Separate IP pool config for two departments when connecting to global protect

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Separate IP pool config for two departments when connecting to global protect

L0 Member

 Is it possible to assign two different IP pools for two departments on one gateway, when the users connect to Global Protect VPN.?

Note: We don't have On-Prem ldap server to config User identification & group-mapping on firewall. We are using Azure AD. The client authentication is happening via SAML auth.

6 REPLIES 6

L6 Presenter

You can use Config Selection Criteria under the Gateway Agent configuration to select a different Gateway profile with a different IP pool, based on user. But I am not sure if you can extend that to groups... so it may be a bit of a management headache to do per user.

 

Alternatively, you could create another gateway and then send the first department to the first gateway and the second department to the second gateway via the Portal Agent configuration. That allows Config Selection Criteria based on user and/or user group. But you would need the PA integrated with your AD to be able to poll the user's group.

Cyber Elite
Cyber Elite

Hi @HCLCNNSecurity ,

 

The easiest way to accomplish what you want is to use the Config Selection Criteria under the Network > GlobalProtect > Gateways > Agent > Client Settings as @Adrian_Jensen mentioned.  It does support groups, but only LDAP, and you were clear that you did not have LDAP, only SAML.  If you want it working today, you can add each user to your 2 Client Settings (1 for each subnet).  If you don't have that many users, it shouldn't take too long.

 

I have to ask the question, "What do you want to use the separate IP pools for?"  If it is for the security policy, may I suggest configuring the users there instead?  That would save the step of configuring the gateway.

 

Another thing you could try is to create 2 Dynamic User Groups for each department.  You could manually assign the users the tags under Objects > Log Forwarding > Add > Log Type = auth > Filters.  The tags would match the DUGs.  You could then use the DUGs in the security policy, gateway client setting, or both.

 

I know!  This could be a lot of work!  The best solution would be group mapping to support SAML as many customers are moving to Azure AD.  Another alternative if you want to query Azure AD via LDAP is to purchase Azure AD Domain Services or perhaps build a DC with Azure AD Connect.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

Hi Tom,

 

One of the departments is using an application which require directional policy connection like from Trust Zone to GlobalProtect Zone & vice-versa. So, we don't want to allow the traffic from Trust to Global protect for all departments. It's better to allow this for that One department only.

Cyber Elite
Cyber Elite

Hi @HCLCNNSecurity ,

 

Very cool.  So you could do it through separate IP addresses or just put the users in the security policy.  I wonder if Cloud Identity Engine would be able to get your Azure AD groups?  https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-new-features/identity-features/cloud-identity-e...  I haven't used it yet.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

L1 Bithead

Hi @HCLCNNSecurity - Just curious, what did you end up doing to accomplish this task?  I am having a similar issue.  I am using SAML and I have an "any" user config which works fine.  But I am trying to add a more restrictive config above that one, which contains specific users or groups, and cannot get it to work. I see that Security Policy might be the way to go according to Tom...

L1 Bithead

Hi... Yes with SAML you can (or must) go via Idendity Engine. We build it in our company that way. You get the Assigned Groups then via CIE...

  • 4162 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!