Geolocation ip address blocking | Different access for different user groups

L1 Bithead

Geolocation ip address blocking | Different access for different user groups

Hello,

I am new to PA matters, coming from Fortinet / Cisco (regarding firewall / UTM matters), and would like to know if it is possible to have different geolocation IP blocking restrictions / rules for the same service.

e.g. access with GlobalProtect VPN

- Usergroup A: Only access with GP from Germany

- Usergroup B: Access with GP from whole Europe

Thanks all for reading and thinking about it.

Best regards,

Markus

L7 Applicator

Re: Geolocation ip address blocking | Different access for different user groups

@MarkusMix if you take a look at this link then yes, it should be doable from v8.

I did have a play but was adding my own regions; it seemed pointless in the end as all our UK Wi-Fi is NATed to the same IP...

Anyhow... take a look here...

https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-new-features/globalprotect-features/external-gat...

L1 Bithead

Re: Geolocation ip address blocking | Different access for different user groups

@MickBall I'll test that, but this is only for GP.

I guess for special web addresses, which we host in the DMZ, this is not possible, right?

L7 Applicator

Re: Geolocation ip address blocking | Different access for different user groups

For a web server hosted in your DMZ, yes, this is possible without GP.

Create a security policy and add the region to the source address. You can also mix this with user groups, zones, applications etc...

L1 Bithead

Re: Geolocation ip address blocking | Different access for different user groups

User-ID on outside interface?

L6 Presenter

Re: Geolocation ip address blocking | Different access for different user groups

@MarkusMix wrote:

User-ID on outside interface?

That is a very risky and dangerous idea. There have been vulnerabilities in the past about exploiting the User-ID process (I think in version 6 code), and the main factor was that an admin had to enable the User-ID process on an externally facing zone.
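As an added example (not posted by anyone in this thread), a small audit script for the two points above: it reads an exported PAN-OS XML configuration, lists zones with User-ID enabled so an externally facing zone stands out, and flags allow rules from the external zone whose source is "any" rather than a region. The XML below is a constructed sample, and the element names (zone/enable-user-identification, rulebase/security/rules, source/member, source-user/member) are assumed to match the export layout; check them against your own export.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like an exported PAN-OS config (not a real export):
# User-ID is enabled on the untrust zone, one DMZ web rule is limited to the
# region DE and a user group, and a second rule is open to any source.
SAMPLE_CONFIG = """<config>
 <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
  <zone>
   <entry name="untrust"><enable-user-identification>yes</enable-user-identification></entry>
   <entry name="dmz"/>
  </zone>
  <rulebase><security><rules>
   <entry name="web-groupA-DE">
    <from><member>untrust</member></from><to><member>dmz</member></to>
    <source><member>DE</member></source>
    <source-user><member>example\\groupA</member></source-user>
    <action>allow</action>
   </entry>
   <entry name="web-any-src">
    <from><member>untrust</member></from><to><member>dmz</member></to>
    <source><member>any</member></source>
    <source-user><member>any</member></source-user>
    <action>allow</action>
   </entry>
  </rules></security></rulebase>
 </entry></vsys></entry></devices>
</config>"""

VSYS = "./devices/entry/vsys/entry"  # assumed single-vsys export layout

def userid_enabled_zones(root):
    """Names of zones that have User-ID enabled (should never include an external zone)."""
    return sorted(z.get("name") for z in root.findall(VSYS + "/zone/entry")
                  if z.findtext("enable-user-identification") == "yes")

def rules_without_region(root, external_zone):
    """Allow rules entering from external_zone whose source is 'any' instead of a region."""
    hits = []
    for r in root.findall(VSYS + "/rulebase/security/rules/entry"):
        froms = [m.text for m in r.findall("from/member")]
        srcs = [m.text for m in r.findall("source/member")]
        if external_zone in froms and r.findtext("action") == "allow" and "any" in srcs:
            hits.append(r.get("name"))
    return hits

def audit(xml_text, external_zone="untrust"):
    """Return human-readable findings for the two checks discussed in the thread."""
    root = ET.fromstring(xml_text)
    findings = []
    if external_zone in userid_enabled_zones(root):
        findings.append(f"User-ID enabled on external zone {external_zone}")
    for name in rules_without_region(root, external_zone):
        findings.append(f"rule {name}: allow from {external_zone} with source any")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```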
