PAN-OS: Configuring Multiple GlobalProtect Gateway Agent Configurations

Introduction: Tailoring the Client Experience

While a single GlobalProtect Gateway can serve many users, you might encounter scenarios where different groups of users connecting to that same Gateway require distinct settings pushed down to their GlobalProtect agents. For example, you might need different split-tunneling rules, DNS servers, or IP pools based on user group, operating system, or device compliance.

PAN-OS addresses this need by allowing you to configure multiple Agent Configurations within a single GlobalProtect Gateway definition. The firewall then uses matching criteria (like user group, OS, or HIP profile) to determine which specific configuration to apply to a connecting client.

This allows one Gateway infrastructure object to provide customized experiences and network access parameters for diverse user populations.

Why Use Multiple Gateway Agent Configurations?

Common scenarios where multiple configurations on a single Gateway are beneficial:

Different Access Levels (Split Tunneling): Providing full-tunnel access (all traffic via VPN) for some user groups (e.g., IT Admins) while enabling split-tunneling (only specific corporate traffic via VPN) for others (e.g., Sales team accessing only CRM).
Operating System Specific Settings: Pushing different DNS servers or specific Access Routes based on whether the user is connecting from Windows, macOS, or Linux.
Device Compliance (HIP-Based Settings): Assigning different IP pools or access routes based on the device's security posture (e.g., fully compliant devices get a standard IP, non-compliant devices get an IP on a restricted remediation network).
BYOD vs. Corporate Devices: Providing more restricted access (e.g., limited split-tunnel routes) for personally owned devices compared to corporate-managed devices identified via HIP checks or user groups.
Regional Differences: Assigning users connecting to the same Gateway different regional DNS servers based on their user group or source IP (though Source Region is more common at the Portal level for gateway selection).

Configuration Location and Key Concepts

Location within the Gateway

GUI Path: Network > GlobalProtect > Gateways > [Select/Edit Gateway Name] > Agent tab
Within the Agent tab, the primary area for multiple configurations is the Client Settings sub-tab.

Core Concept: Matching Criteria & Order

When a user connects to the Gateway, the firewall evaluates the list of configured Client Settings configurations from top to bottom .

Matching Criteria: Each Client Settings configuration block allows you to specify criteria that the connecting client must meet to receive *that specific* configuration. The key criteria are:
- Operating System: Select specific OS versions (Windows, macOS, Linux, iOS, Android, etc.).
- User and Group: Select specific Usernames or User Groups (requires User-ID integration).
- HIP Profile: Select a pre-configured Host Information Profile (requires HIP configured). You can often select multiple HIP profiles here to match different compliance states.
AND Logic: If multiple criteria (OS, User/Group, HIP) are configured within a single Client Settings block, the client must match *all* of them (AND logic) to receive that configuration.
First Match Wins: The firewall applies the first Client Settings configuration block in the list that matches the connecting client's attributes. No further blocks are evaluated for that client session.
Default/Fallback: It is crucial to have a "catch-all" or default configuration block at the bottom of the list , typically with no specific OS, User/Group, or HIP criteria selected, to apply standard settings to clients who don't match any of the more specific configurations above it.

Settings Defined Per Agent Configuration:

Within each Client Settings configuration block (matched by OS/User/HIP), you define the specific parameters for that group:

IP Pools: Assign addresses from specific pools.
DNS Settings: Assign Primary/Secondary DNS Servers and DNS Suffixes.
Split Tunnel (Access Routes): Define Include/Exclude routes for network traffic.
Split Tunnel (Domain/App): Define Include/Exclude rules based on FQDNs or Applications.
(Other settings like Network Services - DNS Proxy etc.)

Configuration Workflow Example

Scenario:

Provide full-tunnel access for the 'IT-Admins' group and split-tunnel access (only 10.0.0.0/8) for the 'Sales-Users' group, all connecting to the same Gateway.

Steps:

Navigate to Gateway Config: Go to Network > GlobalProtect > Gateways > [Your Gateway] > Agent tab > Client Settings sub-tab.
Configure IT Admins Settings (Top Rule):
- Click Add .
- Name: IT-Admins-FullTunnel
- User and Group Tab: Select the 'IT-Admins' group.
- Network Settings Tab: Assign an IP Pool (e.g., `GP-IT-Pool`), assign appropriate DNS Servers.
- Split Tunnel Tab: Leave 'Access Route' **empty** (this typically signifies full tunnel).
- Click OK.
Configure Sales Users Settings (Second Rule):
- Click Add again.
- Name: Sales-SplitTunnel
- User and Group Tab: Select the 'Sales-Users' group.
- Network Settings Tab: Assign an IP Pool (e.g., `GP-Sales-Pool`), assign appropriate DNS Servers.
- Split Tunnel Tab: Under 'Access Route', click Add and enter 10.0.0.0/8 (or the specific internal subnets they need).
- Click OK.
Configure Default Settings (Bottom Rule - IMPORTANT):
- Click Add one more time.
- Name: Default-CatchAll
- User and Group Tab: Leave this empty (or set to 'any').
- OS Tab: Leave as 'any'.
- HIP Profile Tab: Leave as 'any'.
- Network Settings Tab: Assign a default IP Pool and DNS servers.
- Split Tunnel Tab: Configure default access routes (e.g., maybe restrict access completely or provide minimal access).
- Click OK.
Order the Rules: Ensure the rules are ordered correctly using the up/down arrows:
1. IT-Admins-FullTunnel (Most Specific User Group)
2. Sales-SplitTunnel (Next Specific User Group)
3. Default-CatchAll (Least Specific - matches anyone not matching above)
Commit the configuration.

How it Works: Processing Logic Visualization

flowchart TD
    A[GP Client Connects] --> B{Evaluate Gateway Client Settings};
    B --> C{Check Config 1: IT-Admins?};
    C -- No Match --> D{Check Config 2: Sales-Users?};
    D -- Match! --> E[Apply Config 2: IP Pool: GP-Sales-Pool, DNS: Sales DNS, Split Tunnel: 10.0.0.0/8];
    E --> F[Connection Established];
    D -- No Match --> G{Check Config 3: Default?};
    G -- Match! --> H[Apply Config 3: Default Settings];
    H --> F;

    style E fill:#d5f5e3,stroke:#58d68d,stroke-width:2px;
    style H fill:#fdebd0,stroke:#f5b041,stroke-width:2px;

Simplified decision flow for selecting Agent Configuration based on user group.

Gotchas and Caveats

Ordering is Critical: The first matching configuration from the top down is applied. A broad rule placed above a specific rule will prevent the specific rule from ever matching.
Missing Default/Catch-All: Forgetting to add a default configuration at the bottom can result in users who don't match any specific criteria failing to get necessary settings like an IP address or DNS, preventing a successful connection.
Overlapping Criteria: If criteria overlap significantly between rules, it can be hard to predict which rule a user will match. Try to make criteria as distinct as possible.
User-ID/HIP Dependency: Matching based on User/Group requires User-ID to be correctly configured and mapping available *before* the gateway authentication occurs. Matching based on HIP requires HIP configuration and reporting to be working.
Troubleshooting Complexity: With many configurations, pinpointing why a user received specific settings requires checking the user's attributes (OS, group membership, HIP status) against the ordered list of configurations.

Best Practices

Use Clear Naming Conventions: Name each Agent Configuration descriptively (e.g., `Win-Corp-Compliant-Split`, `Mac-BYOD-Restricted`).
Order Most Specific to Least Specific: Place configurations with the most granular criteria (e.g., specific user + specific OS + specific HIP profile) at the top, followed by broader criteria, ending with the default/catch-all configuration at the bottom.
Always Include a Default: Ensure a configuration exists at the bottom of the list with no specific matching criteria (`any` OS, `any` User/Group, `any` HIP) to handle users who don't fit into specific categories. Define appropriate baseline settings for this default group.
Leverage User Groups and HIP Profiles: Use AD groups or HIP Profiles for matching rather than individual usernames whenever possible for better scalability and manageability.
Keep it Simple (Initially): Start with fewer configurations and add more complexity only as clearly needed.
Test Each Scenario: When adding or modifying configurations, test connections using clients that match each distinct set of criteria (different OS, different user groups, different compliance states) to ensure they receive the correct settings.
Document Your Logic: Use the Description field for each configuration block to explain its purpose and matching criteria.

PCNSE Exam Focus

For the PCNSE exam, regarding multiple Gateway Agent Configurations:

Know that a single Gateway can apply different settings to different clients.
Understand that this is configured under the Gateway's Agent > Client Settings tab.
Identify the key matching criteria used to differentiate clients: OS, User/Group, HIP Profile .
Understand the top-down processing order and that the first match applies .
Recognize the importance of a default/catch-all configuration at the bottom.
Know which common settings are defined within each configuration block (IP Pool, DNS, Split Tunnel/Access Routes).
Be able to analyze a scenario and determine which configuration a client would receive based on its attributes and the configured order.