GlobalProtect access policies


L2 Linker

If I want different GlobalProtect VPN users to have access to different resources, do I need to create separate Gateways and have the GP license?

5 REPLIES

L6 Presenter

Hi Jeff,

If you need different users to access different resources then please create different separate gateways and this doesn't require a GP license.

Thanks,

Sandeep T

Okay, thanks. So when I create a separate Gateway, should I be able to select the same interface and IP address for it? I haven't been able to do that. It's not an available choice. I select the same interface but am not able to use the same IP address. Basically I want the same configuration but with a smaller group of hosts to which the traffic will tunnel for different groups of users. Is there any documentation that shows this kind of configuration? Thanks.

This is expected. You cannot have two gateways with the same IP address; you need two IPs. In your case I cannot think of anything with which you can give different access to different hosts with one gateway. You can do this with two gateways, but you are hitting the IP address problem with this option.

Okay, just so I'm clear about this.  I have one PAN firewall using one Untrust interface with an IP address.  The GlobalProtect VPN gateway configuration I have allows users to access an A.B.C.D/16 network on the Trust side of the firewall. 

But you're saying that there's no way to have another set of users use the GlobalProtect VPN to access a more limited set of hosts within that network, say A.B.C.D/24 or A.B.C.D/32.  Do I have that right?  Thanks again.

I missed the whole point of the users!! My bad. You can do it with source users.

Create a GlobalProtect gateway and allow an A.B.C.D/16 network for all users.

Now create security policies based on users and in security policies you can allow certain users to reach certain hosts.
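The approach in the last reply, sketched as PAN-OS configure-mode `set` commands. This is an added example, not part of the original thread: the zone names (`GP-VPN`, `Trust`), the group names, the rule names, and the 10.10.0.0/16 and 10.10.5.0/24 ranges (standing in for A.B.C.D/16 and A.B.C.D/24) are all constructed, and the lines starting with `#` are annotations, not commands.

```text
# Rules are evaluated top-down, first match wins, so the narrow rules go first.

# 1. The limited group may reach only the /24 behind the Trust zone.
set rulebase security rules GP-Limited-Allow from GP-VPN to Trust source any source-user "example\gp-limited" destination 10.10.5.0/24 application any service application-default action allow

# 2. The limited group is explicitly denied the rest of the /16.
#    This still holds if a user ends up in both groups by mistake.
set rulebase security rules GP-Limited-Deny from GP-VPN to Trust source any source-user "example\gp-limited" destination 10.10.0.0/16 application any service any action deny

# 3. The full-access group may reach the whole /16.
#    source-user names a group here; leaving it as "any" would let
#    every connected VPN user match this rule.
set rulebase security rules GP-Full-Allow from GP-VPN to Trust source any source-user "example\gp-full" destination 10.10.0.0/16 application any service application-default action allow
```

The gateway itself keeps a single IP address and a single access route for the /16; the per-group restriction lives entirely in the security rulebase.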
