https://live.paloaltonetworks.com/t5/general-topics/restricting-specific-ad-groups-to-only-specific-ip-addresses-on/m-p/298291#M78179 <P>If you have the groups selected in group mapping "Group Include List" then simply add this group to the source user section of a policy.</P><P>&nbsp;</P><P>I may have assumed too much here but if so then just let us know and we can go back a step or 2.</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 13 Nov 2019 16:15:30 GMT Mick_Ball 2019-11-13T16:15:30Z https://live.paloaltonetworks.com/t5/general-topics/restricting-specific-ad-groups-to-only-specific-ip-addresses-on/m-p/298276#M78177 <P>So I'm going to preface this with the fact that I am not a network admin.&nbsp; Ours quit, so I was basically thrown this stuff.&nbsp; I have only ever done webfiltering on the palo alto.</P><P>I got global protect vpn setup using the help of a system engineer.&nbsp; We do the LDAP stuff for webfiltering and for vpn access.&nbsp; Users have to be a member of a specific group to be able to connect.&nbsp; That all works fine.</P><P>Problem is now they want me to set it up so that specific groups (other then just standard vpn users) are able to connect, but can only access certain things, mainly specific ip addresses.</P><P>How do I do that?&nbsp; Sorry for the vagueness.&nbsp; I've been thrown to the wolves and don't really know what I'm doing.</P> Wed, 13 Nov 2019 15:53:57 GMT https://live.paloaltonetworks.com/t5/general-topics/restricting-specific-ad-groups-to-only-specific-ip-addresses-on/m-p/298276#M78177 GregoryClark 2019-11-13T15:53:57Z https://live.paloaltonetworks.com/t5/general-topics/restricting-specific-ad-groups-to-only-specific-ip-addresses-on/m-p/298291#M78179 <P>If you have the groups selected in group mapping "Group Include List" then simply add this group to the source user section of a policy.</P><P>&nbsp;</P><P>I may have assumed too much here but if so then just let us know and we can go back a step or 2.</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 13 Nov 2019 16:15:30 GMT https://live.paloaltonetworks.com/t5/general-topics/restricting-specific-ad-groups-to-only-specific-ip-addresses-on/m-p/298291#M78179 Mick_Ball 2019-11-13T16:15:30Z https://live.paloaltonetworks.com/t5/general-topics/restricting-specific-ad-groups-to-only-specific-ip-addresses-on/m-p/298292#M78180 <P>or 5, or 7.</P> Wed, 13 Nov 2019 16:16:29 GMT https://live.paloaltonetworks.com/t5/general-topics/restricting-specific-ad-groups-to-only-specific-ip-addresses-on/m-p/298292#M78180 Mick_Ball 2019-11-13T16:16:29Z https://live.paloaltonetworks.com/t5/general-topics/restricting-specific-ad-groups-to-only-specific-ip-addresses-on/m-p/298301#M78183 <P>&nbsp;</P><P>If your ok with groups then you could do the following</P><P>&nbsp;</P><P>User Groups.....</P><P>GP user group.&nbsp; &nbsp;this group has all GP users in it. (you already use this for GP for connection)</P><P>GP server group. this group contains all users allowed to access servers.</P><P>GP FTP group. this group allows users to access ftp.</P><P>&nbsp;</P><P>then create address objects for server IP's&nbsp; &nbsp;and FTP IP's.</P><P>&nbsp;</P><P>so GP portal will allow GP user group to connect.</P><P>&nbsp;</P><P>Policy 1. allow GP server group access to server IP's</P><P>Policy 2 allow GP FTP group access to FTP IP's</P><P>Policy 3 allow GP user group access to all common factors, DNS, Internet etc...</P><P>&nbsp;</P> Wed, 13 Nov 2019 16:41:58 GMT https://live.paloaltonetworks.com/t5/general-topics/restricting-specific-ad-groups-to-only-specific-ip-addresses-on/m-p/298301#M78183 Mick_Ball 2019-11-13T16:41:58Z https://live.paloaltonetworks.com/t5/general-topics/restricting-specific-ad-groups-to-only-specific-ip-addresses-on/m-p/298385#M78200 <P>Hello,</P><P>Let us know how we can help! Here is a link to the admin guide for using user-id.</P><P><A href="https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-web-interface-help/user-identification/device-user-identification-group-mapping-settings.html" target="_blank">https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-web-interface-help/user-identification/device-user-identification-group-mapping-settings.html</A></P><P>&nbsp;</P><P>A lot of us use it extensively and can certainly help you out. The hardest thing is to remember the order of your policies so that it takes affect without getting denied.</P><P>&nbsp;</P><P>Super high level steps:</P><P>Create your AD group in AD</P><P>Add AD group to PAN</P><P>Create policy that uses the AD group and specify destination such as Mick pointed out.</P><P>&nbsp;</P><P>Regards,</P> Wed, 13 Nov 2019 23:19:19 GMT https://live.paloaltonetworks.com/t5/general-topics/restricting-specific-ad-groups-to-only-specific-ip-addresses-on/m-p/298385#M78200 OtakarKlier 2019-11-13T23:19:19Z