topic Re: Global Protect User Mapping in General Topics

Global Protect User Mapping

rjdahav163 — Fri, 08 May 2020 06:18:00 GMT

Hi Folks,

We have following scenario and unsure how to do it. Please let me know your thoughts:

We have VM Palo Alto and we are implementing Global Protect.

The Global Protect Portal and Gateway would be one and the same VM.

We are planning to only have only one VPN link/URL which will be given to our customers.

Now, we are planning to create all the users who will access Global Protect VPN to be created as users in PA Local User Database.

Now,

Customer A has employees a1,a2,a3.. who will access VPN

Customer B has employees b1,b2,...

Customer C has employees c1,c2,c3...

and so on as need grows.

Now,

Customer A employees can access only 10.1.1.0/24 from our internal network

Customer B employees can access only 10.1.2.0/24 from our internal network

Customer C employees can access only 10.1.3.0/24 from our internal network

How can this be done?

1. Do I need different IP pools per customer?

2. Can users be assigned static IP addresses when they connect to VPN? i.e. each time same address?

3. How can I bind users to customers? Or I dont need to do this?

I think I can do this somewhere in Gateway Config under client settings probably. But need your guidance here.

Any pointers appreciated.

Thanks!

Re: Global Protect User Mapping

andeporter — Fri, 08 May 2020 20:48:11 GMT

Rjdahav,

It seems like you have a pretty good handle on how to accomplish this.

You've already established that each set of customers will need their own IP address/range pool based on the fact that they all need to have restrictions to separate, internal ranges.

Customer A - Global protect pool of something like 172.16.1.0/24 to 10.1.1.0/24 from our internal network

Customer B - Global protect pool of something like 172.16.2.0/24 to 10.1.2.0/24 from our internal network

Customer C - Global protect pool of something like 172.16.3.0/24 to 10.1.3.0/24 from our internal network

The control can then be established via the routing setup for each group.

Can a user get the same IP address via Global Protect each time? Yes, but why would you want/need this?

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClIMCA0

I'm not sure what you mean by "bind users to customers". Can you give me a little more background here?

HTH.

Thx,

Ap.

Re: Global Protect User Mapping

rjdahav163 — Sun, 10 May 2020 23:58:42 GMT

Hi @andeporter

Thanks for your reply.

I can understand, "bind users to customer" is a bit confusing.

I wanted to ask, how will the PA identify that when person a1 logs in, a1 should be given an IP reserved for customer A (172.16.1.0/24 from your reply)? How would PA know which person belongs to which customer since they will all have same URL to connect to.

I will also start simulating this more in our lab scenario and probably it will be more clear to me.

Thanks!

Re: Global Protect User Mapping

andeporter — Mon, 11 May 2020 22:15:45 GMT

I think I understand your question a little better now.

So there are a number of different ways to do that. I would start by looking at your options in the Config Selection Criteria section of your GlobalProtect Portal Configuration:

Network Tab >> GlobalProtect >> Portals >> Click the portal >> Agent tab on the left >> GP Client Config settings >> Config Selection Criteria >> Device Checks or Custom Checks

From there you can assign different portals/profiles.

HTH

Thx,

Ap.

Re: Global Protect User Mapping

Mick_Ball — Tue, 12 May 2020 08:39:41 GMT

perhaps i have not understood your question but why not do this via a policy. source users a1,a2,a3 destination 10.1.1.0/24 allow source users b1,b2,b3 destination 10.1.2.0/24 allow source users c1,c2,c3 destination 10.1.3.0/24 allow and just have one ip pool for all users...