Restricting VPN access to internal services on per-user basis

L4 Transporter

Restricting VPN access to internal services on per-user basis

Folks.

I have a normal GlobalProtect portal for internal staff which works fine.

I now have been asked to provide access for a support organisation which is not staff (not employed by our company) but which needs access to certain devices inside our network.

Does anyone know if there is any way I can restrict what they access via GlobalProtect? Would a security policy rule on source user work, or is there some other way?

Thanks.

L5 Sessionator

Re: Restricting VPN access to internal services on per-user basis

You can use GP users or groups in FW policy. 

L7 Applicator

Re: Restricting VPN access to internal services on per-user basis

The security policy with a specified source user would work perfectly fine; just make sure that you have the source zone set up correctly, then set up the rule to only allow access to the machines and the ports that they would need access to.

L4 Transporter

Re: Restricting VPN access to internal services on per-user basis

Hi,

In addition to specifying users or groups in your security rules, you could configure different IP address pools for different types of users (if you have PAN-OS 7.0+). This way, your staff can configure their servers or other equipment to accept VPN connections coming from the staff pool, and not from the support organisation address pool.

Benjamin

L4 Transporter

Re: Restricting VPN access to internal services on per-user basis

@BPry wrote:

The security policy with a specified source user would work perfectly fine; just make sure that you have the source zone set up correctly, then set up the rule to only allow access to the machines and the ports that they would need access to.

Hi.

OK, so the source zone would be the zone the VPN terminates on (outside zone), or the one it spits out into?

I'm figuring the former, but I could be shooting in the dark.

Thanks

L4 Transporter

Re: Restricting VPN access to internal services on per-user basis

@baudy wrote:

Hi,

In addition to specifying users or groups in your security rules, you could configure different IP address pools for different types of users (if you have PAN-OS 7.0+). This way, your staff can configure their servers or other equipment to accept VPN connections coming from the staff pool, and not from the support organisation address pool.

Benjamin

Hi.

Haven't upgraded to PAN-OS 7 yet, so this one's not going to work.

Thanks for suggesting, though.

L5 Sessionator

Re: Restricting VPN access to internal services on per-user basis

The source zone would be the zone which you assigned to the tunnel interface for GP users. You can also check the logs and see which zone is assigned to GP users.

L4 Transporter

Re: Restricting VPN access to internal services on per-user basis

@santonic wrote:

The source zone would be the zone which you assigned to the tunnel interface for GP users. You can also check the logs and see which zone is assigned to GP users.

Thanks. Looks like I'm out of luck, because the source zone and destination zone are the same. I might have to fiddle with moving the server into a different zone, maybe.

No, scratch that. I'm an idiot.

I put in a rule to allow traffic to the given server, but forgot to put in one to deny everything else!
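The two points the thread lands on (BPry's advice to scope the allow rule by source user, and the original poster's discovery that the allow rule did nothing on its own because the tunnel zone and the server zone are the same) can be reproduced with a small first-match model of a PAN-OS style rulebase. This is an added example, not code from the thread or from Palo Alto Networks. It assumes the documented predefined rules (intrazone-default allows, interzone-default denies), simplifies User-ID group matching to an exact string compare, and uses constructed zone, group and address names (gp-vpn, support-org, 10.10.5.20, 10.10.5.21).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    """One security rule; 'any' matches everything for that field."""
    name: str
    action: str                 # "allow" or "deny"
    from_zone: str = "any"
    to_zone: str = "any"
    source_user: str = "any"    # User-ID user or group; simplified to exact match (assumption)
    destination: str = "any"    # CIDR or "any"
    service: str = "any"        # e.g. "tcp/22"

    def matches(self, src_zone, dst_zone, user, dst_ip, service):
        return (
            self.from_zone in ("any", src_zone)
            and self.to_zone in ("any", dst_zone)
            and self.source_user in ("any", user)
            and (self.destination == "any"
                 or ip_address(dst_ip) in ip_network(self.destination))
            and self.service in ("any", service)
        )


def evaluate(rules, src_zone, dst_zone, user, dst_ip, service):
    """Top-down, first match wins. Unmatched traffic falls through to the
    predefined rules: same zone -> intrazone-default (allow),
    different zones -> interzone-default (deny)."""
    for rule in rules:
        if rule.matches(src_zone, dst_zone, user, dst_ip, service):
            return rule.name, rule.action
    if src_zone == dst_zone:
        return "intrazone-default", "allow"
    return "interzone-default", "deny"


def unterminated_user_allows(rules):
    """Lint: user-scoped allow rules with no later catch-all deny for the same
    user (or for everyone). Such a rule grants access but restricts nothing."""
    findings = []
    for i, rule in enumerate(rules):
        if rule.action != "allow" or rule.source_user == "any":
            continue
        covered = any(
            r.action == "deny"
            and r.source_user in ("any", rule.source_user)
            and r.destination == "any" and r.service == "any"
            for r in rules[i + 1:]
        )
        if not covered:
            findings.append(rule.name)
    return findings


# Constructed scenario mirroring the thread: tunnel zone == server zone.
VPN_ZONE = "gp-vpn"
SUPPORT = "support-org"      # the external support organisation's group
STAFF = "staff"
JUMPHOST = "10.10.5.20"      # the one server support may reach
OTHER_SERVER = "10.10.5.21"  # anything else in the same zone

ALLOW_SUPPORT = Rule("support-to-jumphost", "allow", VPN_ZONE, VPN_ZONE,
                     SUPPORT, JUMPHOST + "/32", "tcp/22")
DENY_SUPPORT_REST = Rule("support-deny-rest", "deny", VPN_ZONE, "any", SUPPORT)

ALLOW_ONLY = [ALLOW_SUPPORT]                       # the poster's first attempt
ALLOW_THEN_DENY = [ALLOW_SUPPORT, DENY_SUPPORT_REST]  # the fix


def support_reaches(rules, dst_ip, service="tcp/22", user=SUPPORT):
    return evaluate(rules, VPN_ZONE, VPN_ZONE, user, dst_ip, service)


if __name__ == "__main__":
    for label, rules in (("allow only", ALLOW_ONLY), ("allow + deny", ALLOW_THEN_DENY)):
        print(f"[{label}] support -> jumphost:   ", support_reaches(rules, JUMPHOST))
        print(f"[{label}] support -> other host: ", support_reaches(rules, OTHER_SERVER))
        print(f"[{label}] staff   -> other host: ", support_reaches(rules, OTHER_SERVER, "tcp/445", STAFF))
        print(f"[{label}] lint findings:", unterminated_user_allows(rules))
```

With the allow rule alone, support users reach the other host through intrazone-default; with the user-scoped deny placed after the allow they are cut off while staff traffic (which the deny does not match) still falls through to the default. The lint flags the first rulebase and not the second.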
