Restricting VPN access to internal services on per-user basis


Restricting VPN access to internal services on per-user basis

L4 Transporter

Folks.

I have a normal GlobalProtect portal for internal staff which works fine.

I now have been asked to provide access for a support organisation which is not staff - not employed by our company - but which needs access to certain devices inside our network.

Does anyone know if there is any way I can restrict what they access via GlobalProtect? Would a security policy rule on source user work, or is there some other way?

Thanks.

Accepted Solution

Source zone would be the zone which you assigned to the tunnel interface for GP users. You can also check logs and see which zone is assigned to GP users.

7 REPLIES

L6 Presenter

You can use GP users or groups in FW policy. 

Cyber Elite

The security policy with a specified source user would work perfectly fine, just make sure that you have the source zone set up correctly, then set up the rule to only allow access to the machines and the ports that they would need access to.

L4 Transporter

Hi,

In addition to specifying users or groups in your security rules, you could configure different IP address pools for different types of users (if you have PanOS 7.0+). This way, your staff can configure their servers or other equipment to allow VPN connections coming from the staff pool, and not from the support organisation address pool.

Benjamin


@BPry wrote:

The security policy with a specified source user would work perfectly fine, just make sure that you have the source zone set up correctly, then set up the rule to only allow access to the machines and the ports that they would need access to.



hi.

OK, so the source zone would be the zone the VPN terminates on (outside zone), or the one it spits out into?

I'm figuring the former, but I could be shooting in the dark.

thanks


@baudy wrote:

Hi,

In addition to specifying users or groups in your security rules, you could configure different IP address pools for different types of users (if you have PanOS 7.0+). This way, your staff can configure their servers or other equipment to allow VPN connections coming from the staff pool, and not from the support organisation address pool.

Benjamin



hi.

Haven't upgraded to PanOS 7 yet, so this one's not going to work.

Thanks for suggesting, though.

Source zone would be the zone which you assigned to the tunnel interface for GP users. You can also check logs and see which zone is assigned to GP users.


@santonic wrote:

Source zone would be the zone which you assigned to the tunnel interface for GP users. You can also check logs and see which zone is assigned to GP users.


Thanks - looks like I'm out of luck - because the source zone and destination zone are the same. I might have to fiddle with moving the server into a different zone maybe.

No, scratch that - I'm an idiot.

I put in a rule to allow traffic to the given server - but forgot to put in one to deny everything else!
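The rulebase the thread converges on, as an added Python model of PAN-OS first-match policy evaluation (not code from the thread or from Palo Alto Networks): the zone name, host address, User-ID names and rule names are made-up assumptions. It shows why the allow rule alone leaves every other host in the same zone reachable through the intrazone-default rule, and how the explicit deny closes that without touching staff traffic.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample data (hypothetical): the zone bound to the GlobalProtect
# tunnel interface, the one host the support organisation may reach, and the
# User-ID names the firewall would see for the two kinds of users.
GP_ZONE = "vpn"
SUPPORT_HOST = "10.1.1.10/32"
SUPPORT_USER, STAFF_USER = "support-org", "staff"

@dataclass
class Rule:
    name: str
    action: str                    # "allow" or "deny"
    from_zone: str = "any"
    to_zone: str = "any"
    src_user: str = "any"
    dst: str = "any"               # CIDR or "any"
    apps: frozenset = frozenset({"any"})
    intrazone: bool = False        # True only for the intrazone-default rule

    def matches(self, fz, tz, user, dst_ip, app):
        if self.intrazone and fz != tz:
            return False
        return (self.from_zone in ("any", fz) and self.to_zone in ("any", tz)
                and self.src_user in ("any", user)
                and (self.dst == "any" or ip_address(dst_ip) in ip_network(self.dst))
                and ("any" in self.apps or app in self.apps))

# PAN-OS walks the rulebase top-down and the first match wins. The two
# predefined default rules sit below every user rule: traffic that stays
# inside one zone is allowed, traffic between zones is denied.
DEFAULT_RULES = [Rule("intrazone-default", "allow", intrazone=True),
                 Rule("interzone-default", "deny")]

def evaluate(rules, fz, tz, user, dst_ip, app):
    # Returns (rule name, action) of the first rule matching the session.
    for r in list(rules) + DEFAULT_RULES:
        if r.matches(fz, tz, user, dst_ip, app):
            return r.name, r.action

# Support users may reach SUPPORT_HOST over ssh only. Source zone is the
# tunnel-interface zone; here the host sits in that same zone.
ALLOW_HOST = Rule("Support-Allow-Host", "allow", GP_ZONE, GP_ZONE,
                  src_user=SUPPORT_USER, dst=SUPPORT_HOST, apps=frozenset({"ssh"}))
# Without this rule everything else from support-org falls through to
# intrazone-default and is allowed, which is what the thread ran into.
DENY_REST = Rule("Support-Deny-Rest", "deny", GP_ZONE, "any", src_user=SUPPORT_USER)

FIRST_ATTEMPT = [ALLOW_HOST]              # allow only: other hosts still reachable
FIXED_RULEBASE = [ALLOW_HOST, DENY_REST]  # allow, then an explicit deny
```

On a real firewall the same check is the Traffic log's "Rule" column: a support session to an unintended host that logs against intrazone-default is the sign the deny rule is missing or ordered wrongly.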
