I am new in PA matter, coming from Fortinet / Cisco (regarding to Firewall / UTM matter) and like to know if it is possible to have different geo location ip blocking restrictions / rules for the same service.
e.g. Access with Global Protect VPN
- Usergroup A: Only access with GP from Germany
- Usergroup B: Access with GP from whole Europe
Thanks all for reading and thinking about it
@MarkusMix if you take a look at this link then yes it should be doable from V8.
i did have a play but was adding my own regions, seemed pointless in the end as all our UK wifi is natted to the same IP...
anyhows... take a look here...
@MickBall I´ll test that but this is only for gp.
I guess for special web addresses, which we do host in DMZ, this is not possible, right?
for a web hosted in your DMZ, yes this is possible without GP.
create a security policy and add the region to the source address. you can also mix this with user groups, zones, applications etc...
User-ID on outside interface?
Is a very risky and dangerous idea. There have been vulnerabilties in the past about exploiting the user-id process (I think in ver 6 code) and the main factor was an admin had to enable user ID process on an externally facing zone.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!