In my previous article, "GlobalProtect: Expanded Setup," we covered the expanded setup of GlobalProtect, which included multiple authentication types, as well as the creation of an internal gateway.
In this post, we are going to modify security policy matching based on user identity and device context provided via the GlobalProtect app. We will also enable notifications to the end user based on the endpoint's compliance status. You can see a diagram of the environment here.
Leveraging user identity and device context in security policy, along with end-user notifications, allows for greater visibility and more granular control over what users can access. This same methodology applies regardless of user location, and best practice dictates that it should be leveraged wherever possible. If a user falls outside the requirements for accessing a resource, they can be notified or matched to a different rule that provides the minimum level of access needed to become compliant.
NOTE: This article assumes that you have already followed the previous articles in this series.
You should also be able to see rule matches via the Traffic logs.
In my next article, "GlobalProtect: Authentication Policy with MFA," we will configure authentication policy with MFA for both HTTP and non-HTTP access to sensitive resources.