I am working on a migration- ASA to Palo. ASA has muliple remote access vpn's setup - all terminating on outside interface ip address. For example, a RA vpn for employees - authenticating against AD, another for contractors- user accounts created locally on ASA. The IP Pool is different in call instances.
Now, I want to create a like for like RA vpn setup on Palo. I understand I can use physical interface public ip address for my portal and 1st gateway.
Question: what about the second gateway? can it be created utilizing the same public ip address so that whether it's an employee or contractor- they all connect to the same public IP address- and depending on how they authenticate they get different access? I will need multiple gateways so as to define 1. first gateway- authenticate via AD, second via LOCAL accounts created on the firewall. Apologies, I am somewhat new to Palo Alto firewalls and this is my 1st projet.
From the above description i understand that you only want to use multiple gateway so that you can have different authentication profile for different users
If you have used one ip adderss as your gateway you will not be able to call the same ip address again to create a gateway again.
# One solution for your requirement is to use Authentication Sequence.
# Call multiple auth profile in authentication sequence and call this auth sequen under your gateway( in place of auth profile )
some details for auth sequence
In some environments, user accounts reside in multiple directories (for example, local database, LDAP, and RADIUS). An authentication sequence is a set of authentication profiles that the Palo Alto Networks device tries to use for authenticating users when they log in. The device tries the profiles sequentially from the top of the list to the bottom—applying the authentication, Kerberos single sign-on, allows list, and account lockout values for each—until one profile successfully authenticates the user. The device only denies access if all profiles in the sequence fail to authenticate.
I hope this may fulfil you requirements
I think the best way to solve this problem would be to have multiple client configurations but only use 1 portal and 1 gateway.
I have grabbed a few screenshots of a simple configuration for you to take a look at below, you can control access based on users & groups in your policies.
hope this helps,
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!