06-22-2021 01:44 AM
I'm wondering if anyone can help. We have GlobalProtect set up and I want to use the same IP pool for pre-logon users, and once authenticated have that same IP pool used for the user. So when I am setting this up in the client settings area of the GlobalProtect gateway area, I would like to add a pre-logon profile with a pool, then add the users profile with the same IP pool. Attached is a screenshot of the configuration area.
06-22-2021 02:06 AM - edited 06-23-2021 08:01 AM
...
06-22-2021 10:23 AM
Hello there.
I have tried this before, and the OS will not allow it. What I typically do is take a /24 and break it into a /25.
This way half of your prelogin will get a subnet that is still routable, so when they actually log onto the computer (user login) they are getting a different IP from the 2nd subnet... but from a routing table perspective, you can just add a /24 to your routing table to route the traffic to your FW (default gateway).
06-22-2021 12:25 PM
Hi @markdaniel, sorry to ask as I may have misread the post, but if you require the same pool then why create a separate profile for pre-logon users...?
06-23-2021 12:54 AM
We have multiple user profiles in the client settings for different customers; not all of them use pre-logon. We have one set of customers that use pre-logon, so we have a pre-logon profile and a users profile in the client settings. They both have different IP pools. My question is, can we somehow have the IP pools the same for the 2 client profiles or not?
06-23-2021 06:19 AM
The answer is no.
Thank you.
06-23-2021 07:47 AM
OK thanks, I'm happy to accept. Can you point me at any documentation to say that isn't supported? Or is it supported in version 10?
06-23-2021 07:56 AM - edited 06-23-2021 07:58 AM
I can show via 2 screenshots.
Here, I just cloned my gateway config to simulate wanting to have the same subnet used by 2 profiles.
When I commit, the validation fails and you cannot commit.
As I mentioned, I have experienced this first hand. My recommendation is that you define (2) /25 subnets, one for prelogin and one for your remaining users.
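An offline pre-commit check for the situation described above, as an added example that is not part of the thread and is not PAN-OS code: it flags client-settings configs whose pools overlap, splits a shared /24 into the two /25 halves recommended here, and confirms a single /24 route still covers both. Config names and addresses are constructed, and pools are assumed to be written in CIDR form.

```python
import ipaddress
from itertools import combinations

def find_pool_overlaps(configs):
    """Return (cfg_a, cfg_b, pool_a, pool_b) for pools shared between different configs."""
    nets = [(name, ipaddress.ip_network(p))
            for name, pools in configs.items() for p in pools]
    return [(na, nb, str(a), str(b))
            for (na, a), (nb, b) in combinations(nets, 2)
            if na != nb and a.overlaps(b)]

def split_for_prelogon(supernet):
    """Split a supernet into two equal halves: (pre-logon pool, user pool)."""
    pre, user = ipaddress.ip_network(supernet).subnets(prefixlen_diff=1)
    return str(pre), str(user)

def plan(configs, prelogon_cfg, user_cfg):
    """Replace a pool shared by the two named configs with its two halves."""
    fixed = {name: list(pools) for name, pools in configs.items()}
    for na, nb, pa, pb in find_pool_overlaps(configs):
        if {na, nb} == {prelogon_cfg, user_cfg} and pa == pb:
            pre, user = split_for_prelogon(pa)
            fixed[prelogon_cfg] = [pre if p == pa else p for p in fixed[prelogon_cfg]]
            fixed[user_cfg] = [user if p == pa else p for p in fixed[user_cfg]]
    return fixed

def summary_routes(pools):
    """Collapse pools into the fewest routes needed to point them at the firewall."""
    nets = [ipaddress.ip_network(p) for p in pools]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]

# Constructed sample: one customer with pre-logon, one without.
SAMPLE = {
    "custA-prelogon": ["10.20.30.0/24"],
    "custA-users": ["10.20.30.0/24"],
    "custB-users": ["10.20.40.0/24"],
}

if __name__ == "__main__":
    print("overlaps before:", find_pool_overlaps(SAMPLE))
    fixed = plan(SAMPLE, "custA-prelogon", "custA-users")
    print("planned pools:  ", fixed)
    print("overlaps after: ", find_pool_overlaps(fixed))
    both = fixed["custA-prelogon"] + fixed["custA-users"]
    print("route to add:   ", summary_routes(both))
```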
06-23-2021 08:03 AM
Oh I see.... but what would happen if you did not put IP pools in each of the gateway\client\configs and put one big pool in the gateway\agent\client ip pool? Would each user get their own profile (for whatever reason) and all share the same pool...?
06-23-2021 04:08 PM
With the proposal of @Mick_Ball it definitely is possible to have the same IP pool for different client settings. But as @markdaniel wrote, there are also different customers on that same gateway, so I don't know if it is OK if all these users from different customers are in the same IP pool. Another possibility would be to add multiple GlobalProtect gateways - one for each customer, or one for clients without pre-logon and one for pre-logon users. This way everything can be separated even better. The portal could still be the same for the different customers.
06-24-2021 04:06 AM
Thanks for your response but we only have the 1 VM-Series Firewall.
06-24-2021 08:11 AM
@markdaniel Even on one firewall you can have more than one GlobalProtect gateway configuration.