Hi All, We are using GlobalProtect for VPN connection to our internal network along with an on-prem PA Firewall. We want to be able to block traffic from regions we wouldn't normally do business in, but occasionally have the ability to make a USER-BASED exception to the block so that if USER A is traveling abroad to China, we can allow USER A to connect to GlobalProtect from China while maintaining a block on all other traffic from China.

I thought this would be as simple as setting a rule above our GeoLocation block allowing traffic for USER A from Source China with Destination application being GlobalProtect. Unfortunately that rule doesn't work, and my understanding from discussing with TAC is that this is because the user is not able to authenticate to the Firewall prior to being blocked by the GeoLocation rule (essentially the allowance has no way of knowing USER A is USER A before he connects through GlobalProtect, and USER A can't connect through GlobalProtect because the GeoLocation block prevents him).

We've been going back and forth with TAC as well as an SE, but as yet do not have a solution. I can't imagine this is an uncommon scenario, so wondering what others may have done to address this. We have been able to bypass the GeoBlock by putting in an IP-based allowance, but this is problematic as the IP changes frequently. Anyone else had this scenario and found a way to resolve?
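To make the rule-ordering problem described in the post concrete, here is an added toy model of a first-match rulebase. It is my own Python, not PAN-OS code, not configuration from the thread, and not a description of how PAN-OS sources User-ID internally. It assumes a simplified rule schema (country, application, source user, source IP), constructed TEST-NET addresses, a placeholder country label "CN", and a placeholder user name "usera". The point it shows is the one TAC gave: before the tunnel is up the source user is unidentified, so a rule with a user condition can never match the connection attempt and evaluation falls through to the geo block; an IP-based allow matches because it needs no user identity, which is why that workaround succeeds but depends on the roaming address.

```python
"""Toy first-match security-policy evaluator (added example, not PAN-OS).

A rule with a source-user condition can only match a session whose user is
already identified. A GlobalProtect connection attempt arrives before any
user mapping exists, so such a rule is skipped and a geo block below it wins.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Session:
    src_ip: str
    src_country: str          # label attached by geolocation lookup
    app: str
    src_user: Optional[str] = None   # None = not yet identified (pre-auth)


@dataclass
class Rule:
    name: str
    action: str                                   # "allow" or "deny"
    countries: List[str] = field(default_factory=list)   # empty = any
    apps: List[str] = field(default_factory=list)        # empty = any
    users: List[str] = field(default_factory=list)       # empty = any
    src_ips: List[str] = field(default_factory=list)     # empty = any

    def matches(self, s: Session) -> bool:
        if self.countries and s.src_country not in self.countries:
            return False
        if self.apps and s.app not in self.apps:
            return False
        if self.src_ips and s.src_ip not in self.src_ips:
            return False
        # A user condition cannot match an unidentified session.
        if self.users and (s.src_user is None or s.src_user not in self.users):
            return False
        return True


def evaluate(rules: List[Rule], s: Session) -> Tuple[str, str]:
    """First matching rule decides; implicit deny at the end."""
    for r in rules:
        if r.matches(s):
            return r.name, r.action
    return "implicit-deny", "deny"


# Rulebase as the poster first tried it: user exception above the geo block.
POLICY_USER_EXCEPTION = [
    Rule("usera-exception", "allow", countries=["CN"],
         apps=["globalprotect"], users=["usera"]),
    Rule("geo-block", "deny", countries=["CN"]),
    Rule("allow-internet", "allow"),
]

# Rulebase with the IP-based workaround the poster described.
POLICY_IP_WORKAROUND = [
    Rule("usera-ip-allow", "allow", countries=["CN"],
         apps=["globalprotect"], src_ips=["203.0.113.10"]),  # constructed
    Rule("geo-block", "deny", countries=["CN"]),
    Rule("allow-internet", "allow"),
]

# Constructed session: roaming user's first packet to the GP portal/gateway.
PRE_AUTH_ATTEMPT = Session("203.0.113.10", "CN", "globalprotect")


def pre_auth_result() -> Tuple[str, str]:
    """User-based exception: identity unknown, geo block wins."""
    return evaluate(POLICY_USER_EXCEPTION, PRE_AUTH_ATTEMPT)


def post_auth_result() -> Tuple[str, str]:
    """Same rulebase once a user mapping exists (which never happens here,
    because the pre-auth deny prevents the tunnel that would create it)."""
    identified = Session("203.0.113.10", "CN", "globalprotect", "usera")
    return evaluate(POLICY_USER_EXCEPTION, identified)


def ip_workaround_result() -> Tuple[str, str]:
    """IP-based allow needs no identity, so it matches pre-auth."""
    return evaluate(POLICY_IP_WORKAROUND, PRE_AUTH_ATTEMPT)


def ip_workaround_after_address_change() -> Tuple[str, str]:
    """The fragility the poster noted: a new roaming address misses the allow."""
    moved = Session("203.0.113.77", "CN", "globalprotect")
    return evaluate(POLICY_IP_WORKAROUND, moved)


if __name__ == "__main__":
    print("user exception, pre-auth :", pre_auth_result())
    print("user exception, post-auth:", post_auth_result())
    print("IP workaround, pre-auth  :", ip_workaround_result())
    print("IP workaround, new IP    :", ip_workaround_after_address_change())
```

The model deliberately has no notion of where a user mapping comes from; it only encodes that a rule carrying a user condition is unmatchable until one exists. That is enough to reproduce the chicken-and-egg the poster hit and to show why the IP allow both works and breaks when the address changes.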