04-19-2018 08:38 AM
How to configure GlobalProtect VPN users to access from only specific countries?
04-19-2018 09:25 AM
Also... in version 8.something you can offer gateways dependent on what country the user is connecting from...
network/portal/agent/configs/external
This is the help link...
Source Region—Source region for client devices. When users connect, GlobalProtect recognizes the device region and only allows users to connect to gateways that are configured for that region. For gateway choices, source region is considered first, then gateway priority.
04-19-2018 09:02 AM - edited 04-19-2018 09:02 AM
You can create an inbound VPN security policy that is only allowing from those geographical regions. The firewall has built-in regions that you can choose from, or you can define your own.
On my lab device I have it set up to do this. Depending on your topology/config it may vary, but it should be easily accomplished, and you can narrow it down to the layer 7 specific apps as well.
04-19-2018 01:52 PM
Thank you MickBall. I have version 8.1.0 and this is the VPN setting I was looking for.
04-24-2018 11:06 PM
I tried this as shown below, but it did not work as expected. GlobalProtect can still connect from other countries. I have only one portal and one gateway.
04-24-2018 11:25 PM
What happens if you remove the “Any” from region settings...
04-25-2018 12:49 AM
Same effect without "Any". I already tried this.
04-25-2018 12:56 AM
OK, worth a try... I must admit I have never used it, but I just noticed the option when I was looking into gateway priority.
If it's causing an issue, perhaps it should be logged as a fault with support.
Going by the documentation, it should work.
Can you confirm that your PA is deffo recognising the regions you are connecting from?
04-25-2018 02:21 AM
In the log, the source country is showing correctly.
Also, "show location ip x.x.x.x" is showing the correct country.
05-13-2019 06:56 AM
@TechnologySvcs , did you get this working?
I require this capability in a new GP deployment and would like to avoid putting another device upstream to restrict the portal and gateway access by region.
Thanks
05-14-2019 08:29 AM
FYI, in my case it did not work at that time. I haven't tried again.
But I believe it is possible to restrict GlobalProtect access to your public IP address using security policy rules.
Try creating two rules as mentioned below.
RULE1
--------
source zone : outside
source address : IN (e.g. India; add required countries)
destination zone : outside
destination address : x.x.x.x (your public ip)
applications : panos-global-protect, panos-web-interface, ssl
service : application-default
action: allow
RULE2
--------
source zone : outside
source address : any
destination zone : outside
destination address : x.x.x.x (your public ip)
applications : panos-global-protect, panos-web-interface, ssl
service : application-default
action: deny
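
An added example, not part of the post above: a small Python model of top-down, first-match evaluation for RULE1 and RULE2, showing why both the explicit deny and the rule order matter. It assumes the firewall has already resolved the source to a region code, uses a constructed documentation address in place of x.x.x.x, and models the fall-through as PAN-OS's predefined intrazone-default rule (allow), since both zones are "outside".

```python
from dataclasses import dataclass

GP_IP = "203.0.113.10"   # constructed stand-in for "x.x.x.x (your public ip)"
GP_APPS = frozenset({"panos-global-protect", "panos-web-interface", "ssl"})
ANY = frozenset()        # empty region set models source address "any"


@dataclass(frozen=True)
class Rule:
    name: str
    src_regions: frozenset
    action: str
    dst: str = GP_IP
    apps: frozenset = GP_APPS

    def matches(self, region, dst, app):
        region_ok = self.src_regions == ANY or region in self.src_regions
        return region_ok and dst == self.dst and app in self.apps


RULE1 = Rule("RULE1", frozenset({"IN"}), "allow")
RULE2 = Rule("RULE2", ANY, "deny")


def evaluate(rulebase, region, app="panos-global-protect", dst=GP_IP):
    """First match wins, top down. Both zones are 'outside', so unmatched
    traffic ends at the predefined intrazone-default rule, which allows."""
    for rule in rulebase:
        if rule.matches(region, dst, app):
            return rule.name, rule.action
    return "intrazone-default", "allow"


if __name__ == "__main__":
    cases = {
        "RULE1 then RULE2": [RULE1, RULE2],
        "RULE1 only": [RULE1],
        "RULE2 then RULE1": [RULE2, RULE1],
    }
    for label, rulebase in cases.items():
        for region in ("IN", "US"):
            print(f"{label:18} {region}: {evaluate(rulebase, region)}")
```

With only RULE1 in place, a source outside the allowed regions falls through to intrazone-default and is still allowed; with the order reversed, RULE2 shadows RULE1 and the allowed region is denied as well.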