This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

One GP portal, forward select users to alternate firewall zone?

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

One GP portal, forward select users to alternate firewall zone?

jasonbailey
L1 Bithead

‎12-19-2017 02:11 PM

Hi all,

 

We currently have a single GlobalProtect gateway, single portal VPN configuration which happens to work really well (currently running on a single PA-3020). This gateway/portal combination first authenticates against LDAP (employees) and then against the local user database.

 

What I'd like to do, however, is add support for vendors and contractors who need limited/temporary access to select resources on our network by way of our VPN. I have a local (local to the firewall) user group full of such accounts. What I'd like to know is if there is a way to redirect users from this aforementioned vendors group that have logged into the same GP portal and gateway into another zone that is highly restricted and let employees have less restricted access.

 

My thinking may be off, but what I did is created an arbitrary VLAN and then added it to a highly restricted "vendor-vpn" zone. The VLAN interface is connected to a virtual router that can route traffic to the intranet (naturally if security policy allows). My main question is, is there an easy way to route such users from the GP gateway to the vendor vlan? My thought was to use a PBF policy rule, but I'm not experienced with them, and they're for egress traffic leaving the firewall.

 

Basically the idea is to segment/isolate such users from the employees immediately after login and drop them into a highly restrictive area that they can't get out of unless I explicitly allow via security policy rules.

 

Is it doable? Considering I only have one public IP to operate any VPN service on, is there a better way?

0 Likes Likes
1 REPLY 1

BPry
Cyber Elite
Cyber Elite

‎12-19-2017 02:33 PM

@jasonbailey,

You wouldn't really need to do anything that complicated if you don't want to. You could simply modify the Agent Client Settings options in the Gateway configuration. This would allow you to make it so that certain users were granted a seperate IP Pool and Access Routes. 

Depending on how granular you would be looking to get you could make it so that user 'bpry' was given an IP of 172.16.252.150 and was only given an Access Route of 10.191.16.61/32. You could then build the appropriate security policies and ensure that the vendor only ever had access to whatever they needed. 

 

  • 1602 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks