GlobalProtect Access-list

obalHello

He have several servers behind a Palo Alto Firewall. As they are managed by different admin groups we have access lists that filter the management acceso.

So:

- Unix_Admin_Network (10.1.1.0) -> has access ssh access to Unix Servers

- Windows_Admin_Network (10.2.2.0) -> Has Access RDP access to Windows Servers

- Networking_Admin_Group (10.3.3.0) -> Has HTTPS y SSH to routers, load balancers and switches management.

We are forced by Security Policy to implement a VPN with RSA Token authentication in order to allow the management access.

We have configured it, but as I have used IPSEC witch a common address Pool. How can I filter the access? Now all the groups have management access to al the servers as the connection is made with an IP Address of the same pool.

Would it be possible to use LDAP authorization checking which LDAP group each user belongs to?

If the VPN is configured without IPSEC and no Address Pool all the connections would me made with the user's orginal IP Address But How can you know if the connection is made with or without VPN connection established?

Thank you