GlobalProtect - blocking single user account

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

GlobalProtect - blocking single user account

L2 Linker

We want to use an authentication profile that matches against a fairly generic LDAP AD group in the Allow list tab. Is there a way of creating exceptions to the allow list for blocking individual user accounts from using the service, should we need to at any stage?

2 accepted solutions

Accepted Solutions

Cyber Elite
Cyber Elite

Hello,

If I understand your inquiry correctly, yes you can block a single user. You would obviously need to have one of the user-id options available so scan for that users id. When it comes to the policies, make the more specific one higher prirority than the general one.

 

Example:

Security policy to block the single user

Security policy to allow everyone else

 

I hope this helps.

 

Cheers!

View solution in original post

Otakar.Klier is correct; as long as you have the deny entry further above your allow entry then it would work perfectly fine and any user-id identified in your deny list is denied. 

View solution in original post

5 REPLIES 5

Cyber Elite
Cyber Elite

Hello,

If I understand your inquiry correctly, yes you can block a single user. You would obviously need to have one of the user-id options available so scan for that users id. When it comes to the policies, make the more specific one higher prirority than the general one.

 

Example:

Security policy to block the single user

Security policy to allow everyone else

 

I hope this helps.

 

Cheers!

Otakar.Klier is correct; as long as you have the deny entry further above your allow entry then it would work perfectly fine and any user-id identified in your deny list is denied. 

Hi, yes I agree a security policy rule using the User-ID column can be used to block the traffic of a connected client, but the key here is that would only take effect after they've connected. What I was hoping to be able to achieve is to prevent a specific user authenticating in the first place, who is a member of the larger AD group referenced in the Allowed List.

 

As far as I can tell, the initating packets to set up the IPSec tunnel do not include a User-ID at this point, you only start seeing that column populated after the tunnel is established. 

Hello,

So you do not wish for them to connect to the VPN? Perhaps I am not understanding your question properly.

 

Please advise,

Okay, then you would need to take them out of your authentification profile under the object tab. Under your LDAP/Radius/Whatever server there is an allow list under the advanced options. It might be worth making a VPN-Allow AD group and putting anyone who needs VPN access under that group, this would keep anybody that is not in that specific AD group access to the VPN gateway.

To my understanding their is no way to do a 'not' statement under this option. 

  • 2 accepted solutions
  • 4626 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!