Is it possible to share which Globalprotect VPN address was assigned to which user/real client ip address to other systems?

L3 Networker

Hello to All,

I am interested: if Palo Alto is used as the GlobalProtect VPN solution but after it there are other systems that may benefit from user group policies, how can this be done?

The issue is that after the VPN the customer will be seen with the VPN IP address and not the original IP address, so I don't think that the Active Directory can be used for resolving the IP-to-user mapping. I also don't think that GlobalProtect provides/writes the VPN-assigned IP address in the Active Directory during the LDAP/RADIUS authentication process of the client to the VPN, but maybe I'm wrong about this?

The option for the AD to assign the VPN address to GlobalProtect seems nice, but for 10000 users it does not seem feasible to assign a static IP address to each user in the Windows AD, and I did not find if you can configure the AD to not use a static IP address but a pool of addresses and then write which IP address it provided to GlobalProtect for VPN assignment.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008UkxCAE&lang=en_US%E2%80%A...

The other thing I thought of is to export the GlobalProtect logs to a syslog server and from there to get which VPN address was provided to which user or real client IP address (mapping between the VPN address and the real client IP address).


4 Replies

L7 Applicator

Our users regularly connect to GP VPN and then back onto the LAN. The User-ID agent is updated with both the user's LAN and the user's GP address, so there is no issue for us, as you can have several addresses assigned to any one user.

Perhaps you are set up in a different way, or maybe I have not understood your question correctly.

Yup, this is not my question. My question was how Palo Alto can share the user-to-VPN-IP-address mapping with other systems, not a specific question about internal configuration. I think that I have written it well: Palo Alto works well as a VPN solution, but the systems (that are not Palo Alto) after it may need a way to work with users and groups, but the IP address is no longer the real client IP address but the VPN address.

Does Palo Alto in some way inform the Microsoft AD server (and does the AD server write this information) about what the assigned VPN IP address to the client is during the client authentication to the GlobalProtect agent (for example, LDAP is used as the auth profile, so the firewall checks with the Microsoft AD)?

Cyber Elite

Hello,

It will not do this with Microsoft AD. As you already mentioned, the best way is to have the PAN send logs to a SIEM.

Regards,

From your reply I think that there is no way for the Palo Alto to send this info to the Microsoft AD and for the Microsoft AD to record it, and also I did not find that Microsoft has added a feature similar to providing a static IP address for the VPN to use (Framed-IP-Address attribute) but using a VPN pool on the Microsoft AD.

Thanks for confirming this.
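Here is what the SIEM-side half of the approach from the original post and the accepted reply can look like: replay the GlobalProtect log export in order, keep a current VPN-IP-to-user mapping that downstream systems can consume, and keep a session history for point-in-time lookups. This is an added example, not code from the thread or from Palo Alto Networks. The sample log lines are constructed; the column names (Receive Time, Event ID, Source User, Public IP, Private IP, Status), the event IDs gateway-connected and gateway-logout, and the success/failure status values are assumptions modelled on the PAN-OS GlobalProtect log fields, so a real syslog export has to be mapped onto them according to the configured log format.

```python
"""Derive the GlobalProtect VPN-IP -> user mapping from syslog-exported GP logs.

Constructed example: a SIEM-side replay of gateway connect/logout events that
keeps a current mapping (for downstream policy systems) and a session history
(for "who held this address at time T?" questions).
"""
import csv
import io
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

TS_FORMAT = "%Y/%m/%d %H:%M:%S"

# Constructed sample. Column names are modelled on the PAN-OS GlobalProtect log
# fields; the column order of a real syslog export depends on the configured
# log format, so the parser is header-driven rather than positional (assumption).
SAMPLE_LOG = """\
Receive Time,Event ID,Stage,Source User,Public IP,Private IP,Status
2024/03/01 08:00:12,gateway-login,login,corp\\alice,203.0.113.10,10.200.0.5,success
2024/03/01 08:00:13,gateway-connected,connected,corp\\alice,203.0.113.10,10.200.0.5,success
2024/03/01 08:05:40,gateway-login,login,corp\\bob,198.51.100.7,10.200.0.6,success
2024/03/01 08:05:41,gateway-connected,connected,corp\\bob,198.51.100.7,10.200.0.6,success
2024/03/01 09:30:00,gateway-logout,logout,corp\\alice,203.0.113.10,10.200.0.5,success
2024/03/01 09:31:15,gateway-login,login,corp\\carol,192.0.2.22,10.200.0.5,failure
2024/03/01 09:32:00,gateway-connected,connected,corp\\carol,192.0.2.22,10.200.0.5,success
"""


@dataclass
class Session:
    user: str
    public_ip: str   # real client address the user connected from
    vpn_ip: str      # address assigned from the GP pool
    start: datetime
    end: Optional[datetime] = None


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, TS_FORMAT)


def parse_gp_log(text: str) -> Tuple[Dict[str, Session], List[Session]]:
    """Replay log rows in order. Returns (active mapping by VPN IP, full history)."""
    active: Dict[str, Session] = {}
    history: List[Session] = []
    for row in csv.DictReader(io.StringIO(text)):
        if row.get("Status") != "success":      # failed logins never get an address
            continue
        ts = parse_ts(row["Receive Time"])
        event, user, vpn_ip = row["Event ID"], row["Source User"], row["Private IP"]
        if event == "gateway-connected" and vpn_ip:
            stale = active.pop(vpn_ip, None)
            if stale is not None:
                stale.end = ts                  # pool address reused without a logout seen
            session = Session(user, row["Public IP"], vpn_ip, ts)
            active[vpn_ip] = session
            history.append(session)
        elif event == "gateway-logout":
            session = active.get(vpn_ip)
            if session is not None and session.user == user:
                session.end = ts                # clear the mapping so a reused address is not misattributed
                del active[vpn_ip]
    return active, history


def who_had(history: List[Session], vpn_ip: str, at: str) -> Optional[Session]:
    """Point-in-time lookup: which session held vpn_ip at timestamp `at`?"""
    when = parse_ts(at)
    for session in history:
        if session.vpn_ip == vpn_ip and session.start <= when and (session.end is None or when < session.end):
            return session
    return None


def as_user_id_records(active: Dict[str, Session]) -> List[Tuple[str, str, str]]:
    """Flatten the current mapping to (vpn_ip, user, public_ip) rows for export."""
    return sorted((ip, s.user, s.public_ip) for ip, s in active.items())


if __name__ == "__main__":
    current, sessions = parse_gp_log(SAMPLE_LOG)
    for rec in as_user_id_records(current):
        print(rec)
    hit = who_had(sessions, "10.200.0.5", "2024/03/01 08:30:00")
    print("10.200.0.5 at 08:30 ->", hit.user if hit else None)
```

The point of replaying logouts rather than only collecting connects is the pool reuse in the sample: 10.200.0.5 belongs to alice in the morning and to carol after 09:32, so a system that only ever learned "10.200.0.5 = alice" would apply the wrong user policy (and the wrong attribution in an investigation) once the address is handed out again. The history keeps both sessions with their start and end times, and the failed login for carol is ignored because no address is assigned on failure.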

  • 1 accepted solution
  • 3901 Views
  • 4 replies
  • 0 Likes