01-26-2023 11:15 AM
I am not familiar with Cisco AnyConnect (I have used Cisco ASA a tiny bit for site-to-site and user VPNs, but never did any user-side config), but from your description I believe you are right. The GP Portal sets all the user-side restrictions and options. There are a couple of user configuration options through the GP Gateway (user VPN IP address, split tunnel networks, etc.), but everything else comes from the GP Portal.
The basic config options for the user can be found under:
Network -> GlobalProtect -> Portals -> [portal_config] -> Agent -> [agent_config] ->
App - GP client settings including VPN mode (on-demand/always-on), Portal config lifetime, password policies, user bypass options, etc.
External - GP Gateways the client will connect to with preference/geolocation options
Internal - Internal network VPN bypass and internal gateways for HIP data collection
Network -> GlobalProtect -> Gateways -> [gateway_config] -> Agent -> Client Settings -> [client_config] ->
Authentication Override - whether to accept/generate cookies for overriding user authentication for Portal/Gateway login
IP Pools - IP subnet to allocate client VPN IPs from
Split Tunnel - Networks/domains to always split-tunnel and exclude from forcing through the VPN
Network -> GlobalProtect -> Gateways -> [gateway_config] -> Agent -> Network Services - client DNS servers
Network -> GlobalProtect -> Gateways -> [gateway_config] -> Agent -> Connection Settings - GP Gateway connection lifetime