How to configure GlobalProtect so that the user chooses which VPN profile/group to connect to?


L0 Member

As part of migrating from AnyConnect VPN to GlobalProtect remote access VPN:

Use Case:

We are using Azure AD for authentication and the GlobalProtect authentication profile is configured to use Azure AD for SSO authentication;

We want remote users to use GlobalProtect remote access VPN to access enterprise data center resources;

A GlobalProtect Portal and GlobalProtect Gateway are configured on a pair of PA5260 firewalls in HA;

Each Active Directory user group has its own VPN profile, where each VPN profile has its own assigned IP pool;

When members of the group connect to the VPN, they should be getting IP addresses only from the ranges assigned to the pool;

We have users that are a member of multiple Active Directory groups (which means a user can be a member of multiple VPN profiles);

When a user connects to a different VPN profile, the user should get an IP address from the designated pool;


We want to accomplish:

The firewall rules on the data center firewalls are set up to permit or deny users based on the IP pool assigned to the VPN profiles (basically based on the group in Active Directory).

In the GlobalProtect configuration, how do we make users choose which VPN profile/group to associate with while they are establishing the VPN connection?

I might not be explaining the problem very well here, but please let me know if you have any questions.


Thank you

1 ACCEPTED SOLUTION

Accepted Solutions

L3 Networker

Hi @Dereje ,


What you are describing is a very standard way of doing things with Cisco AnyConnect.  Because GlobalProtect (GP) users are automatically added to User-ID (the NGFW knows their name and IP at login), the firewall rules do not have to permit or deny users based on the IP pool.  You can replace the IP pools in the firewall rules with user groups.  In that way, if a user is a member of multiple groups, they will match multiple rules and have all the access they need without having to select (or change) a profile.  The only piece you need to add (if you haven't done so already) is group mapping via LDAP or the Cloud Identity Engine (PAN-OS 10.1).  For group mapping, make sure you configure the Primary Username under User Attributes because it will standardize the format of users so that it is consistent across multiple User-ID sources.


You can assign separate IP pools based upon groups under the GP gateway > Agent > Client Settings, but I do not know how users can select their own "profile."


Thanks,


Tom

Help the community: Like helpful comments and mark solutions.
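To make the mechanism in Tom's answer concrete, here is an added Python model of it (not PAN-OS code and not from the original thread): User-ID maps the client's IP to a username, the Primary Username step normalises UPN and domain\sam forms to one key, group mapping turns that key into AD groups, and the rules match on group rather than on IP pool. All usernames, groups, IPs and rule names are constructed sample values; treating the UPN suffix as the NetBIOS domain "acme" is an assumption.

```python
import ipaddress

# Constructed group mapping, keyed by the normalised Primary Username form.
GROUP_MAPPING = {
    "acme\\jdoe": {"acme\\vpn-dc-admins", "acme\\vpn-erp-users"},
    "acme\\asmith": {"acme\\vpn-erp-users"},
}

# Constructed User-ID table: IP handed out by any GP pool -> username as the
# source reported it (SSO often sends a UPN, LDAP a NetBIOS domain\sam name).
USER_ID = {
    "10.10.1.7": "jdoe@acme.com",
    "10.10.2.22": "ACME\\asmith",
}

# Constructed security rules keyed by source-user group, not by IP pool.
RULES = [
    {"name": "vpn-to-dc-mgmt", "source_user": "acme\\vpn-dc-admins", "dest": "10.50.0.0/24"},
    {"name": "vpn-to-erp", "source_user": "acme\\vpn-erp-users", "dest": "10.60.0.0/24"},
]


def primary_username(name, domain="acme"):
    """Normalise UPN, NetBIOS\\sam and bare sam forms to lower-case domain\\sam.

    Assumption for this example: the UPN suffix belongs to the NetBIOS domain
    given by `domain`; a real deployment derives this from the LDAP profile.
    """
    if "@" in name:
        sam, _ = name.split("@", 1)
        return f"{domain}\\{sam.lower()}"
    if "\\" in name:
        dom, sam = name.split("\\", 1)
        return f"{dom.lower()}\\{sam.lower()}"
    return f"{domain}\\{name.lower()}"


def matching_rules(client_ip, dest_ip, normalise=True):
    """Rules a VPN client matches for dest_ip, whatever pool its IP came from.

    With normalise=False the raw User-ID name is used for the group lookup,
    which shows why an unconfigured Primary Username silently matches nothing.
    """
    user = USER_ID.get(client_ip)
    if user is None:
        return []  # no User-ID mapping: no group-based rule can match
    key = primary_username(user) if normalise else user
    groups = GROUP_MAPPING.get(key, set())
    dst = ipaddress.ip_address(dest_ip)
    return [r["name"] for r in RULES
            if r["source_user"] in groups and dst in ipaddress.ip_network(r["dest"])]
```

A user in two groups matches both rules without selecting a profile, and a client whose IP has no User-ID entry or whose name was not normalised matches none of them (fail-closed, but worth checking in the traffic log when "VPN works but access is denied").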
