- Get Started
- News & Events
- Collaboration
- Education Services
- Technologies
- Next-Generation Firewall
- GlobalProtect
- Threat Prevention Services
- Endpoint Protection
- SSL Decryption
- App-ID
- Content-ID
- User-ID
- 5G
- IoT Security
- Cloud Identity Engine
- Panorama
- AIOps for NGFW
Network Security
- Prisma Access
- Prisma Cloud
- Prisma SD-WAN
- Cloud NGFW for AWS
- CN-Series
- VM-Series:
- Private Cloud
- OCI
- Alibaba
- AWS
- GCP
- Azure
Cloud Security
- Cortex XDR
- Cortex XSOAR
- Cortex Data Lake
- Cortex Xpanse
Security Operations
- Resources
- COVID-19 Response Center
VPN CLIENT GLOBAL PROTECT, MANAGED WITH LDAP GROUPS
- LIVEcommunity
- Collaboration
- Discussions
- General Topics
- VPN CLIENT GLOBAL PROTECT, MANAGED WITH LDAP GROUPS
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
04-08-2019 05:11 AM - edited 04-08-2019 06:41 AM
Hello, I have a problem.
I just inherited a palo alto firewall.
I noticed that given a specific certificate and given the global protect client, every user of the ldap server can connect to the vpn.
I would like that only users in specific ldap groups could enter.
Let's say the groups come from active directory.
"domain"\user_group_allowed
"domain"\user_group_allowed_limited
how can I do that?
right now everyone on "domain" can open a vpn tunnel.
Could it be that what I'm looking for is under:
Device > Authentication Profile > Advanced > Allow list
and that I should Add the ldap groups there instead of "All" ?
Kindest Regards
Accepted Solutions
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
04-08-2019 07:24 AM - edited 04-09-2019 12:53 AM
should I select the portal
then click agent
then click the config
then under user user groups add the two ldap groups?
yes you can do that, or you can add config-1 and add group1
then add config-2 and add group2
i do a seperate config most of the time as i also use this to direct different groups to different gateways.
you can also use this to give users different portal configs.
so group-1 (std users) could have the portal nailed down
group-2 (admin users) could have the portal unrestricted and an extra couple of gateways....
if yours is just for network access restrictions then just use the same portal config.
perhaps if you explain what the difference is between groups then i could advise further but please note @BPry 's comments.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
04-24-2019 04:47 AM
And.......
make sure you have the domain name in the certificate profile "user domain" field.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
06-24-2021 11:38 AM
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
04-08-2019 05:27 AM
firstly, configure device\server profile\ldap with the required permissions
then, configure device\user identification\group mapping settings.
here you can add the groups that you want to use.
then, network\portals and in the agent\configs you can add the 2 groups, one to each config.
this will allow users in both groups to use the VPN but you can then add security policies for each group to either restrict or allow access to the network.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
04-08-2019 05:33 AM
Since you're saying that you just encountered the environment I would hold off on any access changes until you get a solid understanding of why it was configured in the way it was. Often in a new environment I see a lot of engineers make "big" changes as far as end-users are concerned, and that can be a massive turnoff from your users.
Find out what the users are connecting to and why. It could be that you simply need to utilizes Agent Configs on your gateway to seperate out the users in groups. One group might just get permission to remote into their computers, or potentially simply access email remotely; another group might rightfully need access to additional resources while working remotely.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
04-08-2019 07:15 AM
"then, configure device\user identification\group mapping settings.
here you can add the groups that you want to use."
Thank you very much.
How can I "then, network\portals and in the agent\configs you can add the 2 groups, one to each config."
should I select the portal
then click agent
then click the config
then under user user groups add the two ldap groups?
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
04-08-2019 07:24 AM - edited 04-09-2019 12:53 AM
should I select the portal
then click agent
then click the config
then under user user groups add the two ldap groups?
yes you can do that, or you can add config-1 and add group1
then add config-2 and add group2
i do a seperate config most of the time as i also use this to direct different groups to different gateways.
you can also use this to give users different portal configs.
so group-1 (std users) could have the portal nailed down
group-2 (admin users) could have the portal unrestricted and an extra couple of gateways....
if yours is just for network access restrictions then just use the same portal config.
perhaps if you explain what the difference is between groups then i could advise further but please note @BPry 's comments.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
04-24-2019 01:31 AM
Hmm, I'm doing something wrong.
I get this message: "user is not authorized to connect to Global Protect Portal."
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
04-24-2019 01:45 AM
in monitor/system it will show the username that is denied.
then in cli, show user group list
then in cli , show user group name "one of the groups from above" to make sure that user is deffo in that group.
it may be domain info mising so add the following to the portal/agent/config/user/user group to test.
firstly add user on its own fred smith
then if that fails, try domain\fred smith
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
04-24-2019 02:19 AM - edited 04-24-2019 02:24 AM
A: ok firstly, configure device\server profile\ldap with the required permissions
B: that seems fine
A:then, configure device\user identification\group mapping settings.
b:I added to the group include list the group domain\allowed_full
A: here you can add the groups that you want to use.
A: then, network\portals and in the agent\configs you can add the 2 groups, one to each config.
B: network\portals and in the agent\configs user/user group i added the group domain\allowed_full
A: this will allow users in both groups to use the VPN but you can then add security policies for each group to either restrict or allow access to the network.
A:in monitor/system it will show the username that is denied.
then in cli, show user group list
then in cli , show user group name "one of the groups from above" to make sure that user is deffo in that group.
it may be domain info mising so add the following to the portal/agent/config/user/user group to test.
firstly add user on its own fred smith
then if that fails, try domain\fred smith
B: The user is in the group, the check in the cli confirmed it. but I'm still getting "You are not authorized to connect to GlobalProtect Portal.", I can see the error in the monitor/system and it says: GlobalProtect portal client configuration failed. Login from: my_ip, Source region: IT, User name: test.
If I roll back to my previous configuration, user Test can log just fine.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
04-24-2019 02:33 AM
going back to the beginning...
could you confirm if you are still using certificate authentication.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
04-24-2019 02:35 AM
yes I am.
- Doubt regarding fullbackups firewalls managed from PANORAMA in General Topics
- Panorama migration from M-100 to M-200 in Panorama Discussions
- Global Protect - frequent drops with SQL Server Management Studio....not with Windows VPN in GlobalProtect Discussions
- Log Forwarding in General Topics
- Palo Alto Template Revert error in Panorama Discussions
Show your appreciation!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
