Allow GlobalProtect users from different countries based on user group
Created On 07/17/22 16:53 PM - Last Modified 03/14/23 02:29 AM
Objective
- Allow users in the executives group to connect to GlobalProtect from any country
- Restrict all other users to connecting from a single country (in this example, Australia)
Environment
- Palo Alto Networks firewall
- Supported PAN-OS
- GlobalProtect portal
Procedure
Prerequisites:
- Preconfigure the user groups for executives and for all other users. In this example, LDAP is used for authentication: the groups "executives" and "gp-users" exist in Active Directory, and group mapping (Device > User Identification > Group Mapping Settings) is configured on the firewall so that the portal can match on those groups.
- Log in to the firewall web interface.
- GUI: Device > Authentication Profile > Add. Create an authentication profile of type LDAP and, on the Advanced tab, set the Allow List to "all". The authentication profile only decides who may log in to the portal; the per-group country restriction comes from the agent configs below.
- Create an agent config for the "executives" group with Source Region set to Any:
- GUI: Network > GlobalProtect > Portals > edit the portal > Agent > add an agent config > Config Selection Criteria > User/User Group > add the "executives" group.
- External tab > External Gateways > Add > enter the gateway's public IP address or FQDN and set Source Region to "Any".
- Create an agent config for the "gp-users" group with Source Region set to Australia:
- GUI: Network > GlobalProtect > Portals > edit the portal > Agent > add an agent config > Config Selection Criteria > User/User Group > add the "gp-users" group.
- External tab > External Gateways > Add > enter the same gateway's public IP address or FQDN and set Source Region to "Australia (AU)".
- Use the Move Up button so that the executives agent config sits above the gp-users agent config. The portal evaluates agent configs from top to bottom and applies the first one whose selection criteria match; if an executive is also a member of gp-users, an executives config placed lower in the list would never be reached and the executive would be restricted to Australia like everyone else.
- Click "OK" and commit the configuration.
Note: Gateway configuration is the same as for a regular GlobalProtect setup.
Note: Source Region is evaluated against the public IP address the client connects from, using the firewall's built-in region database. A gp-users member connecting from outside Australia still authenticates to the portal, but the agent config it receives contains no usable external gateway, so the tunnel cannot be established. Executives who travel are matched by the first agent config and keep access from any region.
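The following script is an added example and is not part of the original article or of any Palo Alto Networks tooling. It audits an exported running-config for the two properties the procedure depends on (the executives agent config is evaluated first, and the gp-users gateways are limited to AU) and replays the portal's first-match selection for sample clients to show why the ordering matters. The XML is constructed for the example; its element names (client-config/configs/entry, source-user/member, gateways/external/list/entry, priority-rule/entry with the region code as the entry name) follow the layout of an exported PAN-OS config as recalled here and should be verified against an export from your own firewall. The short group names are also a simplification; group-mapping entries in a real export are usually full LDAP distinguished names.

```python
"""Audit GlobalProtect portal agent-config ordering and Source Region split,
then replay the portal's selection logic for a few sample clients."""
import xml.etree.ElementTree as ET

# Constructed sample config, not an export from a real firewall. Element names
# follow the recalled layout of an exported PAN-OS running-config (assumption:
# verify against your own export). Region codes: "Any" or a two-letter code.
SAMPLE_CONFIG = """<config>
<devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
<global-protect><global-protect-portal><entry name="GP-Portal">
<client-config><configs>
  <entry name="executives-config">
    <source-user><member>executives</member></source-user>
    <gateways><external><list>
      <entry name="GP-Gateway">
        <fqdn>gp.example.com</fqdn>
        <priority-rule><entry name="Any"><priority>highest</priority></entry></priority-rule>
      </entry>
    </list></external></gateways>
  </entry>
  <entry name="gp-users-config">
    <source-user><member>gp-users</member></source-user>
    <gateways><external><list>
      <entry name="GP-Gateway">
        <fqdn>gp.example.com</fqdn>
        <priority-rule><entry name="AU"><priority>highest</priority></entry></priority-rule>
      </entry>
    </list></external></gateways>
  </entry>
</configs></client-config>
</entry></global-protect-portal></global-protect>
</entry></vsys></entry></devices>
</config>"""


def load_agent_configs(xml_text):
    """Return agent configs in evaluation order as (name, user_groups, {gateway: regions})."""
    root = ET.fromstring(xml_text)
    configs = []
    for cfg in root.iterfind(".//global-protect-portal/entry/client-config/configs/entry"):
        users = {m.text.strip() for m in cfg.iterfind("source-user/member")}
        gateways = {}
        for gw in cfg.iterfind("gateways/external/list/entry"):
            # Each priority-rule entry is keyed by the Source Region it applies to.
            gateways[gw.get("name")] = {r.get("name") for r in gw.iterfind("priority-rule/entry")}
        configs.append((cfg.get("name"), users, gateways))
    return configs


def select_agent_config(configs, user_groups):
    """First match wins: the portal walks agent configs top to bottom and applies
    the first whose User/User Group criteria match ("any" matches every user)."""
    for name, users, gateways in configs:
        if "any" in users or users & set(user_groups):
            return name, gateways
    return None, {}


def reachable_gateways(gateways, client_region):
    """External gateways whose Source Region is Any or equals the client's GeoIP region."""
    return sorted(gw for gw, regions in gateways.items()
                  if "Any" in regions or client_region in regions)


def evaluate(configs, user_groups, client_region):
    """(selected agent config, gateways the client may connect to)."""
    name, gateways = select_agent_config(configs, user_groups)
    return name, reachable_gateways(gateways, client_region)


def audit(configs, unrestricted="executives", restricted="gp-users", allowed_region="AU"):
    """Findings against the article's objective; an empty list means it is implemented."""
    findings, position = [], {}
    for index, (name, users, gateways) in enumerate(configs):
        if unrestricted in users:
            position[unrestricted] = index
            for gw, regions in gateways.items():
                if "Any" not in regions:
                    findings.append(f"{name}: gateway {gw} is not open to Source Region Any")
        if restricted in users:
            position[restricted] = index
            for gw, regions in gateways.items():
                extra = regions - {allowed_region}
                if extra:
                    findings.append(f"{name}: gateway {gw} also allows regions {sorted(extra)}")
    if unrestricted not in position or restricted not in position:
        findings.append("no agent config found for one of the two groups")
    elif position[unrestricted] > position[restricted]:
        findings.append(f"{unrestricted} config is below {restricted} config; first match wins")
    return findings


if __name__ == "__main__":
    configs = load_agent_configs(SAMPLE_CONFIG)
    for groups, region in [(["executives", "gp-users"], "US"), (["gp-users"], "US"), (["gp-users"], "AU")]:
        print(groups, region, "->", evaluate(configs, groups, region))
    print("audit:", audit(configs) or "no findings")
    print("audit with the two configs swapped:", audit(list(reversed(configs))))
```

Running the script shows the executive who is also in gp-users getting the gateway from the US, the plain gp-user getting no gateway from the US but one from AU, and the audit flagging the swapped order in which the executive would be caught by the gp-users config first.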