Just a quick background on my question...
We are beginning to implement Palo Alto firewalls in our data center, and we want to start using them for SSL VPN connections. We have already gone through the basic setup process and have the SSL VPN connection working with our test group, which is mapped via LDAP and User ID. Now that this is set up, we want to tighten security around our setup. Specifically, we want to be able to start restricting what access people have when they VPN through the Palo Altos. For instance, one department should only be able to access a specific subnet, while another department may be able to access none or multiple subnets. I have read into two possible solutions: multiple gateways and security policies. However, I wanted to get your opinion on the matter and determine which is better, which is worse, which one makes more sense, other options I should consider, and any other information or recommendations people may have.
Aside from that, I have two related questions as well that go into VPN setup. Under the VPN gateway in the Client Configuration tab, what does Access Route do? If I specify a subnet in that area, does this mean I can only access that particular subnet when I VPN in?
Secondly, not sure if it's possible, but can you have multiple gateways with the same IP address, but set it up so that it maps to specific AD groups? Just an idea I was throwing around in my head with the multiple gateway solution to see if I can do that to restrict access that way.
Any help is greatly appreciated.
First, the Access Route will be integrated into the routing table of the client which is connected by GP. So if you use 0.0.0.0/0 there, all traffic of the client will come to the PA when it is connected. If you just add a 192.168.10.0/24 route, only that traffic will come to the PA.
Secondly, more than one GW needs a license. So if you need more than 1 GW you should first be sure whether you really need that or not.
You can use 1 GW but different User groups with different client profiles in Global Protect configuration and this will also work.
You can only apply different GP profiles (routes and config) via AD user group at the portal, not the GW. Your best bet for the original post is to enforce access in the security policy by User ID/AD groups. You can also achieve the same result by standing up separate GWs, but that could get very IP/interface intensive, and can be simply circumvented by the user adding local routes on the client PC.
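As an added example (not code from this thread or from Palo Alto), here is a small Python model of the two layers the replies describe: the client's access routes, which only decide what traffic enters the tunnel, and the firewall's User-ID/group security policy, which is where access is actually enforced. Group names, subnets and rule names are constructed for illustration.

```python
import ipaddress

# Constructed sample rulebase: first match wins, like a (simplified) PAN-OS
# security policy keyed on User-ID group and destination subnet.
RULEBASE = [
    {"name": "finance-to-finance-net", "groups": {"finance-vpn"},
     "dst": ipaddress.ip_network("10.10.10.0/24"), "action": "allow"},
    {"name": "eng-to-lab-nets", "groups": {"eng-vpn"},
     "dst": ipaddress.ip_network("10.20.0.0/16"), "action": "allow"},
    {"name": "vpn-default-deny", "groups": None,  # None = any user
     "dst": ipaddress.ip_network("0.0.0.0/0"), "action": "deny"},
]


def client_tunnels(dst, access_routes, local_routes=()):
    """Does the GP client send traffic for dst down the tunnel?

    access_routes are what the portal/gateway pushes; local_routes are
    whatever the user adds on the PC. Both end up in the same client
    routing table, so this layer is convenience, not a security boundary.
    """
    ip = ipaddress.ip_address(dst)
    routes = (*access_routes, *local_routes)
    return any(ip in ipaddress.ip_network(r) for r in routes)


def policy_action(user_groups, dst):
    """Firewall-side decision: first rule whose group and destination match."""
    ip = ipaddress.ip_address(dst)
    for rule in RULEBASE:
        group_ok = rule["groups"] is None or rule["groups"] & set(user_groups)
        if group_ok and ip in rule["dst"]:
            return rule["name"], rule["action"]
    return "implicit-deny", "deny"


def reachable(user_groups, dst, access_routes, local_routes=()):
    """Traffic reaches dst only if it enters the tunnel AND policy allows it."""
    if not client_tunnels(dst, access_routes, local_routes):
        return False
    return policy_action(user_groups, dst)[1] == "allow"


if __name__ == "__main__":
    fin = ["finance-vpn"]
    # Access route alone keeps 10.20.x.x off the tunnel for finance...
    print(reachable(fin, "10.20.1.5", ["10.10.10.0/24"]))
    # ...but a user-added local route puts it back; only policy stops it.
    print(client_tunnels("10.20.1.5", ["10.10.10.0/24"], ["10.20.0.0/16"]))
    print(policy_action(fin, "10.20.1.5"))
```

The last two prints show the point of the reply above: the local route changes what the client sends, but the group-based rule still returns a deny on the firewall.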