Friday, February 24, 2017

Palo Alto Networks - GlobalProtect - Part II

This post is a continuation of my last post. In the previous scenario, users needed to take corporate assets (laptops and the like) off-network, but management required that the same security posture enforced on-network also be enforced off-network. In this scenario, we build on the previous configuration to enforce different levels of access to corporate resources based on user group membership.

Note: This post assumes that you have already completed the steps listed in my previous post.

  • Navigate to Device -> Local User Database -> Users -> Add
    • Enter a Name and Password
    • Click OK
      • Repeat this a couple of times so that you have more than one account to test with.

  • Navigate to Device -> Local User Database -> User Groups -> Add
    • Enter a Name
    • Add a User
      • Repeat this a couple of times so that you have more than one group to test with.

  • Navigate to Network -> GlobalProtect -> Portal
    • Select the existing portal and navigate to the Agent tab
    • Change the Name of the existing Config to match the name of a Local User Group you created previously (in our case unrestricted)
    • Navigate to the User/User Group tab and add the User/User Group that matches the Config name
      • Note: You will have to manually type this in. If we were using AD groups, then all available groups would populate automatically in the drop-down.
    • Click OK
    • Add a new Config and give it a name to match the name of a Local User Group you created previously (in our case restricted)
    • Navigate to the User/User Group tab and add the User/User Group that matches the Config name
    • Navigate to the Gateways tab, and add your External Gateway
      • Note: It will be the same as the other Config
    • Navigate to the App tab and change the following parameters
      • Allow User to Disable GlobalProtect App - Allow with Passcode
        • This makes it so that the user cannot disable the VPN without a passcode. Be sure to define a passcode under the Disable GlobalProtect App section.
      • Enforce GlobalProtect Connection for Network Access - Yes
        • If a user becomes disconnected for whatever reason, all network access (local and remote) is disabled.
    • Click OK
    • You should now see two Agent configurations
  • Navigate to Policies -> Security
    • Create some policies to test access for each test user
  • Commit the configuration and test
Upon testing, you will find that each user's experience with the client differs based on group membership. You will also find that the agent's behavior changes based on group membership.
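As an added example (not part of the original post), here is a small Python check that parses an exported PAN-OS configuration and flags the mistakes this procedure invites, above all a mistyped group name in the manually typed User/User Group field, which silently leaves that agent config unmatched. The XML element names and the sample configuration are assumptions modelled on the GUI labels, not taken from a real export.

```python
import xml.etree.ElementTree as ET

# Constructed sample of an exported PAN-OS configuration, trimmed to the parts
# this post creates. Element names are assumptions mirroring the GUI field
# names and were not verified against a real export. The "restricted" agent
# config carries a deliberate typo in its user-group reference.
SAMPLE_CONFIG = """
<config>
  <shared><local-user-database><user-group>
    <entry name="unrestricted"><user><member>alice</member></user></entry>
    <entry name="restricted"><user><member>bob</member></user></entry>
  </user-group></local-user-database></shared>
  <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
    <global-protect><global-protect-portal><entry name="gp-portal">
      <client-config><configs>
        <entry name="unrestricted">
          <source-user><member>unrestricted</member></source-user>
          <gateways><external><list><entry name="gw-ext"/></list></external></gateways>
        </entry>
        <entry name="restricted">
          <source-user><member>restrcited</member></source-user>
          <gateways><external><list><entry name="gw-ext"/></list></external></gateways>
          <agent-user-override>with-passcode</agent-user-override>
          <enforce-globalprotect>yes</enforce-globalprotect>
        </entry>
      </configs></client-config>
    </entry></global-protect-portal></global-protect>
  </entry></vsys></entry></devices>
</config>
"""


def audit_agent_configs(config_xml, enforced_groups=("restricted",)):
    """Return a list of findings; an empty list means the portal matches the plan."""
    root = ET.fromstring(config_xml)
    groups = {g.get("name") for g in root.iterfind(".//local-user-database/user-group/entry")}
    findings = []
    for cfg in root.iterfind(".//global-protect-portal/entry/client-config/configs/entry"):
        name = cfg.get("name")
        members = [m.text for m in cfg.iterfind("source-user/member")]
        if not members:
            findings.append(f"{name}: no user/user-group bound, config will never match")
        for m in members:
            if m != "any" and m not in groups:  # "any" is the catch-all, not a group
                findings.append(f"{name}: user-group '{m}' does not exist (typo?)")
        if not cfg.findall("gateways/external/list/entry"):
            findings.append(f"{name}: no external gateway assigned")
        if name in enforced_groups:  # the locked-down profile must keep both app settings
            if cfg.findtext("enforce-globalprotect") != "yes":
                findings.append(f"{name}: enforce connection for network access is off")
            if cfg.findtext("agent-user-override") != "with-passcode":
                findings.append(f"{name}: users can disable the agent without a passcode")
    return findings
```

Run it against a real export only after confirming the element names match your PAN-OS version; a clean run reports no findings.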
