DOTW: GlobalProtect and Static IP

Showing results for 
Show  only  | Search instead for 
Did you mean: 
L7 Applicator

DOTW-GP and Static IP.png

Hello everyone,

In this week's "Discussion of the Week," I will be covering a question that I see pop up in the LIVEcommunity all the time, and that is how to configure GlobalProtect with Static IP addresses. 

I apologize if it's a little confusing to cover a topic that hasn't been seen this week, but more importantly, this topic is one that I see come up all the time, and I want to take some time to help address and provide resources to help community members get this working properly.


So, this has been an ongoing topic for years.

I'll give you a couple of examples of people asking about it on the discussion areas:

Static IP for GP User

Global protect static IP

How to get the same ip address for global protect client


How to configure?

Now, there can be a couple of ways to accomplish this... and I will try to provide you links to this documentation to help lead you in the right direction to do so.


The big problem when it comes to Static IP addresses and GlobalProtect is to ensure that you get the same IP (Static IP) every time that you connect. And up until recently, a real dedicated IP address was not supported, but an IP Pool was.


Inside of the following KB article, you can find a way to configure a workaround to setup the IP Pool range:

How to Configure a GlobalProtect Client to Get the Same IP Address


But now (recently) this is something you're able to accomplish. But in order to achieve this, you need to have an LDAP (Active Directory) setup.

All of the details on how to configure it are in this KB entry:

How to Assign a Fixed IP address to GlobalProtect Users with Active Directory (LDAP) Authentication ...

This article details exactly what is needed (including Active Directory (LDAP)) and how to configure both sides to accomplish this.



Of course, another way to accomplish this would be to use User-ID inside of your firewall configuration. Therefore, it doesn't matter what IP address the client has or where they are coming from. As long as you can discover who that user is, then there's really no need for a static IP address. 

For more information about User-ID and how to configure it, please see the following articles that we have:

Getting Started: User-ID

And we also have a Best Practice Assessment Video here:

Best Practice Assessment User ID - Connection Security



Thanks for taking time to read my blog, I hope this helps.
If you enjoyed this, please hit the Like (thumbs up) button, don't forget to subscribe to the LIVEcommunity Blog area.


As always, we welcome all comments and feedback in the comments section below.


Stay Secure,
Joe Delio
End of line

  • 325 Subscriptions
Register or Sign-in