Group Policy General Options

Navigation Path

Objects > Object Management > VPN > Group Policy, click Add Group Policy or choose an existing policy to edit, then select the General tab.

VPN Protocols Fields

Specify the types of Remote Access VPN tunnels that can be used when this group policy is applied: SSL or IPsec IKEv2.

IP Address Pools

Specifies the IPv4 address pools from which addresses are assigned to specific user groups in Remote Access VPN. For Remote Access VPN, you can assign IP addresses from specific address pools to identified user groups by using RADIUS/ISE for authorization. In systems that are not identity-aware, you can still enforce policy for a user or user group by configuring a particular Group Policy as a RADIUS authorization attribute (GroupPolicy/Class) for that user group. For example, you can select a specific address pool for contractors and enforce policy on those addresses to allow only restricted access to the internal network.

The order of preference in which the FTD device assigns IPv4 address pools to clients:

  1. RADIUS attribute for IPv4 Address Pool

  2. RADIUS attribute for Group Policy

  3. Address Pool in Group Policy mapped to a Connection Profile

  4. IPv4 Address Pool in Connection Profile

Limitations on using IP address pools in a Group Policy:

  • IPv6 address pool is not supported.

  • Maximum of six IPv4 address pools can be configured in a Group Policy.

  • Deployment failures occur when address pools that are in use are modified. You must log off all users before making any changes to the address pools.

  • When address pools are renamed, or overlapping address pools are configured, deployment can fail. To deploy such a change, first remove the old address pool and deploy, then deploy the changed address pool.

    Some troubleshooting commands:

    • show ip local pool <address-pool-name>
    • show vpn-sessiondb detail anyconnect
    • vpn-sessiondb logoff all noconfirm

Banner Fields

Specifies the banner text to present to users at login. The length can be up to 491 characters. There is no default value. The IPsec VPN client supports full HTML for the banner; the AnyConnect client supports only partial HTML. To ensure that the banner displays properly to remote users, use the /n tag for IPsec clients and the <BR> tag for SSL clients.

DNS/WINS Fields

Domain Name System (DNS) and Windows Internet Name Service (WINS) servers, used for AnyConnect client name resolution.

  • Primary DNS Server and Secondary DNS Server—Choose or create a Network Object which defines the IPv4 or IPv6 addresses of the DNS servers you want this group to use.

  • Primary WINS Server and Secondary WINS Server—Choose or create a Network Object containing the IP addresses of the WINS servers you want this group to use.

  • DHCP Network Scope—Choose or create a Network Object containing a routable IPv4 address on the same subnet as the desired pool, but not within the pool. The DHCP server determines which subnet this IP address belongs to and assigns an IP address from that pool. If the scope is not set properly, deployment of the VPN policy fails.

    If you configure DHCP servers for the address pool in the connection profile, the DHCP scope identifies the subnets to use for the pool for this group. The DHCP server must also have addresses in the same subnet identified by the scope. The scope allows you to select a subset of the address pools defined in the DHCP server to use for this specific group.

    If you do not define a network scope, the DHCP server assigns IP addresses in the order of the address pools configured. It goes through the pools until it identifies an unassigned address.

    We recommend using the IP address of an interface whenever possible for routing purposes. For example, if the pool is 10.100.10.2-10.100.10.254, and the interface address is 10.100.10.1/24, use 10.100.10.1 as the DHCP scope. Do not use the network number. You can use DHCP for IPv4 addressing only. If the address you choose is not an interface address, you might need to create a static route for the scope address.

    LINK-SELECTION (RFC 3527) and SUBNET-SELECTION (RFC 3011) are currently not supported.

  • Default Domain—Name of the default domain. Specify a top-level domain, for example, example.com.
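The DHCP Network Scope rules above (IPv4 only, same subnet as the pool, not the network number, not inside the pool, and preferably the interface address) are easy to get wrong and the failure shows up only as a deployment error. The following Python check is an added example written for this page, not part of the product or its documentation; it assumes the pool's subnet is supplied as a CIDR string and that the caller knows the interface address, and encodes only the rules the field description states.

```python
import ipaddress


def check_dhcp_scope(scope, subnet, pool_start, pool_end, interface_address=None):
    """Validate a candidate DHCP Network Scope address for a VPN address pool.

    Returns (ok, reason). The rules are the ones stated for the field:
    the scope must be an IPv4 address on the same subnet as the pool,
    must not be the network number, and must not fall inside the pool.
    If an interface address is given and the scope differs from it, the
    scope is still accepted but the reason notes that a static route for
    the scope address may be needed.
    """
    try:
        scope_ip = ipaddress.ip_address(scope)
    except ValueError:
        return False, f"{scope!r} is not a valid IP address"
    if scope_ip.version != 4:
        return False, "DHCP address assignment is IPv4 only; an IPv6 scope is not supported"

    # The pool's subnet, e.g. "10.100.10.0/24" (constructed input, supplied by the caller)
    net = ipaddress.ip_network(subnet, strict=False)
    start = ipaddress.ip_address(pool_start)
    end = ipaddress.ip_address(pool_end)
    if start not in net or end not in net:
        return False, f"pool {pool_start}-{pool_end} is not contained in subnet {net}"
    if scope_ip not in net:
        return False, f"scope {scope} is not on the pool's subnet {net}"
    if scope_ip == net.network_address:
        return False, "scope must not be the network number"
    if start <= scope_ip <= end:
        return False, f"scope {scope} lies inside the pool {pool_start}-{pool_end}"
    if interface_address is not None and scope_ip != ipaddress.ip_address(interface_address):
        return True, "ok, but not the interface address: a static route for the scope address may be needed"
    return True, "ok"


if __name__ == "__main__":
    # Constructed candidates, using the pool and interface from the example above.
    pool = ("10.100.10.0/24", "10.100.10.2", "10.100.10.254")
    for candidate in ("10.100.10.1", "10.100.10.0", "10.100.10.50", "10.100.11.1", "2001:db8::1"):
        ok, reason = check_dhcp_scope(candidate, *pool, interface_address="10.100.10.1")
        print(f"{candidate:>14}: {'OK ' if ok else 'BAD'} {reason}")
```

Run it before deploying a policy that uses a DHCP scope: the only candidate that passes cleanly with the pool 10.100.10.2-10.100.10.254 and interface 10.100.10.1/24 is the interface address itself, which matches the recommendation above.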

Split Tunneling Fields

Split tunneling directs some network traffic through the VPN tunnel (encrypted) and the remaining network traffic outside the VPN tunnel (unencrypted or “in the clear”).

  • IPv4 Split Tunneling / IPv6 Split Tunneling—By default, split tunneling is not enabled. For both IPv4 and IPv6 it is set to Allow all traffic over tunnel. Left as is, all traffic from the endpoint goes over the VPN connection.

    To configure split tunneling, choose the Tunnel networks specified below or Exclude networks specified below policy. Then configure an access control list for that policy.

  • Split Tunnel Network List Type—Choose the type of Access List you are using. Then choose or create a Standard Access List or Extended Access List. See Access List for details.

  • DNS Request Split Tunneling—Also known as Split DNS. Configure the DNS behavior expected in your environment.

    By default, split DNS is not enabled; the setting is Send DNS request as per split tunnel policy. Choosing Always send DNS request over tunnel forces all DNS requests to be sent over the tunnel to the private network.

    To configure split DNS, choose Send only specified domains over tunnel, and enter the list of domain names in the Domain List field. These requests are resolved through the split tunnel to the private network. All other names are resolved using the public DNS server. Enter up to ten entries in the list of domains, separated by commas. The entire string can be no longer than 255 characters.
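The Domain List limits above (at most ten comma-separated entries, 255 characters in total) and the resulting tunnel-or-public decision per query name are shown in the following Python example. It is added here and is not part of the product or its documentation. The syntax check on each entry is a simple one of my own, and the matching rule in dns_path (a listed domain also covers its subdomains, matched on whole labels) is an assumption about the client's behavior rather than something the page states.

```python
import re

MAX_SPLIT_DNS_DOMAINS = 10   # up to ten entries in the Domain List
MAX_SPLIT_DNS_LENGTH = 255   # the whole comma-separated string

# Simple syntax check (my assumption): labels of letters, digits and hyphens, at least one dot.
_DOMAIN_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")


def parse_split_dns_domains(domain_list):
    """Parse the Domain List field, enforcing the limits stated for the field.

    Returns the normalized list of domains (lower-cased, trailing dot removed)
    or raises ValueError describing the first violated rule.
    """
    if len(domain_list) > MAX_SPLIT_DNS_LENGTH:
        raise ValueError(f"domain list is {len(domain_list)} characters; maximum is {MAX_SPLIT_DNS_LENGTH}")
    entries = [e.strip().lower().rstrip(".") for e in domain_list.split(",") if e.strip()]
    if not entries:
        raise ValueError("domain list is empty")
    if len(entries) > MAX_SPLIT_DNS_DOMAINS:
        raise ValueError(f"{len(entries)} domains listed; maximum is {MAX_SPLIT_DNS_DOMAINS}")
    for entry in entries:
        if not _DOMAIN_RE.match(entry):
            raise ValueError(f"{entry!r} is not a valid domain name")
    return entries


def is_valid_domain_list(domain_list):
    """True if the Domain List string satisfies every rule, False otherwise."""
    try:
        parse_split_dns_domains(domain_list)
        return True
    except ValueError:
        return False


def dns_path(qname, domains):
    """Return "tunnel" if the query name falls under a listed domain, else "public".

    Assumption (not stated on the page): a listed domain also covers its
    subdomains, and matching is on whole labels, so "example.net" covers
    "www.example.net" but not "notexample.net".
    """
    name = qname.lower().rstrip(".")
    for domain in domains:
        if name == domain or name.endswith("." + domain):
            return "tunnel"
    return "public"


if __name__ == "__main__":
    # Constructed Domain List and query names for illustration.
    domains = parse_split_dns_domains("Corp.Example.com, example.net.")
    for qname in ("intranet.corp.example.com", "example.net", "notexample.net", "www.example.com"):
        print(f"{qname:>28} -> {dns_path(qname, domains)}")
```

The "notexample.net" case is the one worth checking in any list you configure: a bare suffix match would send that public name through the tunnel, so the comparison insists on a label boundary.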