Is there a way to assign a static IP to a global protect user? I have a couple security policies that specify userids in the source, but the policies are not getting picked up. They are dropping to the default deny. I verified that the userid shown on the traffic monitor matches the rule, but it is not working. I was thinking that if I 'assigned' an IP to them when they connected via Global Protect I can write the rule using their source IP.
I'd personally be looking at fixing the user-id policy issue. If the logs are showing the user properly than outside of a bug something else in your policy is causing it to not match properly.
As for a static assignment there is actually two ways to do this:
Personally, I would recommend going the Framed-IP-Address method if you are looking for static IP assignments. It's easier to maintain and you don't need to be monkeying around with the registry on every machine the user possibly uses, you just assign the machine object or the user a dial-in static address and be done with it.
It's impossible to protect an environment unless you know where users will and will not require access to. I'm a strong believer in the concept of least authority. This means that I'll only provide access to the areas that are absolutely necessary. If they do not need it now , but they might need it in the future then give it in the future. Allowing access to more users than completely necessary will expose you up to security risks which are best left secure.
In addition, using a specific zone only for VPN users is beneficial as well. While you can utilize an existing zone and subnet creating VPN users in their own subnet and zone is a way to make the security and security of users easier to manage and allows you to be more precise in your security.
My experience has observed that it's easier to use a subnet that is specifically designed for your users when setting up VPN access. Try to set up a subnet set up in an existing zone will be problematic at the very least.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!