topic Re: Global Protect pre-logon and user IP Pools in General Topics

Global Protect pre-logon and user IP Pools

markdaniel — Tue, 22 Jun 2021 08:44:02 GMT

I'm wondering if anyone can help. We have global protect setup and i want to use the same IP Pool for pre-logon user's, and once authenticated have that same IP pool used for the user. So when i am setting this up in the client settings area of the Global Protect gateway area, i would like to add a pre-logon profile with a pool, then add the users profile with the same IP Pool. Attached is a screen shot of the configuration area

Re: Global Protect pre-logon and user IP Pools

markdaniel — Wed, 23 Jun 2021 15:01:05 GMT

...

Re: Global Protect pre-logon and user IP Pools

S.Cantwell — Tue, 22 Jun 2021 17:23:01 GMT

Hello there.

I have tried this before, and the OS will not allow it. What I typically do, is take a /24 and break it into a /25.

This way half of your prelogin will get a subnet that is still routable, so when they actually log onto the computer (user login) they are getting a different IP from the 2nd subnet... but from a routing table perspective, you can just add a /24 to your routing table to route the traffic to your FW (default gateway)

Re: Global Protect pre-logon and user IP Pools

Mick_Ball — Tue, 22 Jun 2021 19:25:45 GMT

Hi @markdaniel , sorry to ask as may have misread post but if you require the same pool then why create a separate profile for pre logon users...?

Re: Global Protect pre-logon and user IP Pools

markdaniel — Wed, 23 Jun 2021 07:54:45 GMT

We have multiple user profiles in the client settings for different customers, not all of them use pre-logon. We have one set of customers that use pre-logon so we have a pre-logon profile and an users profile in the client settings. They both have different IP pools. My question is, can we somehow have the ip pools the same for the 2 client profiles or not?

Re: Global Protect pre-logon and user IP Pools

S.Cantwell — Wed, 23 Jun 2021 13:19:12 GMT

The answer is no.

Thank you.

Re: Global Protect pre-logon and user IP Pools

markdaniel — Wed, 23 Jun 2021 14:47:32 GMT

OK thanks, I'm happy to accept, can you point me at any documentation to say that isn't supported? or is it supported in version 10?

Re: Global Protect pre-logon and user IP Pools

S.Cantwell — Wed, 23 Jun 2021 14:58:03 GMT

I can show via 2 screen shots

Here, i just cloned my gateway config, to simulate wanting to have the same subnet used by 2 profiles

When I commit, the validation fails and you cannot commit.

As I mentioned, I have experienced this first hand. My recommendation is that you define (2) /25 subnets, one for prelogin and one for your remaining users.

Re: Global Protect pre-logon and user IP Pools

Mick_Ball — Wed, 23 Jun 2021 15:03:41 GMT

Oh I see.... but what would happen if you did not put IP pools in each of the gateway\client\configs and put one big pool in the gateway\agent\client ip pool? would each user get their own profile (for whatever reason) and all share the same pool...?

Re: Global Protect pre-logon and user IP Pools

Remo — Wed, 23 Jun 2021 23:08:38 GMT

With the proposal of @Mick_Ball it definately is possible to have the same IP pool for different client settings. But as @markdaniel wrote there are also different customers on that same gateway so I don't know if it is ok if all these users from different customers are in the same IP pool. Another possibility would be to add multiple global protect gateways - one for each customer or one for clients without pre logon and one for prelogon users. This way everythings can be separated even better. Portal could still be the same for the diffetent customers.

Re: Global Protect pre-logon and user IP Pools

markdaniel — Thu, 24 Jun 2021 11:06:32 GMT

Thanks for your response but we only have the 1 VM-Series Firewall.

Re: Global Protect pre-logon and user IP Pools

Remo — Thu, 24 Jun 2021 15:11:23 GMT

@markdaniel Even on one firewall you can have more than one global protect gateway configuration.