Global Protect pre-logon and user IP Pools


L1 Bithead

I'm wondering if anyone can help. We have Global Protect set up and I want to use the same IP pool for pre-logon users, and once authenticated have that same IP pool used for the user. So when I am setting this up in the client settings area of the Global Protect gateway area, I would like to add a pre-logon profile with a pool, then add the users profile with the same IP pool. Attached is a screenshot of the configuration area.

Accepted Solutions

I can show via 2 screenshots.

Here, I just cloned my gateway config, to simulate wanting to have the same subnet used by 2 profiles.

[screenshot: SteveCantwell_1-1624460012393.png]

When I commit, the validation fails and you cannot commit.

[screenshot: SteveCantwell_0-1624460002989.png]

As I mentioned, I have experienced this first-hand. My recommendation is that you define (2) /25 subnets, one for pre-login and one for your remaining users.

Help the community: Like helpful comments and mark solutions


L1 Bithead

...

Cyber Elite

Hello there.

I have tried this before, and the OS will not allow it. What I typically do is take a /24 and break it into a /25.

This way half of your pre-login will get a subnet that is still routable, so when they actually log onto the computer (user login) they are getting a different IP from the 2nd subnet... but from a routing table perspective, you can just add a /24 to your routing table to route the traffic to your FW (default gateway).

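A worked check of the layout recommended in this reply and in the accepted solution (one /24 carved into two /25 pools, one per client-settings profile, with a single /24 route back to the firewall). This is an added example, not code from the thread or from Palo Alto Networks; the profile names and the 10.20.30.0/24 range are assumptions.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample: one GlobalProtect gateway with two client-settings
# profiles (pre-logon and authenticated users), as discussed in the thread.
# The names and the 10.20.30.0/24 range are assumptions, not the poster's config.
GATEWAY_POOL = "10.20.30.0/24"


def split_pool(pool: str, new_prefix: int = 25) -> List[str]:
    """Carve the gateway-wide pool into equal, non-overlapping per-profile pools."""
    net = ipaddress.ip_network(pool, strict=True)
    return [str(s) for s in net.subnets(new_prefix=new_prefix)]


def overlapping_pools(profiles: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return every pair of profiles whose pools overlap.

    A non-empty result is the condition the thread describes: two
    client-settings profiles sharing address space fails commit validation.
    """
    names = list(profiles)
    clashes = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ipaddress.ip_network(profiles[a]).overlaps(ipaddress.ip_network(profiles[b])):
                clashes.append((a, b))
    return clashes


def summary_route_covers(summary: str, profiles: Dict[str, str]) -> bool:
    """True when one aggregate route (here the original /24) reaches every pool."""
    agg = ipaddress.ip_network(summary)
    return all(ipaddress.ip_network(p).subnet_of(agg) for p in profiles.values())


def plan_profiles(pool: str) -> Dict[str, str]:
    """Recommended layout: first half for pre-logon, second half for users."""
    pre_logon, users = split_pool(pool)
    return {"pre-logon": pre_logon, "users": users}


if __name__ == "__main__":
    rejected = {"pre-logon": GATEWAY_POOL, "users": GATEWAY_POOL}
    print("same pool in both profiles ->", overlapping_pools(rejected))
    plan = plan_profiles(GATEWAY_POOL)
    print("split plan ->", plan, "overlaps:", overlapping_pools(plan))
    print("one /24 route covers both:", summary_route_covers(GATEWAY_POOL, plan))
```

Run it before committing a gateway change: an empty overlap list plus a covering summary route is the state the accepted answer describes.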

L7 Applicator

Hi @markdaniel, sorry to ask, as I may have misread the post, but if you require the same pool then why create a separate profile for pre-logon users...?

We have multiple user profiles in the client settings for different customers; not all of them use pre-logon. We have one set of customers that use pre-logon, so we have a pre-logon profile and a users profile in the client settings. They both have different IP pools. My question is, can we somehow have the IP pools the same for the 2 client profiles or not?

The answer is no.

Thank you.


OK thanks, I'm happy to accept. Can you point me at any documentation to say that isn't supported? Or is it supported in version 10?


Oh I see... but what would happen if you did not put IP pools in each of the gateway\client\configs and put one big pool in the gateway\agent\client IP pool? Would each user get their own profile (for whatever reason) and all share the same pool...?

With the proposal of @Mick_Ball it definitely is possible to have the same IP pool for different client settings. But as @markdaniel wrote, there are also different customers on that same gateway, so I don't know if it is OK if all these users from different customers are in the same IP pool. Another possibility would be to add multiple Global Protect gateways: one for each customer, or one for clients without pre-logon and one for pre-logon users. This way everything can be separated even better. The portal could still be the same for the different customers.

Thanks for your response but we only have the 1 VM-Series Firewall.

@markdaniel Even on one firewall you can have more than one Global Protect gateway configuration.
