One GP portal, forward select users to alternate firewall zone?

L0 Member

One GP portal, forward select users to alternate firewall zone?

Hi all,


We currently have a single GlobalProtect gateway, single portal VPN configuration which happens to work really well (currently running on a single PA-3020). This gateway/portal combination first authenticates against LDAP (employees) and then against the local user database.


What I'd like to do, however, is add support for vendors and contractors who need limited/temporary access to select resources on our network by way of our VPN. I have a local (local to the firewall) user group full of such accounts. What I'd like to know is if there is a way to redirect users from this aforementioned vendors group that have logged into the same GP portal and gateway into another zone that is highly restricted and let employees have less restricted access.


My thinking may be off, but what I did is created an arbitrary VLAN and then added it to a highly restricted "vendor-vpn" zone. The VLAN interface is connected to a virtual router that can route traffic to the intranet (naturally if security policy allows). My main question is, is there an easy way to route such users from the GP gateway to the vendor vlan? My thought was to use a PBF policy rule, but I'm not experienced with them, and they're for egress traffic leaving the firewall.


Basically the idea is to segment/isolate such users from the employees immediately after login and drop them into a highly restrictive area that they can't get out of unless I explicitly allow via security policy rules.


Is it doable? Considering I only have one public IP to operate any VPN service on, is there a better way?

L7 Applicator

Re: One GP portal, forward select users to alternate firewall zone?


You wouldn't really need to do anything that complicated if you don't want to. You could simply modify the Agent Client Settings options in the Gateway configuration. This would allow you to make it so that certain users were granted a seperate IP Pool and Access Routes. 

Depending on how granular you would be looking to get you could make it so that user 'bpry' was given an IP of and was only given an Access Route of You could then build the appropriate security policies and ensure that the vendor only ever had access to whatever they needed. 


Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!