Endpoint Tunnel Configurations Based on Source Region or IP Address

Software Support: PAN-OS® 9.0 and later releases
You can now deploy tunnel configurations for multiple user locations (internal, external, and specific source regions) from a single GlobalProtect gateway. This enhancement simplifies gateway deployment and management by enabling users to connect to the same gateway from different locations. Based on the location from which they are connecting, users receive the associated tunnel configuration with specific authentication override, IP pool, split tunnel, and DNS settings. For example, you may need to provide secure network access for both branch office users and roaming mobile users through GlobalProtect. With this feature, you can configure a GlobalProtect gateway to allow traffic for local subnet access (for example, local network printing) to bypass the VPN tunnel when end users connect from a branch office but require all traffic to route through the VPN tunnel for inspection and policy enforcement when users connect remotely from an unknown or untrusted network (such as a coffee shop or library).
Use the following steps to configure a GlobalProtect gateway with location-based tunnel configurations:
  1. If you want to configure the gateway to support tunnel configurations for both internal and external users, you must configure the tunnel parameters. This ensures that all user traffic for this gateway (including internal user traffic) goes through the VPN tunnel for inspection and policy enforcement.
  2. Specify the config selection criteria (including the user location) for your client settings configuration.
    The config selection criteria are the conditions that a user must match when connecting to a GlobalProtect gateway. If a user matches all specified criteria (Source User, OS, and Source Address), the gateway deploys this client settings configuration to the user.
  3. Save the gateway configuration.
    Click OK twice.
  4. (Optional) Repeat steps 3-5 to configure additional client settings configurations for different user locations.
  5. If you configure a GlobalProtect gateway to support tunnel configurations for both internal and external users, you must configure the following options in the portal agent configuration:
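
The matching rule from step 2, modeled offline as an added example (not Palo Alto Networks code and not PAN-OS schema), with a check for client settings configurations that can never be selected. It assumes the gateway evaluates configurations top-down and deploys the first match; the class, field names, and sample configurations are hypothetical.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class ClientConfig:
    # Simplified model; field names are illustrative, not PAN-OS schema.
    name: str
    users: frozenset       # {"any"} matches every source user
    oses: frozenset        # {"any"} matches every OS
    sources: tuple         # CIDR strings; () means any source address
    full_tunnel: bool      # True: no traffic bypasses the VPN tunnel

    def matches(self, user, os_name, src_ip):
        ip = ipaddress.ip_address(src_ip)
        return (("any" in self.users or user in self.users)
                and ("any" in self.oses or os_name in self.oses)
                and (not self.sources or
                     any(ip in ipaddress.ip_network(n) for n in self.sources)))

def select_config(configs, user, os_name, src_ip):
    """First config whose criteria all match (top-down order is an assumption)."""
    return next((c for c in configs if c.matches(user, os_name, src_ip)), None)

def _covers(a, b):
    """True if every connection matching b also matches a (conservative check)."""
    set_ok = lambda x, y: "any" in x or ("any" not in y and y <= x)
    nets = lambda c: [ipaddress.ip_network(n) for n in c.sources]
    addr_ok = not a.sources or (bool(b.sources) and all(
        any(nb.version == na.version and nb.subnet_of(na) for na in nets(a))
        for nb in nets(b)))
    return set_ok(a.users, b.users) and set_ok(a.oses, b.oses) and addr_ok

def shadowed(configs):
    """Names of configs that can never be selected because an earlier one covers them."""
    return [b.name for i, b in enumerate(configs)
            if any(_covers(a, b) for a in configs[:i])]

# Constructed sample: the branch office range is documentation space (RFC 5737).
BRANCH = ClientConfig("branch-office", frozenset({"any"}), frozenset({"any"}),
                      ("192.0.2.0/24",), full_tunnel=False)
REMOTE = ClientConfig("remote-any", frozenset({"any"}), frozenset({"any"}),
                      (), full_tunnel=True)
GOOD_ORDER = [BRANCH, REMOTE]
BAD_ORDER = [REMOTE, BRANCH]   # catch-all first: the branch config is dead
```

Running `shadowed()` over an exported rule list before committing flags ordering mistakes, and `select_config()` lets you confirm that addresses outside the trusted range only ever receive a full-tunnel configuration.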
