Multiple GlobalProtect profiles based on LDAP groups

Showing results for 
Show  only  | Search instead for 
Did you mean: 

Multiple GlobalProtect profiles based on LDAP groups

L0 Member

I have tried multiple searches, but can't seem to find the answer that I am looking for.  I am migrating from Cisco ASA firewalls to a PA-440.  The PA-440 is running PanOS 10.1.6-h6.  On the Cisco we have multiple VPN profiles.  Each profile has access to only specific networks and/or hosts.  When you initiate a VPN session, you select the session that you need (usually based on job function). We you are connected, you only have access to the systems that you need.


I have the PA-440 running mostly isolated.  The management interface is connected to the LAN.  I can connect a laptop to the WAN interface and connect to GlobalProtect using my domain credentials.  If can browse my AD groups in Device > User Identification > Group Mapping Settings, and add a group. 


When I go into the Network > GlobalProtect > Gateways > *mygateway* > Agent > *myagent* > Config Selection Critia and try to add the mapped group in the Source User block Global protect stops workings.  When I clock on Ok, it replaces the mapped group (domain\group) with the full LDAP bind string.


What am I missing?


L0 Member

I'm playing around while I am waiting for answers and I am beginning to think maybe security policies based on LDAP user groups is the way to go.  The only issue is I have a group that needs a different IP address then the rest of my users.  It looked like they way to go was to create a special Agent in a Gateway Configuration but when I do that based on defined group mapping (LDAP) the VPN client won't connect.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!