This document describes how to configure reserved IPs for GlobalProtect.
Symptom
Currently, there is no way to reserve a fixed IP address for a GlobalProtect user who connects to the gateway.
Workaround
See the following workarounds to resolve the symptom:
Use the registry to give a preferred IP address to the client
From the WebGUI, Go to Network > GlobalProtect > Gateways and edit the appropriate Gateway.
Go to Agent > Client Settings and edit the appropriate Client Config.
Go to the IP Pools tab.
The GlobalProtect user is offered the first IP address defined in the pool. In the following scenario that address is 10.200.200.101:
From the CLI, use the following command to confirm that the user received the expected address:
> show global-protect-gateway current-user
GlobalProtect Gateway: GP-GW-2 (1 users)
Tunnel Name : GP-GW-2-N
Domain-User Name : al\emea
Computer : ILIJA_WIN7_DMZ
Client : Microsoft Windows 7 Enterprise Edition Service Pack 1, 32-bit
Mobile ID :
Private IP : 10.200.200.101
Public IP : 10.193.83.98
ESP : exist
SSL : none
Login Time : Dec.31 14:57:36
Logout/Expiration : Jan.30 14:57:36
TTL : 2591981
Inactivity TTL : 10796
On its next connection the client tells the gateway that it has a preferred IP address; if that address is free, the gateway assigns it again. This is a request from the client, not a reservation held by the gateway: nothing stops another client from taking the address first.
If the IP pool is large enough that the preferred IP is always available, the user should in theory always get the same IP. The preference is configured by editing the registry on the client machine:
Under HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\PanGPS\PreferredIP, add the desired IP.
Set the preferred IP address to an address at the high end of the pool (in this case 10.200.200.150). Here the pool holds 50 IP addresses and no more than 50 users are expected to connect concurrently, so the last IP is always free on the gateway and can be used by this client.
When the user reconnects, the gateway shows the following:
> show global-protect-gateway current-user
GlobalProtect Gateway: GP-GW-2 (1 users)
Tunnel Name : GP-GW-2-N
Domain-User Name : al\emea
Computer : ILIJA_WIN7_DMZ
Client : Microsoft Windows 7 Enterprise Edition Service Pack 1, 32-bit
Mobile ID :
Private IP : 10.200.200.150
Public IP : 10.193.83.98
ESP : exist
SSL : none
Login Time : Dec.31 15:00:15
Logout/Expiration : Jan.30 15:00:15
TTL : 2591981
Inactivity TTL : 10798
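The client-side registry step above, as an added example that is not from the original article: run elevated on the GlobalProtect client, it computes the last address of the pool and writes it as the preferred IP, then reads the value back. It assumes the article's pool (start 10.200.200.101, 50 addresses) and that PreferredIP is a REG_SZ value under the PanGPS key; the value type is an assumption.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell
# session on the GlobalProtect client. Assumed: pool 10.200.200.101 with 50
# addresses (as in the article) and PreferredIP stored as a REG_SZ value under
# the PanGPS key (the value type is an assumption).
param(
    [string]$PoolStart = '10.200.200.101',
    [int]$PoolSize = 50
)

$KeyPath = 'HKLM:\SOFTWARE\Palo Alto Networks\GlobalProtect\PanGPS'

function ConvertTo-IPv4Int {
    param([string]$Ip)
    $addr = [System.Net.IPAddress]::Parse($Ip)
    if ($addr.AddressFamily -ne 'InterNetwork') { throw "$Ip is not an IPv4 address" }
    $bytes = $addr.GetAddressBytes()
    [Array]::Reverse($bytes)   # network order -> little-endian for BitConverter
    return [int64][BitConverter]::ToUInt32($bytes, 0)
}

function ConvertFrom-IPv4Int {
    param([int64]$Value)
    $bytes = [BitConverter]::GetBytes([uint32]$Value)
    [Array]::Reverse($bytes)
    return ([System.Net.IPAddress]::new($bytes)).ToString()
}

# Highest address of the pool: start + (size - 1). With the article's pool this
# yields 10.200.200.150, the address least likely to be handed to anyone else.
$PreferredIP = ConvertFrom-IPv4Int ((ConvertTo-IPv4Int $PoolStart) + $PoolSize - 1)

# Create the PanGPS key if the agent has not written it yet, then set the value.
if (-not (Test-Path -Path $KeyPath)) {
    New-Item -Path $KeyPath -Force | Out-Null
}
Set-ItemProperty -Path $KeyPath -Name 'PreferredIP' -Value $PreferredIP -Type String

# Read the value back so a typo does not silently leave the client with no preference.
$actual = (Get-ItemProperty -Path $KeyPath -Name 'PreferredIP').PreferredIP
if ($actual -ne $PreferredIP) {
    throw "PreferredIP reads back as '$actual', expected '$PreferredIP'"
}
Write-Host "PreferredIP=$actual written under $KeyPath; reconnect GlobalProtect and verify with 'show global-protect-gateway current-user' on the firewall."
```

The preference only takes effect on the client's next connection, and the gateway still hands the address to whoever asks first, so confirm the Private IP on the firewall after reconnecting.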
Create an extra gateway for that particular user by defining the source user in the GlobalProtect configuration and assigning a dedicated pool to that gateway. The user gets the first IP address from the pool, because nobody else shares it.
Note: The smallest pool that can be defined is a /30; it is not possible to add a subnet with a /32 mask. This capability exists for the more common use case of giving specific user groups different configurations and network settings, so it does not scale to dozens of individual IPs, but for a single user it works fine.
If, as in the example above, the user still gets different IP addresses from the pool, define a static source NAT between the SSLVPN zone and the Trust zone so that traffic from the VPN user is seen from a single IP address on the Trust side.
Note: These workarounds are intended for limited use; for proper functionality, a feature request must be submitted.