12-07-2016 02:26 PM
Folks.
I have a normal Global protect portal for internal staff which works fine.
I now have been asked to provide access for a support organisation which is not staff - not employed by our company - but which needs access to certain devices inside our network.
Does anyone know if there is any way I can restrict what they access via Global Protect? Would a security policy rule on source user work, or is there some other way?
Thanks.
12-12-2016 02:37 AM
Source zone would be the zone which you assigned to tunnel interface for GP users. You can also check logs and see ehich zone is assigned to GP users.
12-07-2016 11:24 PM
You can use GP users or groups in FW policy.
12-08-2016 05:43 AM
The security policy with a specified source user would work perfectly fine, just make sure that you have the source zone setup correctly then setup the rule to only allow access to the machines and the ports that they would need access to.
12-08-2016 06:04 PM
Hi,
In addition to specifying users or groups in your security rules, you could configure different IP address pools for different types of users (if you have PanOS 7.0+). This way, your staff can configure their servers or other equipment to let VPN connections coming from the staff pool, and not from the support organisation address pool.
Benjamin
12-11-2016 06:12 PM
@BPry wrote:The security policy with a specified source user would work perfectly fine, just make sure that you have the source zone setup correctly then setup the rule to only allow access to the machines and the ports that they would need access to.
hi.
OK, so the source zone would be the zone the VPN terminates on (outside zone), or the one it spits out into?
I'm figuring the former, but I could be shooting in the dark.
thanks
12-11-2016 06:13 PM
@baudy wrote:Hi,
In addition to specifying users or groups in your security rules, you could configure different IP address pools for different types of users (if you have PanOS 7.0+). This way, your staff can configure their servers or other equipment to let VPN connections coming from the staff pool, and not from the support organisation address pool.
Benjamin
hi.
Haven't upgraded to PanOS 7 yet, so this one's not going to work.
Thanks for suggesting, though.
12-12-2016 02:37 AM
Source zone would be the zone which you assigned to tunnel interface for GP users. You can also check logs and see ehich zone is assigned to GP users.
12-12-2016 06:48 PM - edited 12-12-2016 06:50 PM
@santonic wrote:Source zone would be the zone which you assigned to tunnel interface for GP users. You can also check logs and see ehich zone is assigned to GP users.
Thanks - looks like I'm out of luck - because the source zone and destination zone are the same. I might have to fiddle with moving the server into a different zone maybe.
No, scratch that - I'm an idiot.
I put in a rule to allow traffic to the given server - but forgot to put in one to deny everything else!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
