Restricting Global protect VPN access to specific countries



L1 Bithead

How do I configure GlobalProtect VPN so that users can connect only from specific countries?


L4 Transporter

You can create an inbound VPN security policy that only allows traffic from those geographical regions. The firewall has built-in regions that you can choose from, or you can define your own.

 

On my lab device I have it set up to do this. Depending on your topology/config it may vary, but it should be easily accomplished, and you can narrow it down to the specific layer 7 apps as well.

Also, in version 8.something you can offer gateways dependent on what country the user is connecting from.

 

network/portal/agent/configs/external

 

This is from the help link:

 

Source Region—Source region for client devices. When users connect, GlobalProtect recognizes the device region and only allows users to connect to gateways that are configured for that region. For gateway choices, source region is considered first, then gateway priority.

 

 

Thank you hshawn.

Thank you MickBall. I have version 8.1.0 and this is the VPN setting I was looking for.

I tried this as shown below, but it did not work as expected. GlobalProtect can still connect from other countries. I have only one portal and one gateway.

[Screenshot attached: Capture.JPG]

 

What happens if you remove the "Any" from the region settings?

Same effect without "Any". I already tried this.

OK, worth a try. I must admit I have never used it, but I just noticed the option when I was looking into gateway priority.

 

If it's causing an issue perhaps it should be logged as a fault with support.

 

Going by the documentation, it should work.

 

Can you confirm that your PA is definitely recognising the regions you are connecting from?

In the log, the source country is showing correctly.

Also "show location ip x.x.x.x" is showing the correct country.

@TechnologySvcs , did you get this working?

 

I require this capability in a new GP deployment and would like to avoid putting another device upstream to restrict the portal and gateway access by region.

 

Thanks

FYI, in my case it did not work at that time. I haven't tried again.

But I believe it is possible to restrict GlobalProtect access to your public IP address using security policy rules.

 

Try creating two rules as mentioned below.

 

RULE1
--------
source zone: outside
source address: IN (for example India; add the required countries)
destination zone: outside
destination address: x.x.x.x (your public IP)
applications: panos-global-protect, panos-web-interface, ssl
service: application-default
action: allow

RULE2
--------
source zone: outside
source address: any
destination zone: outside
destination address: x.x.x.x (your public IP)
applications: panos-global-protect, panos-web-interface, ssl
service: application-default
action: deny
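As an added example (not from the thread and not Palo Alto Networks code), the following Python script simulates how PAN-OS evaluates the two rules above: the first matching rule wins, and GlobalProtect traffic to the firewall's own outside interface is outside-to-outside, so anything RULE1 does not match falls through to the predefined intrazone-default rule and is allowed unless RULE2 catches it. The region table, the portal address 203.0.113.10 and the sample sessions are constructed for the demo; a real firewall resolves regions from its bundled GeoIP data, which is what "show location ip" queries.

```python
"""Simulate PAN-OS first-match evaluation of the two GlobalProtect rules.

Example code added to the thread, not PAN-OS code or anything the poster
supplied. The region table, the portal address 203.0.113.10 and the sample
sessions are constructed for the demo.
"""
import ipaddress
from dataclasses import dataclass

# Constructed region table: documentation prefixes labelled as countries.
REGION_TABLE = {
    "IN": [ipaddress.ip_network("198.51.100.0/25")],
    "US": [ipaddress.ip_network("198.51.100.128/25")],
    "DE": [ipaddress.ip_network("192.0.2.0/24")],
}

PORTAL_IP = "203.0.113.10"  # assumption: the firewall's public GlobalProtect address
GP_APPS = frozenset({"panos-global-protect", "panos-web-interface", "ssl"})


def lookup_region(ip: str) -> str:
    """Stand-in for `show location ip <ip>` against the constructed table."""
    addr = ipaddress.ip_address(ip)
    for code, nets in REGION_TABLE.items():
        if any(addr in net for net in nets):
            return code
    return "unknown"


@dataclass(frozen=True)
class Rule:
    name: str
    from_zone: str
    to_zone: str
    source: frozenset       # region codes, or {"any"}
    destination: str        # a single IP, or "any"
    applications: frozenset
    action: str


@dataclass(frozen=True)
class Session:
    src_ip: str
    src_zone: str
    dst_ip: str
    dst_zone: str
    app: str


# The two rules from the post, in the order they must sit in the rulebase.
RULEBASE = [
    Rule("RULE1", "outside", "outside", frozenset({"IN"}), PORTAL_IP, GP_APPS, "allow"),
    Rule("RULE2", "outside", "outside", frozenset({"any"}), PORTAL_IP, GP_APPS, "deny"),
]


def rule_matches(rule: Rule, sess: Session, region: str) -> bool:
    return (
        rule.from_zone == sess.src_zone
        and rule.to_zone == sess.dst_zone
        and ("any" in rule.source or region in rule.source)
        and rule.destination in ("any", sess.dst_ip)
        and ("any" in rule.applications or sess.app in rule.applications)
    )


def evaluate(rulebase, sess: Session):
    """First matching rule wins. Traffic to the firewall's own outside
    interface is outside -> outside, so with no explicit match the predefined
    intrazone-default rule applies and allows it; that is why RULE2 exists."""
    region = lookup_region(sess.src_ip)
    for rule in rulebase:
        if rule_matches(rule, sess, region):
            return rule.name, rule.action
    return "intrazone-default", "allow"


# Constructed sample sessions: one per region plus one unresolvable address.
SESSIONS = [
    Session("198.51.100.7", "outside", PORTAL_IP, "outside", "panos-global-protect"),
    Session("198.51.100.200", "outside", PORTAL_IP, "outside", "panos-global-protect"),
    Session("192.0.2.44", "outside", PORTAL_IP, "outside", "ssl"),
    Session("203.0.113.99", "outside", PORTAL_IP, "outside", "ssl"),
]


def verdicts(rulebase, sessions=SESSIONS):
    """Return (src_ip, region, matched_rule, action) for each session."""
    return [(s.src_ip, lookup_region(s.src_ip)) + evaluate(rulebase, s) for s in sessions]


if __name__ == "__main__":
    for row in verdicts(RULEBASE):
        print(row)
    print("--- RULE2 above RULE1: every GlobalProtect client is denied ---")
    for row in verdicts(list(reversed(RULEBASE))):
        print(row)
    print("--- RULE1 alone: other regions fall through to intrazone-default ---")
    for row in verdicts(RULEBASE[:1]):
        print(row)
```

Running it prints the verdict per session for the correct order, for the reversed order (everything denied, India included) and for RULE1 alone (everything allowed), which is the ordering check worth doing before committing the rules on the real firewall; an address that resolves to "unknown" is denied by RULE2, not allowed.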

 

@fwmike, hi.

 

Yes, gateway selection via regions does work for both Windows and iOS.
