GlobalProtect access policies

L1 Bithead

GlobalProtect access policies

If I want different GlobalProtect VPN users to have access to different resources, do I need to create separate Gateways and have the GP license?

L6 Presenter

Re: GlobalProtect access policies

Hi Jeff,

If you need different users to access different resources, then please create separate gateways; this doesn't require a GP license.

Thanks,

Sandeep T

L1 Bithead

Re: GlobalProtect access policies

Okay, thanks. So when I create a separate Gateway, should I be able to select the same interface and IP address for it? I haven't been able to do that. It's not an available choice. I select the same interface but am not able to use the same IP address. Basically I want the same configuration but with a smaller group of hosts to which the traffic will tunnel for different groups of users. Is there any documentation that shows this kind of configuration? Thanks.

L6 Presenter

Re: GlobalProtect access policies

This is expected. You cannot have two gateways with the same IP address; you need two IPs. In your case I cannot think of any way you can give different access to different hosts with one gateway. You can do this with two gateways, but you are hitting the IP address problem with this option.

L1 Bithead

Re: GlobalProtect access policies

Okay, just so I'm clear about this. I have one PAN firewall using one Untrust interface with an IP address. The GlobalProtect VPN gateway configuration I have allows users to access an A.B.C.D/16 network on the Trust side of the firewall.

But you're saying that there's no way to have another set of users use the GlobalProtect VPN to access a more limited set of hosts within that network, say A.B.C.D/24 or A.B.C.D/32. Do I have that right? Thanks again.

L6 Presenter

Re: GlobalProtect access policies

I missed the whole point of the users!! My bad. You can do it with source users.

Create a GlobalProtect gateway and allow the A.B.C.D/16 network for all users.

Now create security policies based on users, and in the security policies you can allow certain users to reach certain hosts.
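
The approach in the last reply, as an added example that is not part of the original thread: a small Python model of first-match evaluation over user-based security rules. The 10.20.0.0/16 and 10.20.5.0/24 networks stand in for A.B.C.D/16 and its smaller subset, and the user and group names are hypothetical.

```python
# Added illustration: models first-match evaluation of user-based security
# rules. Addresses, users and group names are constructed, not from the thread.
from ipaddress import ip_address, ip_network

# Constructed user-to-group mapping (a real firewall derives this from
# GlobalProtect logins plus directory group membership).
GROUPS = {
    "alice": {"vpn-full"},
    "bob": {"vpn-limited"},
}

# Ordered rulebase: (name, source groups, destination network, action).
# 10.20.0.0/16 stands in for A.B.C.D/16, 10.20.5.0/24 for the limited subset.
RULES = [
    ("limited-to-subset", {"vpn-limited"}, ip_network("10.20.5.0/24"), "allow"),
    ("full-to-trust", {"vpn-full"}, ip_network("10.20.0.0/16"), "allow"),
]


def evaluate(user, dest, rules=RULES):
    """Return (rule name, action) for the first rule matching user and destination."""
    groups = GROUPS.get(user, set())
    addr = ip_address(dest)
    for name, src_groups, net, action in rules:
        user_match = "any" in src_groups or bool(groups & src_groups)
        if user_match and addr in net:
            return name, action
    # Nothing matched: assumes the VPN tunnel sits in its own zone, so
    # traffic towards Trust falls to a default deny.
    return "default-deny", "deny"


# Misconfiguration: the broad rule left at source user "any" also matches
# members of the limited group, so the restriction has no effect.
LOOSE_RULES = [
    RULES[0],
    ("full-to-trust", {"any"}, ip_network("10.20.0.0/16"), "allow"),
]

if __name__ == "__main__":
    for user, dest in [("alice", "10.20.9.9"), ("bob", "10.20.5.10"), ("bob", "10.20.9.9")]:
        print(user, dest, evaluate(user, dest))
    print("loose:", evaluate("bob", "10.20.9.9", LOOSE_RULES))
```

The last case shows why the broad rule has to name the full-access group rather than any user: otherwise members of the limited group match it as well.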
