02-03-2022 11:26 AM
Hi all,
After enabling SAML authentication on the GlobalProtect VPN I can no longer assign VPN attributes to different users, such as the IP pool and include routes. Mapping users is out of the question since my organisation has 5000+ users.
I am in a situation where the only solution would be to configure one VPN per firewall, a scenario that I am trying to avoid.
I haven't been able to find documentation on how to configure multiple gateways behind the same public IP address. Is this even possible with PA? If so, how can it be done?
Considering that what I am asking for cannot be done, what would be the best design strategy in this case?
TIA
02-07-2022 04:55 AM
How come you can no longer assign different IP pools? This is probably due to a User-ID (UPN) mismatch with group mapping (sAMAccountName)?
If you try to fix this by changing the group mapping to accommodate the SAML username format, you should be able to assign multiple profiles in the same gateway.
If you are unable to fix it that way, you can still use port forwarding (PAT) to multiple loopback interfaces.
02-07-2022 05:58 AM
Please excuse my ignorance; according to PA, usernames are matched based on the user attributes that the firewall reads from the LDAP-compliant directory. Group mapping requires an LDAP server.
Thus I conclude this cannot be done with SAML.
PAT is what I am looking for as a solution; however, I haven't figured out how I can configure multiple gateways using PAT and loopback interfaces. It would be nice to have an example as a reference.
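The following PAN-OS set-command fragment is an added illustration of the PAT-to-loopback layout suggested in the reply above. It is not taken from the thread or from Palo Alto Networks documentation, and every address, interface name, zone name, port and rule name in it is an assumption chosen for the example. It shows one public IP on ethernet1/1 serving a first gateway directly on tcp/443, while a second gateway is bound to a loopback interface in the same zone and reached through destination NAT with port translation (203.0.113.10:8443 -> 10.255.255.2:443); further gateways repeat the pattern with loopback.3, 8444 and so on.

```text
# Added example of the PAT-to-loopback layout, not from the original thread.
# All addresses, zone/interface names, ports and rule names are assumptions.
#
# ethernet1/1 (zone "untrust") holds the single public IP 203.0.113.10.
# Gateway 1 listens directly on that address (tcp/443, no NAT needed).
# Gateway 2 is bound to loopback.2, also placed in "untrust", and is reached
# via destination NAT with port translation: 203.0.113.10:8443 -> 10.255.255.2:443

# 1. Loopback for the second gateway; same zone and virtual router as the public interface
set network interface loopback units loopback.2 ip 10.255.255.2/32
set zone untrust network layer3 loopback.2
set network virtual-router default interface loopback.2

# 2. Service object for the alternate external port
set service tcp-8443 protocol tcp port 8443

# 3. Destination NAT (PAT). "to" is untrust as well, because the loopback sits in the same zone
set rulebase nat rules GP-GW2-PAT from untrust to untrust source any destination 203.0.113.10 service tcp-8443
set rulebase nat rules GP-GW2-PAT destination-translation translated-address 10.255.255.2
set rulebase nat rules GP-GW2-PAT destination-translation translated-port 443

# 4. Security policy. PAN-OS evaluates security rules on the PRE-NAT destination
#    address and port but the POST-NAT zone, so match 203.0.113.10 and tcp/8443,
#    not the loopback address or port 443 ("application-default" for ssl would
#    expect 443 and drop the 8443 traffic).
set rulebase security rules Allow-GP-GW2 from untrust to untrust source any destination 203.0.113.10 service tcp-8443 application [ ssl panos-global-protect ] action allow

# 5. Bind the second GlobalProtect gateway to loopback.2 (Network > GlobalProtect >
#    Gateways: Interface = loopback.2, IPv4 = 10.255.255.2), give it its own tunnel
#    interface, IP pool and include routes. Repeat with loopback.3 / tcp-8444 for a
#    third gateway, and so on.
```

Two caveats before relying on this. First, the layout only helps if the GlobalProtect app can be pointed at the gateway on 203.0.113.10:8443 rather than the default 443; the thread does not establish that, so confirm it against your PAN-OS and GlobalProtect app versions before committing to the design. Second, the gateway's IPsec transport (UDP 4501) would need its own port mapping per gateway; without one the app falls back to the SSL tunnel for those gateways, which is slower. Commit the config and test from outside the firewall, checking the NAT and security rule hit counters to confirm the expected rules are matching.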