02-22-2017 12:30 AM
Good day,
Our PA-500 is currently on PANOS 7.0.5-h2. We want to configure GlobalProtect - Multiple Gateways using the same IP Address. Is this possible?
We tried to follow the instructions here: http://dsg0.com/t/palo-alto-networks-globalprotect-with-multiple-gateways-on-one-ip-address/122 but we are getting an error that the GlobalProtect client cannot connect to XX.XX.XX.XX:1111 or XX.XX.XX.XX:2222 or XX.XX.XX.XX:3333.
Any help would be great. Thanks!
BTG-charlie
02-22-2017 09:39 AM
Any reason why you are trying to follow that guide in particular? This was more of a 'hack' to get around the licensing requipments up until 7.0.0.
Really I think that at this point you should be looking to customize your network settings on the client configuration if you are doing this for security reasons. You can assign different users different IP pools and create security policies and access routes based on the username recieved from the portal. Therefore you could have Employees recieve 172.16.1.0 and Contractors at 172.16.2.0 and IT staff at 172.16.3.0 and just build out rules based on that, all while utilizing one gateway.
02-23-2017 03:36 PM
Or AD groups instead of IP ranges, but either will work.
02-23-2017 08:14 PM
Hi BPry and Otakar.Klier,
We aim to configure different Authentication Profiles option (LDAP & RADIUS) to the same set of users. We also aim to provide SplitTunnel config and FullTunnel config to the same set of users. The aim is to produce a total of 4 available Gateway choices to users as follows:
a. LDAP - SplitTunnel
b. LDAP - FullTunnel
c. RADIUS - SplitTunnel
d. RADIUS - FullTunnel
All of the 4 configuration above will apply to the same set of users and will only be available to One IP Address.
Is this possible?
02-27-2017 03:32 PM
BTG-charlie,
The creating of these profiles is possible all within the same Global Protect Portal and Global Protect Gateway. We are doing this.
Domain users - full tunnel, limited internal network access, HIP checks, OS based
Domain admins - full tunnel, all internal networks access, HIP checks, OS based
Domain vendors - split tunnel, specific internal network access, no HIP checks, OS based
Firewall user vendors - split tunnel, specific internal network access, no HIP checks, OS based
Mobile domain users - split tunnel, specific internal access, HIP checks, iOS based
(each of these groups is provided a separate 1918 space IP range for easier Security Policy management)
The only part that you stated that worries me is doing different connection types with the same users. We are basing this on OS type and user credentials (security groups, firewall groups, or specific users). You will not be able to have one user that can log in using the same computer/device and the same user credentials to different VPN groups/profiles on the same IP using one portal/gateway or multiple portals/gateways. A HIP check will also not help with this as it is a pass/fail criteria and does not allow you to move down to the next connection in the list.
If you go to Network -> Global Protect -> Portals -> GP_Profile -> Agent -> this is where you will create all the profiles I listed above.
The same is the case for Network -> Global Protect -> Gateways -> GP_Profile -> Agent -> Client Settings -> match the profiles created in the Portals.
Once both of those are created you will use Security Policies to control the access that the VPN clients get. Again we do this based on VPN IP, Domain Security Groups, Firewall Groups, Users, and HIP checks.
Hope that is helpful.
Brian
03-01-2017 09:33 PM
Hi BrianRa,
Are you using an HA-pair PA-500 firewall? What additional licenses did you procure to make this feature work?
Your worries actually detract from the actual concern of this forum posting query. I simply removed mentioning about usage of Windows security groups on the said 4 remote-access VPN connection profiles. This can be done at a later stage once the actual problem which is multiple gateway config on 1 IP Address has been resolved.
As of now, regardless of how many security groups I make, this is still not working. If you can share some config 'workarounds' that you have made to make this work, then that would be helpful.
03-02-2017 05:26 PM - edited 03-02-2017 05:28 PM
03-03-2017 06:11 AM
Correct me if I'm wrong but what you are essentially looking to do is create different 'connection profiles' like you would on the ASA? Unfortunately @BrianRa is correct, the proper way to accomplish this is to setup multiple different agent configurations, and unfortunately I don't believe that you're going to be able to use the agent configurations if you want all users to get the option to switch between them.
04-26-2022 11:18 AM
BrianRa,
Are you using different External Gateway Addresses (FQDN) for each of the Portal Agent profiles, or are they all using the same one? Just wondering if it would be necessary or even helpful in this scenario. We are looking at deploying a similar type of configuration that you have described.
thanks,
04-27-2022 12:11 PM
Hello,
With regards to split-tunnel. I recommend only Full tunnels. Its the only way to make sure the PAN is scanning all traffic to/from VPN clients and is a finding on pretty much all compliance models.
Regards,
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
