GlobalProtect Access-list

cancel
Showing results for 
Search instead for 
Did you mean: 

GlobalProtect Access-list

L2 Linker

obalHello

He have several servers behind a Palo Alto Firewall. As they are managed by different admin groups we have access lists that filter the management acceso.

So:

- Unix_Admin_Network (10.1.1.0) -> has access ssh access to Unix Servers

- Windows_Admin_Network (10.2.2.0) -> Has Access RDP access to Windows Servers

- Networking_Admin_Group (10.3.3.0) -> Has HTTPS y SSH to routers, load balancers and switches management.

We are forced by Security Policy to implement a VPN with RSA Token authentication in order to allow the management access.

We have configured it, but as I have used IPSEC witch a common address Pool. How can I filter the access? Now all the groups have management access to al the servers as the connection is made with an IP Address of the same pool.

Would it be possible to use LDAP authorization checking which LDAP group each user belongs to?

If the VPN is configured without IPSEC and no Address Pool all the connections would me made with the user's orginal IP Address But How can you know if the connection is made with or without VPN connection established?

Thank you

0 REPLIES 0
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!