Hi @Dereje,
What you are describing is a very standard way of doing things with Cisco AnyConnect. Because GlobalProtect (GP) users are automatically added to User-ID (the NGFW knows their name and IP at login), the firewall rules do not have to permit or deny users based on the IP pool. You can replace the IP pools in the firewall rules with user groups. In that way, if a user is a member of multiple groups, they will match multiple rules and have all the access they need without having to select (or change) a profile. The only piece you need to add (if you haven't done so already) is group mapping via LDAP or the Cloud Identity Engine (PAN-OS 10.1). For group mapping, make sure you configure the Primary Username under User Attributes because it will standardize the format of users so that it is consistent across multiple User-ID sources.
You can assign separate IP pools based upon groups under the GP gateway > Agent > Client Settings, but I do not know how users can select their own "profile."
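The group-based matching described in the reply above, as an added example that is not part of the original post and is not PAN-OS code: a simplified Python model in which one user in two groups matches two rules, and in which a User-ID source reporting a different username format only resolves to groups when names are standardized. All users, groups, addresses, rule names and the `normalize` switch are constructed for illustration.

```python
import ipaddress

# Simplified model of group-based rules with User-ID; all data is constructed.
# Each directory entry has one primary username plus other formats that
# User-ID sources may report for the same person.
DIRECTORY = [
    {"primary": "corp\\alice", "alternates": {"alice@corp.example", "alice"},
     "groups": {"vpn-finance", "vpn-it"}},
    {"primary": "corp\\bob", "alternates": {"bob@corp.example", "bob"},
     "groups": {"vpn-finance"}},
]
# IP-to-user mappings as learned at login, in whatever format the source used.
IP_USER = {
    "10.10.1.5": "alice@corp.example",
    "10.10.1.6": "corp\\bob",
}
# Rules keyed on user groups instead of IP pools, evaluated top-down.
RULES = [
    {"name": "finance-app", "group": "vpn-finance",
     "dst": "172.16.10.0/24", "action": "allow"},
    {"name": "it-mgmt", "group": "vpn-it",
     "dst": "172.16.20.0/24", "action": "allow"},
]

def groups_for(username, normalize=True):
    """Groups of a mapped user. With normalize=False only the primary format
    is recognised, modelling sources whose formats were never standardized."""
    name = username.lower()
    for entry in DIRECTORY:
        known = {entry["primary"]}
        if normalize:
            known |= entry["alternates"]
        if name in known:
            return entry["groups"]
    return set()

def evaluate(src_ip, dst_ip, normalize=True):
    """Return (rule name, action) for one session; first matching rule wins."""
    user = IP_USER.get(src_ip)
    groups = groups_for(user, normalize) if user else set()
    dst = ipaddress.ip_address(dst_ip)
    for rule in RULES:
        if rule["group"] in groups and dst in ipaddress.ip_network(rule["dst"]):
            return rule["name"], rule["action"]
    return "default", "deny"

if __name__ == "__main__":
    for src, dst in [("10.10.1.5", "172.16.10.8"), ("10.10.1.5", "172.16.20.8"),
                     ("10.10.1.6", "172.16.20.8")]:
        print(src, "->", dst, evaluate(src, dst))
```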