This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

GlobalProtect - Multiple Client Settings

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

GlobalProtect - Multiple Client Settings

PT1559
L0 Member

‎01-10-2024 09:23 PM

Following a change to move from LDAP (Local Domain Controllers) to Azure SAML with MFA enabled we are experiencing an issue with the use of multiple Client Settings Configs on a single Gateway.

 

We use the users section to identify a subset of users that only require RFC1918 IP ranges to traverse the VPN and all remaining users will hit the secondary config for all traffic to traverse the VPN.

 

Previously we would identify the users on the first config with the the following format - DOMAIN\USER.NAME

However since the change I believe users will be identified by the email address format - USER.NAME@DOMAIN.COM

 

I have changed this section to specify the email address format, however this is still not working and all users are hitting the secondary Config instead.

 

I have restarted the Management Server and rebooted the device.

 

I have also deleted the old LDAP configuration.

 

Please advise if you have run into this issue before and if you were able to find a resolution.

 

Thank you

0 Likes Likes
2 REPLIES 2

Claw4609
L4 Transporter

‎01-11-2024 06:11 AM

Are you matching individual users or are you matching groups in your config? If you look in your firewall logs what is the user-id information coming across as? With Azure SAML would recommend setting up Palos Cloud Identity Engine 

 

Cloud Identity Engine (paloaltonetworks.com)

Configure the Cloud Identity Engine as a Mapping Source on the Firewall (paloaltonetworks.com)

0 Likes Likes

PT1559
L0 Member
In response to Claw4609

‎01-11-2024 03:29 PM - edited ‎01-11-2024 03:30 PM

Hi,

 

This is done by individual username.

In the GlobalProtect logs the authentication is logged with the email address, however when the email address is specified on the configuration, this is still ignored and the secondary "ANY" configuration is used.

 

In Traffic logs, any traffic passing through the firewall via GlobalProtect the User-id showing in logs would be domain\user.name.

 

Thank you.

0 Likes Likes
  • 394 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks