Palo Alto SSL VPN (GlobalProtect) Restrictions

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Please sign in to see details of an important advisory in our Customer Advisories area.

Palo Alto SSL VPN (GlobalProtect) Restrictions

L2 Linker


Just a quick background on my question...

We are beginning to implement Palo Alto firewalls in our data center, and we want to start using them for SSL VPN connections. We have already gone through the basic setup process and have the SSL VPN connection working with our test group, which is mapped via LDAP and User ID. Now that this is set up, we want to tighten security around our setup. Specifically, we want to be able to start restricting what access people have when the VPN through the Palo Altos. For instance, one department should only be able to access a specific subnet, while another department may be able to access none or multiple subnets. I have read into two possible solutions: multiple gateways and security policies. However, I wanted to get your opinion on the matter and determine which is better, which is worse, which one makes more sense, other options I should consider, and any other information or recommendations people may have.

Aside from that, I have two related questions as well that goes into VPN setup. Under the VPN gateway in the Client Configuration tab, what does Access Route do? If I specify a subnet in that area, does this mean I can only access that particular subnet when I VPN in?

Secondly, not sure if its possible, but can you have multiple gateways with the same IP address, but set it up so that it maps to specific AD groups? Just an idea I was throwing around in my head with the multiple gateway solution to see if I can do that to restrict access that way.

Any help is greatly appreciated.




L6 Presenter

first, Access route will be integrated into routing table of the client which is connected by GP.So if you use there, all traffic of client will come to PA when it is connected.if you just add a route, only that traffic will come to PA.

secondly, more than one GW needs a license.So if you need more than 1 GW you should first be sure if you really need that or not.

You can use 1 GW but different User groups with different client profiles in Global Protect configuration and this will also work.

Can you give me an example or screenshot of how to use 1GW but different user groups with different client profiles in the Global Protection configuration? I don't see an option to set up multiple client profiles.


L2 Linker

Can anyone provide some details to the previous question?

Using Global Protect with One gateway and both split - full tunnel

You can use policy with that config and make restricitons.

if your need is different then update here.

You can only apply different GP profiles (routes, and config) via AD user group at the portal, not the GW. Your best bet to the original post, is to enforce access in the security policy by User ID/AD groups. You can also achieve the same result by standing up separate GW's, but that could get very IP/Interface intensive, and can be simply circumvented by the user adding local routes on the client PC.

  • 5 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!