Advice on setting up VPN routes via GlobalProtect?

We’re switching over from using Cisco ASA to Palo Alto GP for our corporate work-from-home VPN solution and I’ve been tasked with getting things set up and migrated over. I’m completely new to Palo Alto, but so far it’s night and day compared to Cisco (in a good way). However I’m running into an issue that I can’t seem to figure out and I’m starting to wonder if it’s either a limitation of the system, my knowledge, or maybe I’m simply going about it the wrong way.

I’d like to set it up so that each gateway access route grants access to all the IPs required for a single app. This part is easy enough. But I’m not finding a way to grant access to multiple apps without setting up a gateway client setting config for every possible combination of apps that users may require. We’re currently granting access to various ranges/apps via inclusion in various Active Directory groups - no idea if that’s relevant, but I figured I’d include it.

Is there any way to do what I’m trying to do in the way I’m trying to do it? If not, am I going about this the wrong way? Any advice, pointers, or even “hey dumbass, you’re doing this all wrong” comments would be greatly appreciated.

Sounds like you’d be better off using a mix of user-id and security rules to limit access to the apps that way.

Good to hear you're liking the changes, it's a great product!

Are you trying to allow Global Protect users access to certain IP ranges on the internal network?

To confirm, are you using clientless VPN where you have certain applications set up, or are you using the GP client to access servers with apps available?

What’s happening when trying to access the apps?

To add to what everyone else said, not having routes isn't security. Most route-based VPN clients will happily tunnel traffic stuffed at their virtual adapter; a malicious (or crafty) user that has local admin can simply add routes to the local routing table pointing at the PAN adapter to get traffic to the other end.

Do User-ID and write your policies as appropriate for traffic from the GP Zone towards the protected resources.

Might be a bit much to wrap your head around coming from Cisco, but once you get used to it you'll wonder why you took so long to switch.


One way to do this would be to full tunnel (all traffic) to the firewall and then allow the traffic via security rules instead which can be allowed by security groups in the source.

User-ID Docs

Security Policy Docs

Basically you would configure the firewall for User-ID, which pulls in the AD group information for the apps as you guys already have. Then in the security policy it would be something like:

  • Source IP: globalprotect range
  • Source Zone: globalprotect zone
  • Source User: AD group
  • Destination Zone: app’s zone
  • Destination IP: app’s IP

I haven’t seen many people doing filtering by not allowing certain routes to clients, but it is certainly possible. However as you are finding it’s not really feasible long term for management. At my current company, for example, I don’t really care what routes I send to you (so I just say send 10.0.0.0/8 over the VPN), then all the filtering happens in security policy.

Hope this helps!

Use exactly the method that /u/wrwarwick suggested. Leverage your security policies to do this.

/u/wrwarwick couldn’t explain that better. Definitely the cleanest and easy to understand setup.

I'm fairly new to PA as well (6 months) and when I migrated our firewall from pfSense to PA I was "concerned" about advertising all the routes to our employees regardless of their department.

1-) Use one GW for employees. You can just full tunnel and go with 0.0.0.0/0, or list all your subnets in there (in case you don't want to tunnel internet traffic).

2-) On AD map users to a group that matches their department (you probably have this already).

3-) Even though all your employees will be advertised with all the routes, that doesn't mean they will have access to them. Leveraging User-ID, allow access to your apps based on the department the employee is a member of.

4-) For vendors and other external users you can set up a separate GP Gateway. In this new GW you don't need to advertise all the routes. Be more selective here, and tailor security policies after.

Regards,

JF
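The approach both /u/wrwarwick and JF describe (broad access route, per-app security rules keyed on the User-ID group, explicit deny underneath) written out as PAN-OS CLI `set` commands. This is an added example, not config from any poster; the zone names `GP-VPN` and `Internal`, the client pool `10.250.0.0/24`, the app addresses and the AD group DNs are assumed placeholders, and the gateway's access route (e.g. 10.0.0.0/8 as above) is left in the client config unchanged.

```text
set rulebase security rules GP-App1 description "GP users in app1 AD group to app1 server only (example names)"
set rulebase security rules GP-App1 from GP-VPN to Internal
set rulebase security rules GP-App1 source 10.250.0.0/24
set rulebase security rules GP-App1 source-user "cn=app1-users,ou=groups,dc=example,dc=com"
set rulebase security rules GP-App1 destination 10.20.5.10
set rulebase security rules GP-App1 application any service application-default action allow
set rulebase security rules GP-App1 log-end yes

set rulebase security rules GP-App2 description "Second app, second AD group; a user in both groups matches both rules"
set rulebase security rules GP-App2 from GP-VPN to Internal
set rulebase security rules GP-App2 source 10.250.0.0/24
set rulebase security rules GP-App2 source-user "cn=app2-users,ou=groups,dc=example,dc=com"
set rulebase security rules GP-App2 destination [ 10.20.6.20 10.20.6.21 ]
set rulebase security rules GP-App2 application any service application-default action allow
set rulebase security rules GP-App2 log-end yes

set rulebase security rules GP-Deny-Rest description "Catch-all for the VPN zone: routes are not access control, this rule is"
set rulebase security rules GP-Deny-Rest from GP-VPN to Internal
set rulebase security rules GP-Deny-Rest source 10.250.0.0/24 source-user any destination any
set rulebase security rules GP-Deny-Rest application any service any action deny
set rulebase security rules GP-Deny-Rest log-end yes
```

Rules are evaluated top down, so keep `GP-Deny-Rest` below the per-app rules (`move rulebase security rules GP-Deny-Rest bottom` if it was created first); adding access for a new app is then one more rule and one AD group, not a new gateway client config.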