<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Setting Restricted Access to Certain GlobalProtect Users in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/setting-restricted-access-to-certain-globalprotect-users/m-p/13255#M9714</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;All,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I am a PA beginner so bear with me. I am trying to restrict access to only a few servers to several of our GlobalProtect VPN users. I could set these users into groups but how would I restrict access for each group? We have a PA-500 with 5.0.6 OS version. Let me know if any other info is needed.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Any help would be appreciated!&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Troy&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Mon, 16 Dec 2013 21:08:29 GMT</pubDate>
    <dc:creator>TroyFlex</dc:creator>
    <dc:date>2013-12-16T21:08:29Z</dc:date>
    <item>
      <title>Setting Restricted Access to Certain GlobalProtect Users</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/setting-restricted-access-to-certain-globalprotect-users/m-p/13255#M9714</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;All,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I am a PA beginner so bear with me. I am trying to restrict access to only a few servers to several of our GlobalProtect VPN users. I could set these users into groups but how would I restrict access for each group? We have a PA-500 with 5.0.6 OS version. Let me know if any other info is needed.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Any help would be appreciated!&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Troy&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 16 Dec 2013 21:08:29 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/setting-restricted-access-to-certain-globalprotect-users/m-p/13255#M9714</guid>
      <dc:creator>TroyFlex</dc:creator>
      <dc:date>2013-12-16T21:08:29Z</dc:date>
    </item>
    <item>
      <title>Re: Setting Restricted Access to Certain GlobalProtect Users</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/setting-restricted-access-to-certain-globalprotect-users/m-p/13256#M9715</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Troy,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;You would need to have separate gateways configured for the different groups in the GP Portal configuration, and then in the Gateway configuration, you would restrict access to the particular users of a group using the access routes.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Whatever networks you configure in the Access Route section of the Client Configuration (Gateway) are the only resources that the users in the particular group have access to.&lt;/P&gt;&lt;P&gt;This would be a split tunnel for your users where traffic to these configured networks/servers would route through the VPN tunnel, and the rest of their regular internet traffic would go out through their traditional default gateway.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Regards,&lt;/P&gt;&lt;P&gt;tasonibare&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 16 Dec 2013 21:31:24 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/setting-restricted-access-to-certain-globalprotect-users/m-p/13256#M9715</guid>
      <dc:creator>tasonibare</dc:creator>
      <dc:date>2013-12-16T21:31:24Z</dc:date>
    </item>
    <item>
      <title>Re: Setting Restricted Access to Certain GlobalProtect Users</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/setting-restricted-access-to-certain-globalprotect-users/m-p/13257#M9716</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hello &lt;A href="https://live.paloaltonetworks.com/u1/25617"&gt;troyflex&lt;/A&gt;,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;The question is to find the best way to restrict or control access for the users who are connecting through GP to internal resources.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;1&amp;gt; So some users (User-set A) should have access to only a few servers and the other set of users (User-set B) should have access to all. The GP tunnel should end in a VPN zone. If GP is configured directly in the Trust zone, we cannot use the flexibility of security rules.&lt;/P&gt;&lt;P&gt;In the security rules, add rule1 -&amp;gt; to let just User-set A access the few servers. Users can be made a local group, or just add those user IPs in the security rule. Make a rule2 -&amp;gt; for User-set B, where they have access to all. By doing so we are providing specific access to each group. Remember to always have the specific rule at the top and the more generic rule at the bottom while designing security rules.&lt;/P&gt;&lt;P&gt;2&amp;gt; If we have LDAP groups configured on the PAN, then we can create security rules for just the selected users to access servers by giving the User-ID in the rules.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Hope this is clear!&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 17 Dec 2013 00:06:17 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/setting-restricted-access-to-certain-globalprotect-users/m-p/13257#M9716</guid>
      <dc:creator>Phoenix</dc:creator>
      <dc:date>2013-12-17T00:06:17Z</dc:date>
    </item>
    <item>
      <title>Re: Setting Restricted Access to Certain GlobalProtect Users</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/setting-restricted-access-to-certain-globalprotect-users/m-p/13258#M9717</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Thanks for the replies! Phoenix, it looks like GP is part of our Trust Zone. So what I would have to do is remove GP from the Trust Zone and create a zone just for the GP VPN and then I would be able to apply access rules to the user groups? Let me know if I have that right.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Tasonibare, we might not have enough gateways for all the different groups we are going to have. To be clear, when I configure another gateway, I need to have another external IP address to set as that gateway? Let me know if I am correct in assuming this.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks for the help, guys.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Troy&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 17 Dec 2013 20:59:55 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/setting-restricted-access-to-certain-globalprotect-users/m-p/13258#M9717</guid>
      <dc:creator>TroyFlex</dc:creator>
      <dc:date>2013-12-17T20:59:55Z</dc:date>
    </item>
    <item>
      <title>Re: Setting Restricted Access to Certain GlobalProtect Users</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/setting-restricted-access-to-certain-globalprotect-users/m-p/13259#M9718</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hello Troyflex,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;You are right, that is exact!&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 17 Dec 2013 21:28:10 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/setting-restricted-access-to-certain-globalprotect-users/m-p/13259#M9718</guid>
      <dc:creator>Phoenix</dc:creator>
      <dc:date>2013-12-17T21:28:10Z</dc:date>
    </item>
  </channel>
</rss>

