07-21-2025 09:49 AM
Hi All,
I have a unique scenario. We have a PA VM firewall in Azure. We use Azure VPN Gateway to allow users to VPN in if need be (mainly 3rd-party support) to get to services on the other side of the FW. The users' credentials authenticate against Azure AD using MFA. I need to know if there is a way to implement User-ID, or something similar, that will allow me to set specific policies on which user or group of users has VPNed in, using the groups they are in in Azure AD.
The user accounts are also replicated to on-prem AD, so I don't know if that helps with a solution.
Thanks
07-25-2025 06:18 AM
Hi JPope,
There is no native support for your scenario. Since you are authenticating via the Azure VPN Gateway using Azure Point-to-Site, only Azure knows the user-to-IP mapping and the Palo is not aware of this. I don't know your Azure landscape, but I am assuming you have deployed a hub-and-spoke topology inside Azure and your Palo is inside the hub. You could deploy a GlobalProtect gateway on your Palo Alto in Azure and use an Azure Application Gateway or external load balancer to publish the GlobalProtect portal/gateway out to the internet.
Then let your remote users use GlobalProtect and you will have all the info you need; of course, this would require a redesign of your topology.
Another approach is somehow getting the S2S VPN logs forwarded to your Palo Alto firewall. The theoretical approach would then be as follows; I don't see any reason why it won't work, but it will take time and effort.
Azure VPN Gateway
↓ enable (Diagnostic logs)
Log Analytics Workspace
↓ (queried by Azure Function)
Azure Function (Python)
↓
Palo Alto Firewall (User-ID XML API)
But in short no easy way of doing this.
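The Log Analytics to User-ID step of the pipeline sketched in the reply above, written out as an added example; this is not code from the thread or from Palo Alto Networks. The sample records are constructed to resemble rows an Azure Function might read back from a Log Analytics query over the gateway's P2S diagnostic logs (real column names differ and must be mapped), the CONTOSO domain prefix and UPN-to-sAMAccountName mapping are assumptions, and the firewall host and API key are placeholders. The message format (`<uid-message>` with `<login>`/`<logout>` entries, POSTed as `type=user-id`) is the documented PAN-OS User-ID XML API.

```python
"""Azure P2S VPN connection records -> PAN-OS User-ID XML API update.

Added example for the pipeline sketched in the reply above; it is not code
from the original thread or from Palo Alto Networks. The record layout, the
CONTOSO domain prefix, and the firewall host / API key are assumptions.
"""
import ipaddress
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Assumed NetBIOS name of the on-prem domain the firewall's LDAP group mapping
# reads. User-ID only matches groups when the login name is in the same format
# (domain\sAMAccountName here) as the names the group mapping produces.
DOMAIN_PREFIX = "CONTOSO"

# Constructed sample rows, shaped like what an Azure Function might get back from
# a Log Analytics query. Real P2S diagnostic rows carry different column names;
# map them onto these keys in the query or before calling build_uid_message().
SAMPLE_RECORDS = [
    {"time": "2025-07-21T09:00:01Z", "event": "Connected",    "user": "alice@contoso.com",   "assigned_ip": "172.16.201.5"},
    {"time": "2025-07-21T09:00:07Z", "event": "Connected",    "user": "vendor1@contoso.com", "assigned_ip": "172.16.201.6"},
    {"time": "2025-07-21T09:31:40Z", "event": "Disconnected", "user": "alice@contoso.com",   "assigned_ip": "172.16.201.5"},
    {"time": "2025-07-21T09:32:00Z", "event": "Connected",    "user": "bad user",            "assigned_ip": "not-an-ip"},
]


def normalize_user(upn: str) -> str:
    """Turn an Azure AD UPN into the domain\\user form the group mapping expects.
    Assumes sAMAccountName equals the UPN local part; verify this against your AD."""
    local, _, _domain = upn.partition("@")
    return f"{DOMAIN_PREFIX}\\{local}"


def latest_state(records):
    """Collapse a batch to the last event per (user, ip), so a reconnect later in
    the batch is not cancelled by an earlier disconnect. Rows with a bad IP,
    empty user or unknown event are returned separately instead of being sent:
    a wrong mapping attributes someone's traffic to the wrong user and policy."""
    state, skipped = {}, []
    for rec in sorted(records, key=lambda r: r.get("time", "")):
        user = (rec.get("user") or "").strip()
        try:
            ip = str(ipaddress.ip_address(rec.get("assigned_ip", "")))
        except ValueError:
            skipped.append(rec)
            continue
        if not user or any(ch.isspace() for ch in user) or rec.get("event") not in ("Connected", "Disconnected"):
            skipped.append(rec)
            continue
        state[(normalize_user(user), ip)] = rec["event"]
    return state, skipped


def build_uid_message(records, timeout_min=60):
    """Return (xml_string, skipped_records) for the User-ID XML API.
    The per-entry timeout bounds how long a stale login survives if a
    disconnect log is ever lost, which matters for third-party access."""
    state, skipped = latest_state(records)
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    login = ET.SubElement(payload, "login")
    logout = ET.SubElement(payload, "logout")
    for (name, ip), event in state.items():
        if event == "Connected":
            ET.SubElement(login, "entry", name=name, ip=ip, timeout=str(timeout_min))
        else:
            ET.SubElement(logout, "entry", name=name, ip=ip)
    return ET.tostring(root, encoding="unicode"), skipped


def parse_entries(xml_string):
    """Read a uid-message back as ({name: ip} logins, {name: ip} logouts)."""
    root = ET.fromstring(xml_string)

    def entries(tag):
        node = root.find(f"./payload/{tag}")
        return {e.get("name"): e.get("ip") for e in node.findall("entry")} if node is not None else {}

    return entries("login"), entries("logout")


def send_uid_message(xml_string, firewall_host, api_key, timeout=10):
    """POST the message to the PAN-OS XML API (type=user-id). The key goes in the
    X-PAN-KEY header rather than the query string so it does not land in proxy
    or load-balancer access logs. Host and key are placeholders; not run offline."""
    body = urllib.parse.urlencode({"type": "user-id", "cmd": xml_string}).encode()
    req = urllib.request.Request(f"https://{firewall_host}/api/", data=body,
                                 headers={"X-PAN-KEY": api_key}, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    message, dropped = build_uid_message(SAMPLE_RECORDS)
    print(message)
    print("skipped:", dropped)
    # send_uid_message(message, "fw.example.internal", "REPLACE_WITH_API_KEY")
```

Two firewall-side points to check before wiring this up: the admin role whose API key the function uses needs only the User-ID XML API permission, nothing more, and the group mapping the security policy references has to come from the on-prem AD copy of those accounts (LDAP group mapping), because the login name format chosen in `normalize_user` must match what that group mapping returns or no group-based rule will ever hit.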