GlobalProtect assigning zone based on AD group membership?

Reply
Highlighted
Not applicable

GlobalProtect assigning zone based on AD group membership?

I'm fairly sure I can't do as the subject line, so I'll explain why I think I want it, and hope someone can suggest a better workaround.

We're a college campus with (roughly) 3 classes of users: students, general faculty and staff, and "special" staff. On the wired/wireless networks, we segregate users based on 802.1X and some pretense of physical security. This allows for fairly coarse-grained firewall policy based on zones. We do have rules on the wired/wireless networks that make use of User-ID, but they're rare. As many of you know, the User-ID/group mapping agents have not been terribly reliable.

Ideally, I think I would like a single self-service portal. We would only need to document and support the one. Neither the user nor the help desk would need to know or care which user goes where. Anyone could visit the same portal and get the same (?) GlobalProtect client. Group membership would be re-evaluated and zone assigned at each connection to the VPN gateway. Students would be dropped into an Untrust-Student zone, sysadmins into a Trusted-Staff zone, etc. There would be no need for a separate firewall zone, and no need for duplicate rulesets.

The best I can come up with right now is multiple portals and multiple gateways, with a (trivial) locally written page to request username, evaluate group membership, and redirect to the most appropriate portal. At the portal/gateway, an authentication profile would verify access. Then I could connect each gateway's tunnel to the appropriate zone, and not have to write any new firewall rules. But I would need to create and maintain N portals, N gateways, N authentication profiles, N loopback IP addresses and certificates, etc. Maybe 2N due to platform considerations with dual-factor authentication. (I own only the base license, not Gateway/Portal. It looks like Windows/MacOS would use the PAN GP client, which fully supports challenge/response callback to a DuoSecurity RADIUS server, which we like. The native iOS/Android IPSec clients can not work with DuoSecurity, so to get a second factor there, I would be using client certificates, which are actually easier to support on mobiles than on full PCs.)


Accepted Solutions
Highlighted
L3 Networker

Re: GlobalProtect assigning zone based on AD group membership?

Hi,

You can create multiple portal and gateway pairs without the license. But you cannot create one portal and multiple gateway without the license.

View solution in original post


All Replies
L3 Networker

Re: GlobalProtect assigning zone based on AD group membership?

Hi,

You can achieve this by having single gateway but depending the user he/she gets the gateway config for that particular security group.

You would have to burn 3 ip addresses based on the 3 groups that you have. ( you would need a gateway license for this ).

Network > Portal > Client Config, here would notice that configs can be configured based on groups.

Hope that helps.

Highlighted
Not applicable

Re: GlobalProtect assigning zone based on AD group membership?

In PANOS version 5.0 (which I should have mentioned), that's under Portal config not Gateway config. Would this still be a Gateway license?

It appears that I can create multiple portals and gateways with just the base license, and at least with native IPSec clients I can use them all.

Is there a handy chart in a tech note somewhere of what exactly the Portal and Gateway licenses do?

Highlighted
L5 Sessionator

Re: GlobalProtect assigning zone based on AD group membership?

Here is a doc which talks about the licenses:-https://live.paloaltonetworks.com/docs/DOC-4768

Highlighted
Not applicable

Re: GlobalProtect assigning zone based on AD group membership?

I'm confused. It seems I can define and use multiple portals and multiple gateways on 5.0.4 with only base licenses. Is this a bug that I should expect to see "fixed" at some later date?

Highlighted
L3 Networker

Re: GlobalProtect assigning zone based on AD group membership?

Hi,

You can create multiple portal and gateway pairs without the license. But you cannot create one portal and multiple gateway without the license.

View solution in original post

Highlighted
Not applicable

Re: GlobalProtect assigning zone based on AD group membership?

You can create multiple portal and gateway pairs without the license. But you cannot create one portal and multiple gateway without the license.

It depends what you mean by"multiple."

In 5.0.4, it appears that I can create a single portal, but multiple gateways, and use AD groups to assign clients to the correct gateway under Network > Portal > Client Config, all without a license.

What I cannot do without a portal license is define multiple gateways within a single client config, which large orgs need for geographic load-balancing or failover purposes. I am also missing the iOS/Android apps and HIP -- nice, but probably not worth $7500/year for us.

I also cannot assign zones dynamically for native IPSec clients. All I get is PAN GP client config. Still, this is pretty good; it covers all the likely self-service scenarios. Due to the complexity of IPSec/Certificate deployment on iOS and especially Android, mobile device VPN installs are probably going to be performed by trained help desk staff anyway.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!