GlobalProtect SSL VPN User Access Filtering

cancel
Showing results for 
Search instead for 
Did you mean: 

GlobalProtect SSL VPN User Access Filtering

Not applicable

Hello,

I am fairly new to the Palo Alto firewalls so I figured I would pose a question to everyone while I continue my own research into the issue. Basically, in our test setup we have SSL VPN set up so that everyone in the office can authenticate via AD and access servers and resources through the tunnel. We want to be able to segregate this in some way so we can limit who has access to what. For instance, if you are a member of IT you can access these specific set of servers, but if you are in Sales you cannot reach them. I have already read into different methods, such as using multiple gateways and security policies. I also read this might be possible through AD security groups but the description was not clear. As such, I wanted to get other's opinion on this as well and see what other options I can consider.

Also, just another random question, but is it possible for the GlobalProtect client to store multiple Portal addresses in like a drop down list to authenticate to, or am I limited to just one?

Thank you in advance for responding to this post, and I look forward to hearing your thoughts.

1 ACCEPTED SOLUTION

Accepted Solutions

L7 Applicator

Hello Sir,

Q-1

I would suggest you to enable User-ID functionality on this PA in order to achieve the same. 2 steps are mentioned below.

Step-1.  Users should authentication from an LDAP server.

Step-2 Configure the AD with multiple groups. Each group should contain required users.

Once user will authenticate through GP, the security policy will be chosen accordingly ( as per the group mapping). Such as users belongs to Engineering Dept should access Resources-1 and Resources-2 and users belongs to HR should access Resources-3 and Resources-4.

For more information about User-Identification, please follow below mentioned documents.

User Identification Tech Note - PAN-OS 4.0

Q-2 As per my understanding, it  is not possible for the GlobalProtect client to store multiple Portal addresses in like a drop down.

Thanks

View solution in original post

2 REPLIES 2

L7 Applicator

Hello Sir,

Q-1

I would suggest you to enable User-ID functionality on this PA in order to achieve the same. 2 steps are mentioned below.

Step-1.  Users should authentication from an LDAP server.

Step-2 Configure the AD with multiple groups. Each group should contain required users.

Once user will authenticate through GP, the security policy will be chosen accordingly ( as per the group mapping). Such as users belongs to Engineering Dept should access Resources-1 and Resources-2 and users belongs to HR should access Resources-3 and Resources-4.

For more information about User-Identification, please follow below mentioned documents.

User Identification Tech Note - PAN-OS 4.0

Q-2 As per my understanding, it  is not possible for the GlobalProtect client to store multiple Portal addresses in like a drop down.

Thanks

View solution in original post

You can create an LDAP server profile referring to your AD set up

Pull the groups (under User Identification >> Group Mappings >> include List) that are of interest

Reference this LDAP server and the interesting groups in the Authentication Profile

Use the Authentication profile in the Global Protection Portal / Gateway configuration

Once the user has been authenticated and been recognized as part of a particular group, any security policies you create for traffic between the SSL VPN zone and the Trust zone can reference the appropriate user groups and as such allow certain user groups (e.g.IT) to certain destination addresses and not others - depending on how you create your security policy


As for the multiple authentications, you can authenticate to only one Portal but you can have multiple Gateways configured so your traffic can take different Gateways depending on the group they may belong to. This would have to be configured under the Global Protect >> Portal >> Client Config >> Gateways section


However the first authentication will have to be to that one Portal and once the user falls in a particular group. you can decide which Gateway they can use.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!