Restricting GlobalProtect VPN access to specific countries


L1 Bithead

How to configure GlobalProtect VPN users to access from only specific countries?

1 ACCEPTED SOLUTION

also... in version 8.something you can offer gateways dependent on what country the user is connecting from...

network/portal/agent/configs/external

this is the help link...

Source Region—Source region for client devices. When users connect, GlobalProtect recognizes the device region and only allows users to connect to gateways that are configured for that region. For gateway choices, source region is considered first, then gateway priority.

12 REPLIES

L4 Transporter

You can create an inbound VPN security policy that only allows traffic from those geographical regions. The firewall has built-in regions that you can choose from, or you can define your own.

On my lab device I have it set up to do this. Depending on your topology/config it may vary, but it should be easily accomplished, and you can narrow it down to the layer 7 specific apps as well.
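The security-policy approach described in the reply above, sketched as PAN-OS configure-mode `set` commands. This is an added example, not part of the original thread or anyone's posted config; the zone name, address object, rule names and region codes are assumptions, and it assumes a single-vsys firewall whose GlobalProtect portal/gateway interface is in the same zone the clients arrive from.

```text
# Added example, not from the thread. Hypothetical names: zone "untrust",
# address object GP-Public-IP (203.0.113.10 is a documentation address),
# rules GP-Allowed-Regions / GP-Block-Other-Regions, regions US and CA.
# Lines starting with "#" are annotations; enter only the set commands.

set address GP-Public-IP ip-netmask 203.0.113.10/32

# 1) Allow GlobalProtect only from the permitted source regions.
set rulebase security rules GP-Allowed-Regions from untrust
set rulebase security rules GP-Allowed-Regions to untrust
set rulebase security rules GP-Allowed-Regions source [ US CA ]
set rulebase security rules GP-Allowed-Regions destination GP-Public-IP
set rulebase security rules GP-Allowed-Regions source-user any
set rulebase security rules GP-Allowed-Regions category any
set rulebase security rules GP-Allowed-Regions application [ panos-global-protect ssl web-browsing ipsec-esp-udp ]
set rulebase security rules GP-Allowed-Regions service application-default
set rulebase security rules GP-Allowed-Regions action allow
set rulebase security rules GP-Allowed-Regions log-end yes

# 2) Explicit deny for every other source to the same address. Without it,
#    same-zone traffic to the portal/gateway still matches the default
#    intrazone allow rule, so the region restriction has no effect.
set rulebase security rules GP-Block-Other-Regions from untrust
set rulebase security rules GP-Block-Other-Regions to untrust
set rulebase security rules GP-Block-Other-Regions source any
set rulebase security rules GP-Block-Other-Regions destination GP-Public-IP
set rulebase security rules GP-Block-Other-Regions source-user any
set rulebase security rules GP-Block-Other-Regions category any
set rulebase security rules GP-Block-Other-Regions application any
set rulebase security rules GP-Block-Other-Regions service any
set rulebase security rules GP-Block-Other-Regions action deny
set rulebase security rules GP-Block-Other-Regions log-end yes
```

The allow rule has to sit above the deny rule, and both above any broader rule that already matches traffic to the portal/gateway address. The deny rule's end-of-session log entries show which source countries are being blocked.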


Thank you hshawn.

Thank you MickBall. I have 8.1.0 version and this is the VPN setting I was looking for.

I tried this as shown below, but it did not work as expected. GlobalProtect can still connect from other countries. I have only one portal and one gateway.

Capture.JPG

 

What happens if you remove the “Any” from region settings...

Same effect without "Any". I already tried this.

OK, worth a try. I must admit I have never used it, but I just noticed the option when I was looking into gateway priority.

If it's causing an issue, perhaps it should be logged as a fault with support.

Going by the documentation, it should work.

Can you confirm that your PA is deffo recognising the regions you are connecting from?

In the log, source country is showing correctly.

Also "show location ip x.x.x.x" is showing the correct country.
