Is there a way to allow specific GlobalProtect users to only connect from specific public IP addresses? For example say I only wanted to allow user1 to connect from IP address 22.214.171.124, and if user1 connects from any other public IP address, or if user2 is trying to access from 126.96.36.199, to have that access be denied?
I can't really think of a clean way of doing this. The only way that you could limit the public IP, to my knowledge, is to limit who can connect to a specified gateway and then assign the required public IP an access policy that would allow only them to get to the gateway IP. This of course would mean that you would have to have a gateway for any user that you wished to limit in this way.
No such option exists yet. The only thing (and is broader than what's asked) would be to allow select few IPs in the Security policies but it wouldn't have a user<-->IP pairing.
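To make the workaround in the two replies above concrete, this is what an IP-based allow list in front of a GlobalProtect gateway looks like as PAN-OS CLI set commands. It is an added example, not configuration posted in this thread or taken from Palo Alto Networks documentation: the zone name `untrust`, the gateway interface address 198.51.100.5, the permitted source address 203.0.113.10 and the rule names are assumptions, and the command syntax is reproduced from memory of PAN-OS and should be checked against the release in use.

```text
# Added example (assumed names and addresses). Traffic to the firewall's own
# interface is evaluated in the zone that interface belongs to, so a rule for
# the gateway uses the same from/to zone.

# Only the approved public address may reach the gateway.
set rulebase security rules allow-gp-gateway-from-office from untrust to untrust source 203.0.113.10 destination 198.51.100.5 application [ panos-global-protect ssl web-browsing ] service application-default action allow

# Everyone else is denied explicitly. Without this rule the default
# intrazone-default rule (allow) would still admit any source address.
set rulebase security rules deny-gp-gateway-others from untrust to untrust source any destination 198.51.100.5 application [ panos-global-protect ssl web-browsing ] service application-default action deny

commit
```

As the reply above notes, this pairs an address with a gateway, not with a user: user1's credentials still work from 203.0.113.10, and user2 would be denied at this gateway only because of the source address, not because of who they are. A separate gateway per restricted user, each with its own rule pair, is the only way this approach reaches per-user behaviour, and the deny rule must stay below the allow rule in the rulebase or the allow never matches.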
But in addition to the solution of @BPry, there may be another (really) unconventional way: Captive Portal. You could allow access to the GlobalProtect Gateway only for your specific user, who will be presented the captive portal login form when he tries to connect with a browser. It also depends on whether you have the portal on the same device or on another (it would also work on different devices with User-ID redistribution), because this is probably the only valid website where you can put the captive portal in front of (as I assume you only want to limit the GP access and not access to other resources which may be in your DMZ).