03-15-2023 08:20 AM - edited 03-15-2023 08:52 AM
We have several Palo Alto firewalls in production now. We currently have client VPN going to Cisco ASAs. We are looking to move the VPN to the Palo Alto. I have been able to get a single VPN profile working. Before we can move to the Palo Alto, I need to figure out how to get the GlobalProtect VPN working similar to the ASA AnyConnect VPNs.
On the ASA we have two profiles that allow our users to connect. A user can connect to either profile. Users can only connect to one of the profiles if they are using a domain-joined computer. This check is done with Azure SAML login. A user can log in at https://ourrouter/vpn1 or https://ourrouter/vpn2. If the user has a domain-joined computer they will be allowed to log in to vpn1 and they will have full access to our network. If the user chooses to log in to vpn2 or does not have a domain-joined computer, once they log in, the computer has only RDP and DNS access to devices on our network.
We also have a vendor VPN at https://ourrouter/vendor. We have a couple of AD groups for the vendors. If an account is a member of the vendor1 group, they get allowed access to a couple of devices based on an ACL. If the vendor is in the vendor2 group they get another ACL. We can add more vendor groups and add an ACL for each of those groups.
How would we go about creating a similar configuration on the Palo Alto?
03-15-2023 08:23 PM
Hi @Mlhras0 ,
You can create 3 portals and gateways on your NGFW as long as you have 3 public IP addresses attached to 3 interfaces. They can be loopbacks.
You can control access through the security policy.
Since the separation is done in the security policy you could combine gateways 1 and 2. You could even combine all 3 into 1 portal and gateway, but that would require extra configuration.
Thanks,
Tom
03-16-2023 02:03 PM
Thanks, @Mlhras0!
I forgot to mention that HIP Profiles require a GP license.
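As an added illustration of the security-policy separation described in the reply above (not configuration from the thread, from Tom, or from Palo Alto's documentation), here is a PAN-OS set-command sketch with one tunnel zone per gateway, a HIP profile standing in for the ASA's domain-joined check, and per-vendor AD groups mapped to address groups. Zone names, address objects, the `corp\...` group names, the `corp.example` domain and the `source-hip` keyword (PAN-OS 10.x; earlier releases used `hip-profiles` on the rule) are all assumptions.

```text
# Assumed zones: GP-Corp = gateway 1 (tunnel.1), GP-Limited = gateway 2 (tunnel.2),
# GP-Vendor = gateway 3 (tunnel.3), Inside = the protected network. Lines beginning
# with '#' are commentary, not CLI input.

# Device lists each vendor group may reach (constructed sample addresses).
set address vendor1-host1 ip-netmask 10.10.1.10/32
set address vendor1-host2 ip-netmask 10.10.1.11/32
set address vendor2-host1 ip-netmask 10.10.2.20/32
set address-group AG-Vendor1-Devices static [ vendor1-host1 vendor1-host2 ]
set address-group AG-Vendor2-Devices static [ vendor2-host1 ]

# HIP object/profile: endpoint reports membership in the corporate domain.
# (HIP checks need the GlobalProtect license noted above; domain is an assumption.)
set profiles hip-objects HO-Corp-Domain host-info criteria domain is corp.example
set profiles hip-profiles HP-Corp-Domain match '"HO-Corp-Domain"'

# Rule 1: gateway 1 + domain-joined endpoint -> full access (ASA vpn1 behaviour).
set rulebase security rules GP-Corp-Full from GP-Corp to Inside source any destination any source-user "corp\vpn-users" source-hip [ HP-Corp-Domain ] application any service application-default action allow log-end yes

# Rule 2: anyone else on gateway 1 (HIP check failed) or anyone on gateway 2
# is limited to RDP and DNS (ASA vpn2 behaviour). Order matters: rule 1 must
# come first so domain-joined users on gateway 1 never fall through to this.
set rulebase security rules GP-Limited-RDP-DNS from [ GP-Corp GP-Limited ] to Inside source any destination any source-user "corp\vpn-users" application [ ms-rdp dns ] service application-default action allow log-end yes

# Rules 3-4: vendor gateway, one rule per AD group -> its own device list.
# Adding a vendor group = one address-group plus one rule, mirroring the ASA ACLs.
set rulebase security rules GP-Vendor1 from GP-Vendor to Inside source any destination AG-Vendor1-Devices source-user "corp\vendor1" application any service application-default action allow log-end yes
set rulebase security rules GP-Vendor2 from GP-Vendor to Inside source any destination AG-Vendor2-Devices source-user "corp\vendor2" application any service application-default action allow log-end yes

# Rule 5: explicit, logged deny for all VPN zones so anything not matched above
# (unknown vendor group, non-RDP traffic from a limited client) is visible in logs.
set rulebase security rules GP-Deny-All from [ GP-Corp GP-Limited GP-Vendor ] to Inside source any destination any application any service any action deny log-end yes
```

If gateways 1 and 2 are combined into one, drop GP-Limited from the zone lists and rules 1 and 2 still separate domain-joined from non-domain-joined clients by HIP alone.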