Lock down VPN for certain users

L1 Bithead

I am fairly new to Palo Alto so please forgive me if this is a simple answer or answered somewhere else.

I have a requirement to lock down our GlobalProtect for our vendors. Here is what I have.

I have group mappings and User-ID mappings set up and working fine.

I have 2 GP portals and 2 gateways set up. 1 portal\gateway for company users and 1 portal\gateway for vendors.

I have 1 tunnel for my Corporate VPN and 1 Tunnel for my Vendor VPN

The company portal comes in on one external IP address and the vendor comes in on a different IP address.

 

I have 3 security zones set up.

Trust (Internal network)

Untrust ( external network) company VPN users enter through this zone.

Vendor (external network) All vendors enter through this zone.

The Untrust & Vendor zone traffic comes in on the same external interface (11), and the Trust traffic leaves out external interface (11).

 

At this time, the company VPN works just fine and all authorized users can access all resources.

 

The Vendor VPN users can connect but I can't seem to figure out how to lock them down to only access certain servers or applications. In the GP gateway for the vendors, I have the appropriate VLAN allowed in the Split tunnel config.

 

I have been working with the security policies and I think my answer lies there but I am not sure how to get there from here.

 

In testing, the vendors have access to the appropriate VLAN, they only have RDP access (No http/https/etc) to the appropriate server(s) but just by IP only, not name.

 

I can see in the monitoring logs the port 53 traffic to my domain controllers is being denied by the interzone-default rule. Do I need to allow some sort of domain services so this flows as I want? If so, how is the best way to accomplish this?

 

I can't seem to figure out what I am missing. Any help would be great.

Accepted Solutions
L4 Transporter

The tunnel interface on your vendor GlobalProtect gateway is in the Vendors zone, and your DNS server is in the Trust zone, correct?


If this is the case, you’ll need a security policy with source zone Vendors and destination zone Trust, destination address of your DNS server(s), and application of DNS in order to permit the traffic. You’re on the right track!



All Replies
L1 Bithead

Owen,

 

That worked. Exactly what I needed.

 

I have one last question. Would it be more secure to leave the access route blank and just allow access through the security rules?

By removing all the VLANs from the gateway config, access still works. Can you see this as an issue down the road?

L4 Transporter

Glad to help!  That gave me fits for a week or two not long ago.

"More secure" might be hard to answer, given I don't fully know your environment.  If you want to make sure all their traffic is running through the VPN connection it might make sense.  It would be slightly simpler for future changes.  You'd probably need a security policy for Internet access from the vendor zone if needed, and others for any internal services like DNS.  Then you could create policies for specific users or groups giving them access to whatever specific servers/resources they need on your internal zones.

L1 Bithead

Our environment is fairly simple and we only have a few vendors connecting in. My thought is, if I don't add a VLAN to the access route in the split tunnel configuration of the gateway config and give them no direct access to the local network, it locks the vendor down even more. If they need internet access, I can do it through security as you stated. Thoughts?

L4 Transporter

Yes, to lock them down the most, put 0.0.0.0/0 in the Include section, nothing in the Exclude section, and check the "No direct access to local network" checkbox.  This will cause all the client's traffic to go down the VPN tunnel.  Whether you do 0.0.0.0/0, or specify the VLAN in the split tunnel config, you're still going to have to make the security policies to allow traffic from your Vendor zone to your Trust zone (assuming you haven't modified your interzone-default rule).  Make sure you check the "Log at Session End" checkbox under Actions > Log Setting in your security policy if you want to record hits in your monitor tab.

Let me know if you have any other questions, or mark the issue solved if you get it all working.
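To show why the vendors' port 53 traffic was hitting interzone-default and how the Vendor-to-Trust DNS rule from the accepted answer changes the outcome, here is an added example (not from the thread or from Palo Alto) that models PAN-OS first-match security policy evaluation over a constructed rulebase. Zone names come from the thread; the addresses, rule names and the single pre-existing RDP rule are assumptions.

```python
from dataclasses import dataclass

# Constructed stand-in for the thread's environment (hypothetical addresses).
DNS_SERVERS = {"10.10.10.5", "10.10.10.6"}  # domain controllers in Trust
RDP_SERVER = "10.20.30.40"                  # vendor-facing server in Trust

@dataclass
class Rule:
    name: str
    src_zone: set            # {"any"} matches every zone
    dst_zone: set
    dst_addr: set
    apps: set
    action: str              # "allow" or "deny"
    log_end: bool = False    # "Log at Session End" under Actions > Log Setting
    kind: str = "universal"  # PAN-OS rule type: universal / intrazone / interzone

# The two implicit rules PAN-OS appends to every rulebase; neither logs by default.
DEFAULT_RULES = [
    Rule("intrazone-default", {"any"}, {"any"}, {"any"}, {"any"}, "allow", kind="intrazone"),
    Rule("interzone-default", {"any"}, {"any"}, {"any"}, {"any"}, "deny", kind="interzone"),
]

def _match(field, value):
    return "any" in field or value in field

def evaluate(rulebase, src_zone, dst_zone, dst_addr, app):
    """First match wins, top-down. Returns (rule name, action, logged)."""
    for r in rulebase + DEFAULT_RULES:
        if r.kind == "intrazone" and src_zone != dst_zone:
            continue
        if r.kind == "interzone" and src_zone == dst_zone:
            continue
        if (_match(r.src_zone, src_zone) and _match(r.dst_zone, dst_zone)
                and _match(r.dst_addr, dst_addr) and _match(r.apps, app)):
            return r.name, r.action, r.log_end
    raise RuntimeError("unreachable: a default rule always matches")

# What the OP already had (assumed): RDP to one server is allowed, everything else falls through.
VENDOR_RULES = [Rule("Vendor-RDP", {"Vendor"}, {"Trust"}, {RDP_SERVER}, {"ms-rdp"}, "allow", log_end=True)]

# The rule the accepted answer recommends: Vendor -> Trust, DNS servers only, application dns.
VENDOR_DNS_RULE = Rule("Vendor-DNS", {"Vendor"}, {"Trust"}, DNS_SERVERS, {"dns"}, "allow", log_end=True)

def before_fix(app="dns", dst="10.10.10.5"):
    return evaluate(VENDOR_RULES, "Vendor", "Trust", dst, app)

def after_fix(app="dns", dst="10.10.10.5"):
    return evaluate(VENDOR_RULES + [VENDOR_DNS_RULE], "Vendor", "Trust", dst, app)
```

The DNS rule only opens application dns to the listed servers; any other application from the Vendor zone toward Trust still falls through to interzone-default and is denied.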

L1 Bithead

Owen,

 

Thank you for all the help. I have made the changes for my test portals and all works well. I have marked your response as a solution.
