How to control global protect resources access by username

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

How to control global protect resources access by username

L2 Linker

Hi

 

I want to control access to resources "for users connecting through global protect" by username level.

How to do this?

And which is better assign the tunnel interface to a new zone or to the trust-zone?

 

Thanks

2 accepted solutions

Accepted Solutions

It will be checked in sequence. And the profiles will be checked in order you configured it until the user is found. 

So in your case, local wil also checked if LDAP is available but the user wasn't in your AD

View solution in original post

I can see that vsys_remo has answered if full but alreay typed my answer so will post.

 

Yes you can use Authentication Sequence for multiple auths at the same time.

It was introduced to get around the issue of different auth options for the same portal/gateway.

 

unfortunately it doesn't include certificate auth (happy to be corrected)

 

 

if your sequence is as follows

 

1. LDAP

2. Local

 

it will try 1.LDAP first. if 1.LDAP returns unreachable, unknown user, bad username or password or anything else that is not accepted it will then try 2.Local.

 

you will need to create "Authentication Profiles" for all of your authentication options and then add them in your preferred order to "Authentication Sequence".

 

 

View solution in original post

10 REPLIES 10

L6 Presenter

I think the best way to have a new zone for teh GP tunnel interface and for the user access control you need user-id enabled with AD integration.

 

Agentless (buildin):

 

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-Agentless-User-ID/ta-p/...

 

Agent software installation:

 

https://www.youtube.com/watch?v=pqNCSNJicKU

Hi @myasin

 

There is no 'right' configuration in your situation. It depends on some more details:

  • Is the c2s vpn for internal or external employees?
  • Will the users use their private computers or corpotate ones?
  • If company computers will be used: are these devices completely under your  or your companys control (updates, antivirus, group policies - if AD integrated, ...)?
  • How much do you trust these devices which connect by vpn?
  • Do you have internet access for internal clients on the same firewall?
  • What do you use for vpn login: AD users or local firewallusers or may be users stored on a radius server?
  • Do you intend to use full or split tunneling?

In most cases it is the best way to use a separate zone for the tunnel interface...

User-ID also works with local firewallusers. You can simply enter the usernames into the security policy to restrict access to specific users and/or groups. But if you use AD users there are some more steps needed to get there (-->links posted by @TranceforLife).

 

Regards,

Remo

Hi

 

-------------------------------------------------------

  • Is the c2s vpn for internal or external employees? (for external employees connecting from home)
  • Will the users use their private computers or corpotate ones? (both)
  • If company computers will be used: are these devices completely under your  or your companys control (updates, antivirus, group policies - if AD integrated, ...)? (corporate devices under full control)
  • How much do you trust these devices which connect by vpn?
  • Do you have internet access for internal clients on the same firewall? (yes same firewall)
  • What do you use for vpn login: AD users or local firewallusers or may be users stored on a radius server? (both)
  • Do you intend to use full or split tunneling? (split)

----------------------------------------------------------

 

So if I want to use the local user database, then all what I need is to enable user identification under the zone assigned for the tunnel interface, and then reference the users in the policies from untrust to the new zone, right?

 

But what will be the case for the AD users scenario?

 

And can I use both local and AD users simultanously for the VPN authentication?

 

Thanks

Hi

 

-------------------------------------------------------

  • Is the c2s vpn for internal or external employees? (for external employees connecting from home)
  • Will the users use their private computers or corpotate ones? (both)
  • If company computers will be used: are these devices completely under your  or your companys control (updates, antivirus, group policies - if AD integrated, ...)? (corporate devices under full control)
  • How much do you trust these devices which connect by vpn?
  • Do you have internet access for internal clients on the same firewall? (yes same firewall)
  • What do you use for vpn login: AD users or local firewallusers or may be users stored on a radius server? (both)
  • Do you intend to use full or split tunneling? (split)

----------------------------------------------------------

 

So if I want to use the local user database, then all what I need is to enable user identification under the zone assigned for the tunnel interface, and then reference the users in the policies from untrust to the new zone, right?

 

But what will be the case for the AD users scenario?

 

And can I use both local and AD users simultanously for the VPN authentication?

 

Thanks

can i just ask,,, What form of authentication are they using,,,

Its still under setup.

Will use local and AD auth for global protect connecting users.

So if I want to use the local user database, then all what I need is to enable user identification under the zone assigned for the tunnel interface, and then reference the users in the policies from untrust to the new zone, right?

 

-----Correct

 

 

But what will be the case for the AD users scenario?

 

 

-----/Device/user Identification/Group Mapping Settings.

you will need an LDAP profile to connect to AD. In the settings you can select particular groups and then add these (or individual users in the groups) to the policies.

 

And can I use both local and AD users simultanously for the VPN authentication?

 

------ I prefer individual Portals/Gateways for different auths but if this is not practicle then you can use.......

/Device/Authentication Sequence.

 

it will try  all auth requests from top to bottom until it finds a match.

For the authentication sequence, can we authenticate over both local and LDAP simultanously, or will be checked in sequence "like Local Checked only if LDAP wasnt reachable"?

 

It will be checked in sequence. And the profiles will be checked in order you configured it until the user is found. 

So in your case, local wil also checked if LDAP is available but the user wasn't in your AD

I can see that vsys_remo has answered if full but alreay typed my answer so will post.

 

Yes you can use Authentication Sequence for multiple auths at the same time.

It was introduced to get around the issue of different auth options for the same portal/gateway.

 

unfortunately it doesn't include certificate auth (happy to be corrected)

 

 

if your sequence is as follows

 

1. LDAP

2. Local

 

it will try 1.LDAP first. if 1.LDAP returns unreachable, unknown user, bad username or password or anything else that is not accepted it will then try 2.Local.

 

you will need to create "Authentication Profiles" for all of your authentication options and then add them in your preferred order to "Authentication Sequence".

 

 

  • 2 accepted solutions
  • 4496 Views
  • 10 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!