VSYS with Shared Gateway and Existing Global Protect



L3 Networker

We have a 3050 with one VSYS that is connected to an ISP with one IP address; we also use this VSYS for user VPN (Global Protect). All is working fine, but we will be adding another VSYS to segregate another department’s Internet traffic. I would like both VSYS to share the same Internet and IP, but I’m concerned, if I read correctly, about our existing Global Protect VPN configuration and the Shared Gateway being a problem.


I appreciate any help or insight.

Jeff

Passionate about network infrastructure and all things Palo Alto Networks.
1 accepted solution

Accepted Solutions

L3 Networker

Jeff,


You are correct that there can only be one VPN Profile/Gateway per IP (I believe it is just the gateway side).

I am not an expert at making VSYS interact with each other properly, but from what you are describing (and having a 3050) it may make more sense to put the GP on its own VSYS and set up multiple profiles within both the GP Profile & Gateway to force different departments to different traffic (we use Group Policy for allowing VPN access). The bottom line with GP is that you allow access to connect, but it is the security rules that allow access to different components, so using the same VPN but different AD groups with security rules and GP Profile/Gateway rules will allow you to limit both what IPs are displayed and what they are allowed to access.


Brian

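As an added example (not code from this thread, from Palo Alto Networks, or from PAN-OS itself), the following Python script checks the constraint Brian states above, one GlobalProtect gateway per local interface/IP, against a PAN-OS XML configuration export that contains more than one vsys, so you can see before committing whether a second vsys would try to bind a gateway to the address the first vsys already uses. The element paths (`devices/entry/vsys/entry/global-protect/global-protect-gateway/entry/local-address/interface` and `.../local-address/ip/ipv4`) are my assumption about the config schema and should be confirmed against an export from your own firewall (for example the output of `show config running`); the sample XML is constructed for the example.

```python
"""Audit a PAN-OS XML config export for GlobalProtect gateways that share
a local interface/IP across vsys.

Added example; not from the forum thread or from Palo Alto Networks.
Assumed schema paths (verify against a real export):
  devices/entry/vsys/entry/global-protect/global-protect-gateway/entry
    local-address/interface      -> e.g. ethernet1/1
    local-address/ip/ipv4        -> e.g. 203.0.113.10/24
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample: two vsys, each with a GP gateway bound to the same
# interface and address. Addresses use the RFC 5737 documentation range.
SAMPLE_CONFIG = """<config>
  <devices>
    <entry name="localhost.localdomain">
      <vsys>
        <entry name="vsys1">
          <global-protect>
            <global-protect-gateway>
              <entry name="gp-gw-corp">
                <local-address>
                  <interface>ethernet1/1</interface>
                  <ip><ipv4>203.0.113.10/24</ipv4></ip>
                </local-address>
              </entry>
            </global-protect-gateway>
          </global-protect>
        </entry>
        <entry name="vsys2">
          <global-protect>
            <global-protect-gateway>
              <entry name="gp-gw-dept">
                <local-address>
                  <interface>ethernet1/1</interface>
                  <ip><ipv4>203.0.113.10/24</ipv4></ip>
                </local-address>
              </entry>
            </global-protect-gateway>
          </global-protect>
        </entry>
      </vsys>
    </entry>
  </devices>
</config>"""


def gateway_bindings(xml_text):
    """Return a list of (vsys, gateway, interface, ipv4) for every
    GlobalProtect gateway found in the export (assumed schema paths)."""
    root = ET.fromstring(xml_text)
    bindings = []
    for vsys in root.iterfind("./devices/entry/vsys/entry"):
        for gw in vsys.iterfind(
            "./global-protect/global-protect-gateway/entry"
        ):
            iface = gw.findtext("./local-address/interface") or ""
            ipv4 = gw.findtext("./local-address/ip/ipv4") or ""
            bindings.append((vsys.get("name"), gw.get("name"), iface, ipv4))
    return bindings


def find_collisions(bindings):
    """Group gateways by (interface, ipv4) and return only the groups
    that hold more than one gateway, i.e. the bindings that would clash
    under the one-gateway-per-IP rule."""
    by_addr = defaultdict(list)
    for vsys, name, iface, ipv4 in bindings:
        by_addr[(iface, ipv4)].append(f"{vsys}/{name}")
    return {addr: gws for addr, gws in by_addr.items() if len(gws) > 1}


def report(xml_text):
    """Human-readable summary: one line per colliding address."""
    lines = []
    for (iface, ipv4), gws in sorted(find_collisions(
            gateway_bindings(xml_text)).items()):
        lines.append(f"{iface} {ipv4}: {', '.join(gws)}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_CONFIG) or ["no colliding GP gateways"]:
        print(line)
```

Run it against a saved export rather than the constructed sample to audit a real box; a non-empty report means the second vsys cannot simply get its own gateway on the shared address, which is the situation the accepted answer addresses by keeping a single gateway and separating departments with AD-group-based security rules instead.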

2 Replies

L3 Networker

Bumping for any help.

Thank you.

Jeff



  • 1 accepted solution
  • 2593 Views
  • 2 replies
  • 0 Likes