11-13-2019 05:01 AM
Hey,
I have a requirement from a customer for some users to always have the same IP when they connect to the VPN. For example, the IP pool for the GP clients is 192.168.x.110, where x will be 10-15 depending on which GP GW you are connected to.
I have managed to configure this using specific client settings; for example, for user A the IP pool is 192.168.10.10-192.168.10.10. The problem with this is that the clients use split tunnel, and if I follow this road I will need to configure all those access routes on each client setting, meaning that for adding 1 network on my LAN I will need to configure it on each GP GW and on each client setting, which can reach up to 100 changes for 1 network subnet.
I have seen the registry key for the reserved IP address, but what happens if the user connects to the PA on another site where this IP is not relevant?
I have also seen the "retrieve framed ip address attribute from authentication server" option but cannot find documentation on how it works. I think it might be a solution. Clients authenticate with SAML to the GP GW, so if the framed IP will be a list of addresses and each GP GW will choose the IP according to the "authentication server ip pool"
Thanks
11-13-2019 10:19 AM
Hello there
A quick Google search shows that the Framed IP address comes from RADIUS authentication, with the auth server responding with the IP.
You are right, the Framed-IP-Address attributes are designed to give a fixed IP address to a user.
Basically you have two methods to give a fixed IP address to a user.
1. You can configure the Framed-IP-Address in the Network policy in NPS.
2. You can assign the static (fixed) IP address in the dial-in property of the user in AD from the Active Directory Users and Computers UI.
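What the Framed-IP-Address attribute mentioned in this reply looks like inside a RADIUS Access-Accept, as an added example that is not part of the original thread. The packet is constructed sample data (response authenticator zeroed and not verified), and the per-gateway pool CIDRs and the `usable_on_gateway` check are assumptions used to illustrate the multi-site concern raised in the question.

```python
import ipaddress
import struct

ACCESS_ACCEPT = 2        # RADIUS packet code (RFC 2865)
USER_NAME = 1            # attribute type (RFC 2865)
FRAMED_IP_ADDRESS = 8    # attribute type (RFC 2865)

def build_access_accept(identifier, attrs):
    """Build a constructed Access-Accept for the demo (authenticator zeroed)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    header = struct.pack("!BBH16s", ACCESS_ACCEPT, identifier,
                         20 + len(body), b"\x00" * 16)
    return header + body

def framed_ip(packet):
    """Return the Framed-IP-Address from an Access-Accept, or None if absent."""
    if len(packet) < 20:
        raise ValueError("short RADIUS packet")
    code, _ident, length, _auth = struct.unpack("!BBH16s", packet[:20])
    if code != ACCESS_ACCEPT or length < 20 or length > len(packet):
        raise ValueError("not a well-formed Access-Accept")
    pos = 20
    while pos + 2 <= length:
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("malformed attribute")
        value = packet[pos + 2:pos + a_len]
        if a_type == FRAMED_IP_ADDRESS:
            if len(value) != 4:
                raise ValueError("Framed-IP-Address must be 4 bytes")
            return ipaddress.IPv4Address(value)
        pos += a_len
    return None

def usable_on_gateway(packet, pool_cidr):
    """Hypothetical check: is the returned address inside this gateway's pool?"""
    ip = framed_ip(packet)
    return ip is not None and ip in ipaddress.ip_network(pool_cidr)

# Constructed sample: user "userA" with a fixed address of 192.168.10.10.
SAMPLE = build_access_accept(7, [
    (USER_NAME, b"userA"),
    (FRAMED_IP_ADDRESS, ipaddress.IPv4Address("192.168.10.10").packed),
])

if __name__ == "__main__":
    for pool in ("192.168.10.0/24", "192.168.11.0/24"):  # assumed site pools
        print(pool, framed_ip(SAMPLE), usable_on_gateway(SAMPLE, pool))
```

A single Framed-IP-Address value only fits the pool of one site, which is the same limitation the question raises for the reserved-IP registry key.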
11-13-2019 03:05 PM
Hello,
Just curious as to why they need the same IP address each time? Perhaps there is another method to achieve what you are looking for?
If you have specific policies for them, you can use User-ID instead, and then it doesn't matter what IP they get.
Regards,
02-10-2020 03:47 AM
If you are using a VPN server then you need a correct, proper static IP. The relevant bandwidth router will help you get smooth connectivity. You can set up the router with the help of linksys e1200 setup.
The static IP of your router and connection should match, otherwise there will be difficulty setting up the router. For any reason, you have to check the secure server.
05-02-2020 09:46 AM
Hey Steve,
Can you link any documentation about how and where I can configure the first option? I mean this one:
1. You can configure the Framed-IP-Address in the Network policy in NPS.
Best Regards,
Gyula
05-04-2020 06:53 AM
Does this help you out a little?
https://webframes.org/framed-ip-address-nps/
05-20-2020 01:46 AM
Hey,
He needs the same IP for some admin users, since the IP is open for access via some ACL according to their IP address.
The customer is using SAML; can we forward this information from Azure if we use SAML authentication?
03-04-2021 01:50 PM
In case anyone wants more info about this, a blog has been written about this subject here:
https://live.paloaltonetworks.com/t5/blogs/dotw-globalprotect-and-static-ip/ba-p/363051
Please be sure to check it out.