GlobalProtect - Multiple Client Settings

L0 Member

Following a change to move from LDAP (Local Domain Controllers) to Azure SAML with MFA enabled, we are experiencing an issue with the use of multiple Client Settings configs on a single Gateway.

We use the Users section to identify a subset of users that only require RFC1918 IP ranges to traverse the VPN; all remaining users hit the secondary config, which sends all traffic over the VPN.

Previously we would identify the users on the first config with the following format: DOMAIN\USER.NAME

However, since the change I believe users will be identified by the email address format: USER.NAME@DOMAIN.COM

I have changed this section to specify the email address format; however, this is still not working and all users are hitting the secondary config instead.

I have restarted the Management Server and rebooted the device.

I have also deleted the old LDAP configuration.

Please advise if you have run into this issue before and if you were able to find a resolution.

Thank you

2 replies

L4 Transporter

Are you matching individual users or are you matching groups in your config? If you look in your firewall logs, what is the User-ID information coming across as? With Azure SAML I would recommend setting up Palo's Cloud Identity Engine.

Cloud Identity Engine (paloaltonetworks.com)

Configure the Cloud Identity Engine as a Mapping Source on the Firewall (paloaltonetworks.com)

Hi,

This is done by individual username.

In the GlobalProtect logs the authentication is logged with the email address; however, when the email address is specified in the configuration, it is still ignored and the secondary "ANY" configuration is used.

In the Traffic logs, for any traffic passing through the firewall via GlobalProtect, the User-ID shown in the logs is domain\user.name.

Thank you.
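The thread describes one identity showing up in two string formats (user.name@domain.com in the GlobalProtect authentication log, domain\user.name in the Traffic log) and a user list that only matches one of them. The following is an added illustration, not code from any poster and not how PAN-OS itself evaluates client settings: it models a first-match-wins list of client configs, extracts the user from two constructed log lines, and contrasts literal string matching with matching on a canonical (domain, user) form. The DOMAIN_MAP table, the log line layout and the config names are all constructed for the example.

```python
"""Constructed illustration: first-match-wins client configs evaluated against
a user identity that appears in two different formats.  This is NOT PAN-OS
logic; the matching rules below are assumptions used to show the mismatch."""

import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed mapping between a NetBIOS-style domain and its UPN suffix.
DOMAIN_MAP = {"DOMAIN": "domain.com"}
SUFFIX_MAP = {suffix: dom for dom, suffix in DOMAIN_MAP.items()}


def canonical_user(identity: str) -> Optional[tuple[str, str]]:
    """Reduce 'DOMAIN\\user.name' or 'user.name@domain.com' to a
    case-insensitive (NETBIOS_DOMAIN, user) tuple.  Returns None when the
    format is unrecognised or the domain is not in the mapping table."""
    ident = identity.strip()
    if "\\" in ident:
        dom, _, user = ident.partition("\\")
        dom = dom.upper()
        return (dom, user.lower()) if dom in DOMAIN_MAP else None
    if "@" in ident:
        user, _, suffix = ident.rpartition("@")
        dom = SUFFIX_MAP.get(suffix.lower())
        return (dom, user.lower()) if dom is not None else None
    return None


@dataclass
class ClientConfig:
    name: str
    users: list[str] = field(default_factory=list)  # empty list means "any"


def select_config_exact(identity: str, configs: list[ClientConfig]) -> Optional[str]:
    """Literal string comparison against each config's user list, first match wins."""
    for cfg in configs:
        if not cfg.users or identity in cfg.users:
            return cfg.name
    return None


def select_config_canonical(identity: str, configs: list[ClientConfig]) -> Optional[str]:
    """Same ordering, but both sides are reduced to the canonical tuple first."""
    ident = canonical_user(identity)
    for cfg in configs:
        if not cfg.users:
            return cfg.name
        if ident is not None and any(canonical_user(u) == ident for u in cfg.users):
            return cfg.name
    return None


# Constructed sample log lines in the two formats the thread describes.
SAMPLE_LOGS = [
    'type=globalprotect event=gateway-auth user="user.name@domain.com" status=success',
    'type=traffic src=10.1.2.3 dst=10.9.8.7 user="domain\\user.name" action=allow',
]

USER_RE = re.compile(r'user="([^"]+)"')


def extract_users(lines: list[str]) -> list[str]:
    """Pull the quoted user field out of each constructed log line."""
    found = []
    for line in lines:
        m = USER_RE.search(line)
        if m:
            found.append(m.group(1))
    return found


# Config 1 lists the split-tunnel user in email form; config 2 catches everyone.
CONFIGS = [
    ClientConfig("split-tunnel-rfc1918", users=["user.name@domain.com"]),
    ClientConfig("full-tunnel-any"),
]


def demo() -> dict[str, tuple[Optional[str], Optional[str]]]:
    """Map each identity seen in the logs to (exact match, canonical match)."""
    return {
        ident: (select_config_exact(ident, CONFIGS), select_config_canonical(ident, CONFIGS))
        for ident in extract_users(SAMPLE_LOGS)
    }


if __name__ == "__main__":
    for ident, (exact, canon) in demo().items():
        print(f"{ident:28} exact={exact:22} canonical={canon}")
```

Running it shows the email-form identity landing on the split-tunnel config under both strategies, while the domain\user.name identity falls through to the "any" config under literal matching and only reaches the intended config once both sides are normalised. The practical point for the thread is the one the first reply makes: check which format the firewall is actually using for the match, and keep the user list in that format or use a mapping source that supplies a consistent identity.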
