GlobalProtect Multiple Profile

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

GlobalProtect Multiple Profile

L2 Linker

Hello,

I Have question regarding GlobalProtect:

I have 1 virtual PaloAlto with configured GlobalProtect. I would like to configure 2 profile, 1 for my Staff, 2 for external peoples (Like connection profile on cisco anyconnect). 

difference between these 2 profiles are next:

For my staff I would like to provide auto connection to our corporate VPN when staff will be outside also some another features.

For external peoples I won't such auto connection. 

 

Is it possible and if it is, how I can do?

 

Thanks in advance.

1 accepted solution

Accepted Solutions

L2 Linker

Yes It is possible, I did it. Please close the conversation. 

View solution in original post

6 REPLIES 6

L2 Linker

Yes It is possible, I did it. Please close the conversation. 

Can you share how you did this

can you share how you did this

Cyber Elite
Cyber Elite

@RickV2023,

There's a few different ways you can go about this depending on exactly what you want to do. Seeing as one of the requirements here in this example is changing connection methods, you would have to do that aspect of things with at least a different agent configuration within the GlobalProtect Portal configuration. This will allow you to modify the connection method and modify the uninstall option for these external users, in addition to connecting them to a different gateway if needed.

Likewise some people if they're only using an on-demand connection and don't have any traditional "internal" restrictions on their portal agent configuration might just create a different gateway for external users. This might drop these external users into a different zone or give them a set IP pool to utilize within the security rulebase.

 

In all how you configure this is really up to you and what you're actual requirements are for each group. I've seen some people utilize the same Portal and Gateway for internal and external users and rely solely on User-ID for limiting access to different resources. This isn't something that I would personally ever configure because it leaves open the chance that a simple misconfiguration allows these external users access to things they shouldn't have.

I personally like putting all external users into their own zone as an additional security measure. That way the chance that a misconfiguration gives them too much access to any particular system is diminished within the environment. It doesn't make it zero obviously, but it just adds that additional limiting criteria. 

 

If you open a new post about exactly what you're looking to do, I'm sure you'll get plenty of suggestions on how you can accomplish what you're looking to do. 

Yes,

Network -> GlobalProtect -> Portals -> Agent -> added 2 separated entries (1 for staff, 2 for external)

Network -> GlobalProtect ->  Gateways -> Agent -> Client Settings -> added 2 separated entries (1 for staff, 2 for external)

Yes,

Network -> GlobalProtect -> Portals -> Agent -> added 2 separated entries (1 for staff, 2 for external)

Network -> GlobalProtect ->  Gateways -> Agent -> Client Settings -> added 2 separated entries (1 for staff, 2 for external

  • 1 accepted solution
  • 1868 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!