Showing results for 
Show  only  | Search instead for 
Did you mean: 

Who rated this post

Cyber Elite
Cyber Elite

Hi @Dereje ,


What you are describing is a very standard way of doing things with Cisco AnyConnect.  Because GlobalProtect (GP) users are automatically added to User-ID (the NGFW knows their name and IP at login), the firewall rules do not have to permit or deny users based on the IP pool.  You can replace the IP pools in the firewall rules with user groups.  In that way, if a user is a member of multiple groups, they will match multiple rules and have all the access they need without having to select (or change) a profile.  The only piece you need to add (if you haven't done so already) is group mapping via LDAP or the Cloud Identity Engine (PAN-OS 10.1).  For group mapping, make sure you configure the Primary Username under User Attributes because it will standardize the format of users so that it is consistent across multiple User-ID sources.


You can assign separate IP pools based upon groups under the GP gateway > Agent > Client Settings, but I do not know how users can select their own "profile."





Help the community: Like helpful comments and mark solutions.

View solution in original post

Who rated this post