11-23-2022 07:38 AM
Hi,
We currently have GlobalProtect integrated with Azure MFA using SAML and it works flawlessly.
https://learn.microsoft.com/en-us/azure/active-directory/saas-apps/palo-alto-networks-globalprotect-...
Now, we would like to offer a different IP pool depending on the user account. When I check in the MONITOR for connections using that VPN gateway, I see the different corporate email addresses in the SOURCE USER column. This email address is the one used to make the authentication via Azure MFA.
At this point, my approach was to create a new Agent --> client setting in the gateway portal. In the 'Config Selection Criteria' I included my corporate email address as SOURCE USER. No errors were shown, so I clicked OK and commit. I also included a different IP pool range to filter connections later on with dedicated policies.
Surprisingly, after the change was applied and I reconnected, I still get an IP address from the old IP pool, the one with 'any' on its client settings. It seems like my user name did not match for some reason. (see attachment)
We have a PA-850 running version 10.1.3.
Thanks