If I want different GlobalProtect VPN users to have access to different resources, do I need to create separate Gateways and have the GP license?
If you need different users to access different resources, then please create separate gateways; this doesn't require a GP license.
Okay, thanks. So when I create a separate Gateway, should I be able to select the same interface and IP address for it? I haven't been able to do that. It's not an available choice. I select the same interface but am not able to use the same IP address. Basically I want the same configuration but with a smaller group of hosts to which the traffic will tunnel for different groups of users. Is there any documentation that shows this kind of configuration? Thanks.
This is expected. You cannot have two gateways with the same IP address; you need two IPs. In your case I cannot think of anything with which you can give different access to different hosts with one gateway. You can do this with two gateways, but you are hitting the IP address problem with this option.
Okay, just so I'm clear about this. I have one PAN firewall using one Untrust interface with an IP address. The GlobalProtect VPN gateway configuration I have allows users to access an A.B.C.D/16 network on the Trust side of the firewall.
But you're saying that there's no way to have another set of users use the GlobalProtect VPN to access a more limited set of hosts within that network, say A.B.C.D/24 or A.B.C.D/32. Do I have that right? Thanks again.
I missed the whole point of the users!! My bad. You can do it with source users.
Create a GlobalProtect gateway and allow the A.B.C.D/16 network for all users.
Now create security policies based on users and in security policies you can allow certain users to reach certain hosts.
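As an added example (not from the thread or from Palo Alto documentation), the user-based approach in the last reply could look like this in PAN-OS set-command form, with the broad rule shown beside the scoped ones. The zone names, address objects, group names and 10.20.x.x addresses are constructed placeholders, and lines starting with `#` are annotations, not commands.

```text
# Constructed placeholders: zones gp-vpn and trust, 10.20.0.0/16, groups example\gp-*
set address trust-net-16 ip-netmask 10.20.0.0/16
set address app-host-32 ip-netmask 10.20.5.10/32

# Too broad: every authenticated GlobalProtect user reaches the whole /16
# set rulebase security rules GP-All from gp-vpn to trust source any source-user any destination trust-net-16 application any service application-default action allow

# Scoped: the restricted group reaches one host, the staff group reaches the /16
set rulebase security rules GP-Contractors-Host from gp-vpn to trust source any source-user "example\gp-contractors" destination app-host-32 application any service application-default action allow
set rulebase security rules GP-Staff-Net from gp-vpn to trust source any source-user "example\gp-staff" destination trust-net-16 application any service application-default action allow
```

Security rules are evaluated top-down and the first match wins, so a rule allowing the /16 with `source-user any` placed above the scoped rules would give the restricted group full access. Matching on group names also requires group mapping to be configured on the firewall.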