09-22-2021 11:25 AM
GP on the fw is setup and working. I have a group of users i need to isolate from everyone else - most of the time.So if they use the url vpn1.mydomain.com they get IP Pool X and specific X policies. If they use url vpn2.mydomain.com they get IP Pool Y and specific Y policies.
It seems like i should be able to setup multiple portals and gateways on an interface but i want some confirmation before i start working with a production environment.
09-22-2021 11:56 AM
Hi @GFN182 ,
The straightforward solution is to use source user in the security policy to isolate the users without having to build multiple gateways. GP has User-ID built-in. I like keeping all of my security configuration in one place.
Thanks,
Tom
09-22-2021 12:15 PM
I would go with @TomYoung suggestion.
just one portal with one gateway, then the gateway can have many configs that can differentiate between users vi user-id and distribute ip as required.
or just have the same gateway for all and base your policies on user-id only.....
09-22-2021 12:24 PM
Unless the authentication needs to be different, you can definitely stick to one portal.
Each gateway can have multiple configurations based on user group membership so you can assign different subnets to each user group.
In addition you can reuse those user groups in security rules to limit which access each group gets
If they need to be able to choose when they take certain access, you can set up 2 gateways on the one portal and allow them to pick which one to connect to manually. You can then assign them one IP pool on one gateway and another on the second gateway, then set security rules that allow them access based on user group and source subnet
09-22-2021 12:26 PM
I’m not sure why you would want to do that... could you explain why as it may assist in finding another solutiom.
09-22-2021 12:32 PM - edited 09-22-2021 12:32 PM
Hi @GFN182 ,
Use groups in your security policy. You will need to configure group mapping, but with groups a single user can match multiple security policy rules. The user does not have to change gateways for different access rights.
Thanks,
Tom
09-22-2021 12:58 PM
Except i would belong to both groups
09-22-2021 01:30 PM
One portal, two gateways
GW1. Regular users and caseA access to production, IP poolA
GW2. CaseB access to cyber, IP pool B
Using two gateways allows manual selection to which environment to connect, security rules for user group and subnetA OR subnetB allow access to one or the other
For full segregation you could set up multiple virtual systems and host a gateway on each
09-22-2021 03:30 PM
Understood.
09-27-2021 07:21 AM
this sounds possible, i will give it a shot
01-28-2022 09:22 AM
I have different purpose (new certificate with different CN) to create a new/parallel portal&gateway (to keep the change transparent for end user/and to keep easy revert back possibilities in worst case), so when i try to create a new por+gw by adding new pub-IP on same internet interface, using new certificate, using new client iP pool range, i get below error while pushing the policy,
. SSLVPN: Invalid IPv4 pool value: xxxxxxxxxxxxxxxxxxx
. (Module: rasmgr)
. SSLVPN: failed to parse IP pool in tunnel xxxxxxxxxxx
. (Module: rasmgr)
. Parsing GlobalProtect gateway multi user configs failure
. (Module: rasmgr)
. Commit failed
I checked multiple times that there is no overlapping of client subnet that i am using, and subnet value is also perfect, its large enough, tried with /24, /22, but still not sure why its giving above error.
Is it possible to configure two portal/gateway on same interface but with two different pub IPs and different tunnel interface and different client IP ranges ?
01-28-2022 01:54 PM - edited 01-28-2022 01:57 PM
you can't use two ip's on the same interface. Use a loopback interface to achieve your goals.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
