Endpoint Tunnel Configurations Based on Source Region or
Software Support: PAN-OS® 9.0 and later releases
You can now deploy tunnel configurations for multiple user locations (internal, external, and specific source regions) from a single GlobalProtect gateway. This enhancement simplifies gateway deployment and management by enabling users to connect to the same gateway from different locations. Based on the location from which they are connecting, users receive the associated tunnel configuration with specific authentication override, IP pool, split tunnel, and DNS settings. For example, you may need to provide secure network access for both branch office users and roaming mobile users through GlobalProtect. With this feature, you can configure a GlobalProtect gateway to allow traffic for local subnet access (for example, local network printing) to bypass the VPN tunnel when end users connect from a branch office but require all traffic to route through the VPN tunnel for inspection and policy enforcement when users connect remotely from an unknown or untrusted network (such as a coffee shop or library).
Use the following steps to configure a GlobalProtect gateway with location-based tunnel configurations:
- If you want to configure the gateway to support tunnel configurations for both internal and external users, you must configure the tunnel parameters. This ensures that all user traffic for this gateway (including internal user traffic) goes through the VPN tunnel for inspection and policy enforcement.
- Specify the config selection criteria (including the user location) for your client settings configuration. The config selection criteria are the conditions a user must match when connecting to a GlobalProtect gateway. If a user matches all specified criteria (Source User, OS, and Source Address), the gateway deploys this client settings configuration to the user.
- Save the gateway configuration. Click OK twice.
- (Optional) Repeat steps 3-5 to configure additional client settings configurations for different user locations.
- If you configure a GlobalProtect gateway to support tunnel configurations for both internal and external users, you must configure the following options in the portal agent configuration:
- Internal host detection allows the GlobalProtect app to determine whether a user's endpoint is inside or outside the enterprise network.
- Enable users with this portal agent configuration to connect to the same gateway both internally and externally:
- You must Add the same gateway that you added to the Internal gateway configuration.
- Enter the same gateway Name that you entered in the Internal gateway configuration.
- Enter the same FQDN or IP address that you entered in the Internal gateway configuration.
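The following is an added model of the client settings selection described in the steps above; it is not Palo Alto Networks code. It assumes configs are evaluated top-down with the first full match winning, that an unset criterion matches anything, and that a Source Address entry is either a CIDR or a region code; the configs and addresses are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ClientConfig:
    """One client settings config: match criteria plus the tunnel settings it deploys."""
    name: str
    source_users: list = field(default_factory=list)  # empty list = any user
    os_list: list = field(default_factory=list)       # empty list = any OS
    source_addrs: list = field(default_factory=list)  # CIDRs and/or region codes; empty = any
    split_tunnel_exclude: list = field(default_factory=list)  # empty = all traffic in tunnel
    dns_servers: list = field(default_factory=list)

    def matches(self, user: str, os_name: str, src_ip: str, region: str) -> bool:
        # Every criterion that is set must match; an unset criterion matches anything.
        if self.source_users and user not in self.source_users:
            return False
        if self.os_list and os_name not in self.os_list:
            return False
        if self.source_addrs and not any(_addr_match(a, src_ip, region) for a in self.source_addrs):
            return False
        return True


def _addr_match(criterion: str, src_ip: str, region: str) -> bool:
    """A Source Address entry is either a CIDR/IP or a region code (assumption)."""
    try:
        return ipaddress.ip_address(src_ip) in ipaddress.ip_network(criterion, strict=False)
    except ValueError:
        return criterion == region


def select_config(configs, user, os_name, src_ip, region) -> Optional[ClientConfig]:
    """Return the first config whose criteria all match (top-down order assumed)."""
    for cfg in configs:
        if cfg.matches(user, os_name, src_ip, region):
            return cfg
    return None


# Constructed sample gateway: branch users bypass the tunnel for the local subnet only,
# roaming users in specific regions and everyone else get a full tunnel for inspection.
GATEWAY_CONFIGS = [
    ClientConfig("it-admins", source_users=["alice"], os_list=["Windows"],
                 source_addrs=["10.20.0.0/16"]),
    ClientConfig("branch-office", source_addrs=["10.20.0.0/16"],
                 split_tunnel_exclude=["10.20.0.0/16"], dns_servers=["10.20.0.53"]),
    ClientConfig("eu-roaming", source_addrs=["DE", "FR"], dns_servers=["10.0.0.53"]),
    ClientConfig("remote-default"),  # catch-all: unknown networks get the full tunnel
]
```

The catch-all entry at the end is what guarantees that a user connecting from an unrecognized network still receives the full-tunnel configuration.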