Setting Restricted Access to Certain GlobalProtect Users


Not applicable

All,

I am a PA beginner so bear with me. I am trying to restrict access to only a few servers for several of our GlobalProtect VPN users. I could put these users into groups, but how would I restrict access for each group? We have a PA-500 with OS version 5.0.6. Let me know if any other info is needed.

Any help would be appreciated!

Thanks,

Troy

4 replies

L3 Networker

Troy,

You would need to have separate gateways configured for the different groups in the GP Portal configuration, and then in the Gateway configuration, you would restrict access to the particular users of a group using the access routes.

Whatever networks you configure in the Access Route section of the Client Configuration (Gateway) are the only resources that the users in the particular group have access to.

This would be a split tunnel for your users where traffic to these configured networks/servers would route through the VPN tunnel, and the rest of their regular internet traffic would go out through their traditional default gateway.

Regards,

tasonibare

L4 Transporter

Hello troyflex,

The question is to find best way to restrict or control access to the users who are connecting through GP to internal resources.

1> So some users (User-set A) should have access to only a few servers and another set of users (User-set B) should have access to all. The GP tunnel should end in a VPN zone. If GP is configured directly into the Trust zone, we cannot use the flexibility of security rules.

In the security rules, add rule1 to give just User-set A access to the few servers. Users can be put in a local group, or just add those users' IPs in the security rule. Make rule2 for User-set B, where they have access to all. By doing so we are providing specific access to each group. Remember to always have the specific rule at the top and the more generic rule at the bottom when designing security rules.

2> If we have LDAP groups configured on the PAN, then we can create security rules just for selected users to access servers by giving the User-ID in the rules.

Hope this is clear!
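The zone-plus-security-rules approach described in the reply above, written out as PAN-OS CLI configuration-mode commands. This is an added example, not configuration posted in the thread; the zone name VPN, the tunnel interface tunnel.1, the address objects, the server IPs and the two LDAP group names are all assumptions, and the exact keywords should be checked against the configuration guide for the PAN-OS release in use (the thread is on 5.0.6). It assumes tunnel.1 is already attached to the virtual router and set as the GlobalProtect gateway's tunnel interface.

```panos
# Added example (not from the thread): PAN-OS configuration-mode "set" syntax.
# Zone, interface, address and group names below are assumptions.

# 1. Terminate GlobalProtect in its own zone instead of Trust, with User-ID enabled
#    so the username learned at GP login can be matched as source-user in rules.
set network interface tunnel units tunnel.1
set zone VPN network layer3 tunnel.1
set zone VPN enable-user-identification yes

# 2. Address objects for the only servers User-set A may reach (IPs are made up).
set address srv-app1 ip-netmask 10.10.20.11/32
set address srv-files ip-netmask 10.10.20.12/32

# 3. Specific rule first: the restricted group reaches only those servers.
set rulebase security rules GP-SetA-Servers from VPN to Trust source any destination [ srv-app1 srv-files ] source-user [ "corp\gp-restricted" ] application any service application-default action allow

# 4. Broader rule: the full-access group reaches anything in Trust.
set rulebase security rules GP-SetB-All from VPN to Trust source any destination any source-user [ "corp\gp-full" ] application any service application-default action allow

# 5. Explicit catch-all deny at the bottom, logged, so a VPN user in neither group
#    (or a set A user aiming beyond the two servers) is dropped and visible in the logs.
set rulebase security rules GP-Deny-Rest from VPN to Trust source any destination any source-user any application any service any action deny log-end yes

# Keep the order specific -> generic -> deny; "move" repairs it if a rule landed out of order.
move rulebase security rules GP-SetA-Servers before GP-SetB-All
move rulebase security rules GP-Deny-Rest bottom
commit
```

Two practical notes. First, the Access Routes mentioned in the earlier reply only tell the GlobalProtect client which destinations to send down the tunnel; they are a routing setting on the endpoint, not enforcement, so the security rules in the VPN zone are what actually limits each group. Second, after committing, check `show user ip-user-mapping all` while a test user is connected to confirm the gateway is populating User-ID; if the mapping is missing, the `source-user` match will never hit and every VPN user falls through to the deny rule.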

Not applicable

Thanks for the replies! Phoenix, it looks like GP is part of our Trust zone. So what I would have to do is remove GP from the Trust zone and create a zone just for the GP VPN, and then I would be able to apply access rules to the user groups? Let me know if I have that right.

Tasonibare, we might not have enough gateways for all the different groups we are going to have. To be clear, when I configure another gateway, do I need to have another external IP address to set as that gateway? Let me know if I am correct in assuming this.

Thanks for the help, guys.

Troy

Hello Troyflex,

You are right, that is exact!
