How to bound an ACL to GP VPN client

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

How to bound an ACL to GP VPN client

L3 Networker

Hello
i have a need to provide a contractor with VPN access to certain resource on internal network (let’s call them 10.20.1.0/24)

I have a working VPN GP/Portal and contractor can connect to VPN with no issue. But contractor is allowed to access all internal resources not just 10.20.1.0/24

I have setup a GP policy (allow access from VPN zone to internal zone, destination 10.20.1.0/24 only), put that policy above generic VPN (allow all) and when user logs in, this policy is not hitting; instead default policy (which will allow al AD users to login) is utilized.

We are using MFA for authentication, AD has user contractor created, all looks fine. For testing i created another GP portal with local authentication, put user into local group and he is able to conenct but still not prevented from accessing internal resources.

The question is - how can i bound a ACL into VPN access policy? I know in other vendors it was mater of assigning ACL to VPN profile that can get pushed down to the user when they connect to VPN.

Apprecaite valuable inputs.

1 accepted solution

Accepted Solutions

Cyber Elite
Cyber Elite

Usually companies have 2 AD groups.

VPN Users

VPN Users third party

 

Policy that permits traffic from Globalprotect zone to LAN has only VPN Users group attached.

VPN Users third party has no default access to lan (ok maybe towards domain controller to auth and resolve dns).

 

And then you add specific sec policies to every contractor who needsd access to your network.

 

In your case it might be temporary step to create top rule to allow from this user to access resource you need and second rule below it to block anything else from that user (don't forget to put his username to user field).

 

If you have 0.0.0.0/0 route towards your network then you probably want to allow contractor to access wan zone aswell not to cut his internet 🙂

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

View solution in original post

4 REPLIES 4

Cyber Elite
Cyber Elite

Usually companies have 2 AD groups.

VPN Users

VPN Users third party

 

Policy that permits traffic from Globalprotect zone to LAN has only VPN Users group attached.

VPN Users third party has no default access to lan (ok maybe towards domain controller to auth and resolve dns).

 

And then you add specific sec policies to every contractor who needsd access to your network.

 

In your case it might be temporary step to create top rule to allow from this user to access resource you need and second rule below it to block anything else from that user (don't forget to put his username to user field).

 

If you have 0.0.0.0/0 route towards your network then you probably want to allow contractor to access wan zone aswell not to cut his internet 🙂

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

VPN.jpgI do have a vpn access rule, kind of a generic, that covers all users (COMMON-SSL-VPN). Unfortunatelly contractor can login and can access all internal resources and rule actually does not hit... I even tried the rule using locally cretaed user (changed authentication accordingly) with the same results - contractor can access all resources. 

Those destinations that you covered with black box.

Are they address objects?

They have 0 at the end so I assume they have some subnetmask also set?

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Well, it is kind of hard to grasp to the logic that i need to create a deny rule to everything else in order to limit access to certain resources, as a separate policy. Anyhow, thanks for your suggestion, i managed to get it going by following your suggestion, moving two VPN policies (allow, deny) above a common policy, and applying it to contractor's AD username. 

 

Thanks

 

  • 1 accepted solution
  • 3171 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!