Limiting GlobalProtect client access via IP address


L1 Bithead

Is there a way to allow specific GlobalProtect users to only connect from specific public IP addresses?  For example say I only wanted to allow user1 to connect from IP address, and if user1 connects from any other public IP address, or if user2 is trying to access from, to have that access be denied?



Cyber Elite

I can't really think of a clean way of doing this. The only way that you could limit the public IP, to my knowledge, is to limit who can connect to a specified gateway and then assign the required public IP an access policy that would allow only them to get to the gateway IP. This of course would mean that you would have to have a gateway for any user that you wished to limit in this way.



L4 Transporter

Hi Craig,


No such option exists yet. The only thing (and is broader than what's asked) would be to allow select few IPs in the Security policies but it wouldn't have a user<-->IP pairing.





ACE 7.0, 8.0, PCNSE 7

L7 Applicator

As @BPry and also @ansharma said, there's no clean way to do it.


But in addition to the solution of @BPry, there may be another (really) unconventional way: Captive Portal. You could allow access to the GlobalProtect gateway only for your specific user, who will be presented the captive portal login form when he tries to connect with a browser. It also depends on whether you have the portal on the same device or on another (it would also work on different devices with user-id-redistribution), because this is probably the only valid website where you can put the captive portal in front of (as I assume you only want to limit the GP access and not access to other resources which may be in your DMZ).
