Restrict Access to WAN Network PANOS9.0.x

Hi @MP2021 ,

If I understand you correctly you need to restrict access based on user identification, correct?

When it comes to user id you may want to think it as two separate components:

- User-to-IP mapping - from where firewall can gather information which ip to which user it is corresponding

- User group mapping - if you plan to use user groups (preferable), how the firewall will known which user in which user group it belongs.

I would say the most critical component is the user-to-ip mapping, and great think about PAN FW is that support multiple ways to gather this information.

- GlobalProtect - this is the simplest way, because when connecting to GP user is authenticating and FW is allocating IP for that user from the IP pool. So FW already have the information user-to-ip. In this case you only need Group Mapping, so instead of putting usernames in the rules you can put user group

- User-ID agent and agentless: in nutshell both ways is to read your DC security logs and parse the login and logout events. When user is connected inside your network and try to login to his PC. PC will authenticate the user agains the domain controller, which will create log containing username and ip address of the machine which is requesting the authentication. Once these logs are parsed your FW will have user-to-ip mapping

- Caprive Portal - if you don't want to have full user-id agent deployment and you don't have any other source, you can use the captive portal to aks the user to authenticate. That way FW again will be able to mapp the ip address with the authenticated username.

- There are other ways as well, but I wouldn't focus on them for this discussion.

---

@MP2021 wrote:

I can roughly understand what i need to do in order to set up User-ID using AD security groups, but i'm concerned that it will only affect HTTP Traffic or will end up being set for all traffic over that interface regardless of whether it's for that particular Tunnel or not.

 

Is it possible to set up User-ID/Captive Portal to only restrict access to a specified tunnel? The access required for Authorised users is HTTP, HTTPS, SSH and MySQL and is a mixture of On-Premise and Global Protect Users (around 14 Users will access).

---

Two clarifications here:

- Yes you can have captive portal/authentication policy only for specific IPsec tunnel. To enforce captive portal you are configuring authentication poliy rule. Similar to security rule you are configuring source, destination address and zone. My recommendetions is to use separate zones for each IPsec tunnel. This gives you flexability when defining your rule, because you can simply filter by destination zone.

- Authentiction policy rule does not eliminate the need of security rule. You still need to have security rule that will allow that traffic. The purpose of the auth rule is to enfoce captive portal and collect user-to-ip mapping. So what protocols/traffic will be allowed is up to you, what will be added to the security policy.

What you probably confuses you is that authentication rule can enfoce captive portal only for HTTP/S traffic. This means that if user tries to access your vpn tunnel with SSH or SQL and there is no user-to-ip mapping for his source ip, FW will simply block him = because he does not match the security rule and the authentication policy is not able to enforce captive portal. This simply means that when users wants to connect to AWS they need first to open HTTP, in order for the FW to enforce the captive portal and collect user-ip mapping, after that they can use any other protocol, because they are already authenticated.