03-16-2023 04:38 AM - edited 03-16-2023 04:39 AM
Hello,
I have a question regarding GlobalProtect:
I have 1 virtual Palo Alto with GlobalProtect configured. I would like to configure 2 profiles, 1 for my staff, 2 for external people (like connection profiles on Cisco AnyConnect).
The difference between these 2 profiles is the following:
For my staff I would like to provide auto connection to our corporate VPN when staff are outside, plus some other features.
For external people I don't want such auto connection.
Is it possible, and if it is, how can I do it?
Thanks in advance.
03-16-2023 06:44 AM
Yes, it is possible, I did it. Please close the conversation.
03-18-2023 05:31 PM
Can you share how you did this?
03-18-2023 10:19 PM
There are a few different ways you can go about this depending on exactly what you want to do. Seeing as one of the requirements here in this example is changing connection methods, you would have to do that aspect of things with at least a different agent configuration within the GlobalProtect Portal configuration. This will allow you to modify the connection method and modify the uninstall option for these external users, in addition to connecting them to a different gateway if needed.
Likewise, some people who are only using an on-demand connection and don't have any traditional "internal" restrictions on their portal agent configuration might just create a different gateway for external users. This might drop these external users into a different zone or give them a set IP pool to utilize within the security rulebase.
In all, how you configure this is really up to you and what your actual requirements are for each group. I've seen some people utilize the same Portal and Gateway for internal and external users and rely solely on User-ID for limiting access to different resources. This isn't something that I would personally ever configure because it leaves open the chance that a simple misconfiguration allows these external users access to things they shouldn't have.
I personally like putting all external users into their own zone as an additional security measure. That way the chance that a misconfiguration gives them too much access to any particular system is diminished within the environment. It doesn't make it zero obviously, but it just adds that additional limiting criteria.
If you open a new post about exactly what you're looking to do, I'm sure you'll get plenty of suggestions on how you can accomplish what you're looking to do.
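The split described in this reply (separate portal agent config with a different connection method, separate gateway, zone and IP pool for external users) can be sanity-checked before committing. The script below is an added example, not code from the thread or from Palo Alto Networks; it audits a hand-constructed description of the two profiles, and the field names (connect_method, gateway, zone, ip_pool) are this example's own, not PAN-OS object names.

```python
from ipaddress import ip_network

# Constructed description of the two GlobalProtect profiles: one portal agent
# config plus one gateway client setting each. This is the "before" state,
# where the external profile was cloned from staff and only the pool was changed.
PROFILES_BEFORE = {
    "Staff": {"connect_method": "user-logon", "gateway": "GW-Staff",
              "zone": "vpn-staff", "ip_pool": "10.10.0.0/24"},
    "External": {"connect_method": "user-logon", "gateway": "GW-Staff",
                 "zone": "vpn-staff", "ip_pool": "10.10.0.128/25"},
}

# Same profiles after applying the advice in the reply above.
PROFILES_AFTER = {
    "Staff": {"connect_method": "user-logon", "gateway": "GW-Staff",
              "zone": "vpn-staff", "ip_pool": "10.10.0.0/24"},
    "External": {"connect_method": "on-demand", "gateway": "GW-External",
                 "zone": "vpn-external", "ip_pool": "10.10.1.0/24"},
}


def audit(profiles):
    """Return a list of findings; an empty list means the split is as intended."""
    findings = []
    staff, ext = profiles["Staff"], profiles["External"]
    # External users must not auto-connect; staff should.
    if ext["connect_method"] != "on-demand":
        findings.append("External connect method is %s, expected on-demand"
                        % ext["connect_method"])
    if staff["connect_method"] == "on-demand":
        findings.append("Staff connect method is on-demand, expected an auto-connect method")
    # A shared gateway or zone means one rulebase mistake widens external access.
    for field in ("gateway", "zone"):
        if ext[field] == staff[field]:
            findings.append("External and Staff share the same %s %r" % (field, ext[field]))
    # Overlapping pools can hand an external client a "staff" address.
    staff_pool, ext_pool = ip_network(staff["ip_pool"]), ip_network(ext["ip_pool"])
    if staff_pool.overlaps(ext_pool):
        findings.append("IP pools %s and %s overlap" % (staff_pool, ext_pool))
    return findings


if __name__ == "__main__":
    for name, profiles in (("before", PROFILES_BEFORE), ("after", PROFILES_AFTER)):
        print(name, audit(profiles) or "OK")
```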
03-19-2023 11:12 PM
Yes,
Network -> GlobalProtect -> Portals -> Agent -> added 2 separated entries (1 for staff, 2 for external)
Network -> GlobalProtect -> Gateways -> Agent -> Client Settings -> added 2 separated entries (1 for staff, 2 for external)