 GMT https://live.paloaltonetworks.com/t5/general-topics/restrict-vpn-users-to-certain-applications/m-p/217255#M62861 Raido_Rattameister 2018-06-08T21:49:53Z