How to prioritise users over Remote VPN (Global Protect)


L1 Bithead

I am wondering if you can advise me on a possible or best way to achieve the following. 

 

Current Situation

==============

 

We have remote VPN enabled on our Palo Alto firewall and we are using GlobalProtect for that. Currently everything seems to be working fine. A user comes online, is given an IP, and is then routed to our Data Center, where we have allowed communication from the VPN IP range, and users have access to the services they need.

 

Everyone is treated the same way.

 

Future Situation

=============

What we want is to prioritise certain users, i.e. an Operations user has access to more services than an HR user.

 

I have been thinking and looking into the possible solutions, and I think it can be achieved if I can map a user to an IP and then create a separate firewall rule which can sit above the general rule.

 

Would appreciate it if someone could point me in the right direction, please.

3 REPLIES 3

L4 Transporter

Hi,

 

If you are using GlobalProtect then you will have users mapped to IP addresses, as your users would need to authenticate to your firewall to connect to GlobalProtect. So the solution to your problem would just be to create security rules allowing some users more access to the network than others.

 

You can utilise group mapping to make the rules easier to administer. In your rules you set the criteria to be that the user has to belong to a certain AD group.

 

https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/user-id/map-users-to-groups

 

regards,

Ben

 

 

Hi Ben,

 

So that I understand it correctly: when you say users are mapped, are users always going to get the same IP?

 

 

Our setup is

 

VPN Firewall------------->Core Switch-------------->Data Center Router--------------->Data Center Internal Firewall

 

So the user connects to the VPN firewall and is given an IP, and that IP range (specific to the VPN) is allowed through our core switch and Data Center router, and I have a security policy on the Data Center's internal firewall for the IP range (specific to the VPN).

 

What I want to do is supersede a bunch of users (from different departments) to have more access than the rest.

 

I have enabled user identification on the VPN zone (where the users connect to). So whenever a user comes online it authenticates via the domain controller and is given an IP.

 

If the user is not going to get the same IP every time it comes online, I am not sure how a security policy with more access would help?

 

Regards

[attachments: VPN Zone.JPG, Domain.JPG]

Hi,

 

Users will get an IP address from the IP pool that you configure under your gateway network settings:

[screenshot: GlobalProtect gateway IP pool settings]

(of course you could configure it so that your clients get the same address each time)

 

The firewall will create a user-mapping table which is a table that shows which user is assigned to which IP address. When the firewall gives out an IP address during the GP connection, it will be mapped to the user that authenticated. So it doesn't matter if the clients have different addresses or not as the firewall will always know which user is on which address.

 

You then create a security policy so that the users in the operations group can access certain resources/networks/IPs, example below:

[screenshot: security policy rule matching on the operations group]

 

You can create a deny rule for the other users or let them hit the default deny interzone policy.

 

hope this helps,

Ben
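An added illustration of the point Ben makes above (example code, not from the thread or from Palo Alto Networks): the gateway hands out whatever pool address is free and records the user-to-IP mapping, so a rule written against a group keeps matching even when the same user gets a different address on the next connection. The pool, group names, subnets and rule names are constructed for the example.

```python
"""Simulate GlobalProtect user-ID mapping feeding a group-based rulebase."""
import ipaddress

# Constructed sample data: a small VPN pool, AD group membership, DC subnets.
VPN_POOL = list(ipaddress.ip_network("10.99.0.0/29").hosts())  # 6 addresses
AD_GROUPS = {"ops": {"alice"}, "hr": {"bob"}}
DC_CORE = ipaddress.ip_network("10.10.0.0/24")   # services everyone may reach
DC_OPS = ipaddress.ip_network("10.20.0.0/24")    # operations-only services

# Ordered rulebase: the group-specific rule sits above the general rule,
# exactly as the thread suggests. Anything unmatched hits interzone deny.
RULES = [
    {"name": "ops-to-dc-full", "group": "ops", "dst": [DC_CORE, DC_OPS], "action": "allow"},
    {"name": "vpn-to-dc-general", "group": None, "dst": [DC_CORE], "action": "allow"},
]


class Gateway:
    """Hands out pool addresses and maintains the firewall's user-mapping table."""

    def __init__(self):
        self.next_ip = 0
        self.user_map = {}  # ip -> username

    def connect(self, username):
        """Authenticated client gets the next free pool address; mapping is recorded."""
        ip = VPN_POOL[self.next_ip % len(VPN_POOL)]
        self.next_ip += 1
        self.user_map[ip] = username
        return ip

    def disconnect(self, ip):
        """Session ends: the mapping is removed, so the address no longer implies a user."""
        self.user_map.pop(ip, None)


def evaluate(gw, src_ip, dst_ip):
    """First matching rule wins; rules are matched on user/group, not on source IP."""
    user = gw.user_map.get(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for rule in RULES:
        if rule["group"] is not None and user not in AD_GROUPS[rule["group"]]:
            continue
        if any(dst in net for net in rule["dst"]):
            return rule["name"], rule["action"]
    return "interzone-default", "deny"
```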
