Cyber Elite

@thoffman,

Whatever you were looking at must have been older. If you wish to block the device from connecting you would simply add it under Device -> Device Quarantine, and at that point the device won't be able to connect to GlobalProtect anymore. https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-web-interface-help/device/device-device-quarant...

If you're looking to block an individual user, regardless of device, there are a few ways you can do so:
* Remove the user from the Gateway Agent configuration so they don't have a configuration to hand out. This would allow them to authenticate technically, but GlobalProtect won't connect as they don't have an assigned agent config. 

* Remove the user from the AD groups (assuming Active Directory) that actually power authentication. So as an example you might have an Authorized-VPN-Users security group that is attached to the Authentication Profile in the Allow List; simply remove that user from the associated groups.

* Create a specific Agent configuration for this user, above all other configs in the list, that gives them a blocked IP Pool. Anyone assigned this agent config could be allocated an IP Pool that simply has a deny entry at the beginning of your security rulebase, so that while they'll be allowed to "connect", they can't pass any network traffic.

* Set up a deny rule and just target their User-ID entry as the source-user and deny all of the traffic from that User-ID coming across your GlobalProtect security zones.
Removing them from the authentication profile so they simply can't authenticate is the "correct" answer for this, but any of these will technically work perfectly fine. 
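
The last option above, a deny rule keyed on the user's User-ID at the top of the rulebase, written out as PAN-OS CLI configure-mode set commands. This is an added example, not part of the original post or of Palo Alto Networks documentation: the rule name Block-GP-User, the zone name GP-VPN, the gateway name and the user example\jdoe are placeholders, and the final client-logout command is included on the assumption that its form matches your PAN-OS version (check it before relying on it).

```text
configure
set rulebase security rules Block-GP-User from GP-VPN to any
set rulebase security rules Block-GP-User source any destination any
set rulebase security rules Block-GP-User source-user "example\jdoe"
set rulebase security rules Block-GP-User application any service any
set rulebase security rules Block-GP-User action deny
set rulebase security rules Block-GP-User log-end yes
move rulebase security rules Block-GP-User top
commit
exit
request global-protect-gateway client-logout gateway <gateway-name> user jdoe domain example reason force-logout
```

Two things to watch: the source-user value must match the User-ID mapping exactly (domain\username, as it appears in `show user ip-user-mapping`), and a new deny rule only applies to sessions created after the commit, so a user who is already connected keeps their existing sessions until they are logged out or those sessions are cleared. Moving the rule to the top matters because an earlier allow rule for the GlobalProtect zone would otherwise match first.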