02-22-2019 01:02 AM
Hallo,
I am new in PA matter, coming from Fortinet / Cisco (regarding to Firewall / UTM matter) and like to know if it is possible to have different geo location ip blocking restrictions / rules for the same service.
e.g. Access with Global Protect VPN
- Usergroup A: Only access with GP from Germany
- Usergroup B: Access with GP from whole Europe
Thanks all for reading and thinking about it
Best regards,
Markus
02-22-2019 02:54 AM
@MarkusMix if you take a look at this link then yes it should be doable from V8.
i did have a play but was adding my own regions, seemed pointless in the end as all our UK wifi is natted to the same IP...
anyhows... take a look here...
03-04-2019 11:01 PM
@Mick_Ball I´ll test that but this is only for gp.
I guess for special web addresses, which we do host in DMZ, this is not possible, right?
03-05-2019 12:46 AM
for a web hosted in your DMZ, yes this is possible without GP.
create a security policy and add the region to the source address. you can also mix this with user groups, zones, applications etc...
03-05-2019 12:48 AM
User-ID on outside interface?
03-05-2019 09:06 AM
@MarkusMix wrote:User-ID on outside interface?
Is a very risky and dangerous idea. There have been vulnerabilties in the past about exploiting the user-id process (I think in ver 6 code) and the main factor was an admin had to enable user ID process on an externally facing zone.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
