https://live.paloaltonetworks.com/t5/globalprotect-articles/globalprotect-user-device-context-and-compliance/ta-p/322235 <DIV class="lia-message-template-content-zone"> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="GlobalProtect: User/Device Context and Compliance" style="width: 960px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/25102i67F8777625282990/image-size/large?v=v2&amp;px=999" role="button" title="GlobalProtect User Device Context Compliance.png" alt="GlobalProtect: User/Device Context and Compliance" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">GlobalProtect: User/Device Context and Compliance</span></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P data-unlink="true"><SPAN>In my previous article, "</SPAN><A title="GlobalProtect: Expanded Setup | LIVEcommunity | Palo Alto Networks" href="https://live.paloaltonetworks.com/t5/General-Articles/GlobalProtect-Expanded-Setup/ta-p/322234" target="_self">GlobalProtect: Expanded Setup</A><SPAN>," we covered the expanded setup of GlobalProtect, which included multiple authentication types, as well as the creation of an internal gateway. </SPAN></P> <P>&nbsp;</P> <P data-unlink="true"><SPAN>In this post, we are going to modify security policy matching based on user identity and device context provided via the GlobalProtect app. We will also enable notifications to the end user based on compliance of the endpoint. You can see a diagram of the environment&nbsp;</SPAN><A href="https://live.paloaltonetworks.com/t5/Blogs/GlobalProtect-Overview/ba-p/322170" target="_self">here</A><SPAN>.</SPAN><BR /><BR /><SPAN>The value in leveraging user identity and device context in security policy along with end user notifications allow for greater visibility as well as more granular control over what users can access. This same methodology is applicable regardless of user location, and best practices dictate that they should be leveraged wherever possible. If a user is outside of what is required in order to access resources, they can be notified or mapped to a different rule to provide the minimum level of access required in order to become compliant.</SPAN></P> <P>&nbsp;</P> <P><STRONG>NOTE:</STRONG>&nbsp;<SPAN>This article assumes that you have already followed the previous articles in this series.</SPAN></P> <P>&nbsp;</P> <H2><STRONG>Part III - User/Device Context and Compliance</STRONG></H2> <UL> <LI>Navigate to<SPAN>&nbsp;</SPAN><STRONG>Objects &gt; GlobalProtect &gt; HIP Objects &gt; Add</STRONG>&nbsp;to create one or more test objects that are applicable to your environment</LI> <UL class="lia-list-style-type-circle"> <LI>Name the<SPAN>&nbsp;</SPAN><STRONG>HIP Object</STRONG>&nbsp;and enable, checking for something specific to your environment. In my case, I run Cortex XDR Prevent on my workstations, and I will be also testing via an iPhone, so I will create two objects called<SPAN>&nbsp;</SPAN><I>AV</I>&nbsp;and<SPAN>&nbsp;</SPAN><I>iPhone</I>.</LI> </UL> </UL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="HIP Object - General Tab - AV" style="width: 640px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/25103i1B763A4014E755F1/image-size/large?v=v2&amp;px=999" role="button" title="HIP Object - General Tab.png" alt="HIP Object - General Tab - AV" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">HIP Object - General Tab - AV</span></span></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="HIP Object - Anti-Malware Tab" style="width: 640px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/25104i197993EFD04BC6B1/image-size/large?v=v2&amp;px=999" role="button" title="HIP Object - Anit-Malware Tab.png" alt="HIP Object - Anti-Malware Tab" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">HIP Object - Anti-Malware Tab</span></span></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="HIP Object - General Tab - iPhone" style="width: 640px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/25105iC632113C346AE636/image-size/large?v=v2&amp;px=999" role="button" title="HIP Object - General Tab - iPhone.png" alt="HIP Object - General Tab - iPhone" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">HIP Object - General Tab - iPhone</span></span></P> <UL> <LI>Navigate to<SPAN>&nbsp;</SPAN><STRONG>Objects &gt; GlobalProtect &gt; HIP Profiles &gt; Add</STRONG>&nbsp;to create a profile that references both of the previously created objects</LI> <UL class="lia-list-style-type-circle"> <LI><STRONG>NOTE:</STRONG>&nbsp;In the screenshot below, the profile will match based on either of the previously created objects</LI> </UL> </UL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="HIP Profile - Compliant HIP Profile" style="width: 501px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/25106iE61942A6BC6E2797/image-size/large?v=v2&amp;px=999" role="button" title="HIP Profile - Compliant HIP Profile.png" alt="HIP Profile - Compliant HIP Profile" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">HIP Profile - Compliant HIP Profile</span></span></P> <UL> <LI>Navigate to<SPAN>&nbsp;</SPAN><STRONG>Network &gt; GlobalProtect &gt; Gateways&nbsp;&gt;</STRONG>&nbsp;open each of the existing gateways<SPAN>&nbsp;</SPAN><STRONG>&gt; Agent &gt; HIP Notification &gt; Add</STRONG> <UL class="lia-list-style-type-circle"> <LI>Select the<SPAN>&nbsp;</SPAN><STRONG>Host Information</STRONG>&nbsp;profile that was previously created</LI> <LI>On the<SPAN>&nbsp;</SPAN><STRONG>Match Message&nbsp;</STRONG>tab <UL class="lia-list-style-type-square"> <LI>Check the&nbsp;<STRONG>Enable</STRONG>&nbsp;box</LI> <LI>Enter a message</LI> </UL> </LI> <LI>On the<SPAN>&nbsp;</SPAN><STRONG>Not Match Message</STRONG>&nbsp;tab <UL class="lia-list-style-type-square"> <LI>Check the<SPAN>&nbsp;</SPAN><STRONG>Enable</STRONG>&nbsp;box</LI> <LI>Enter a message</LI> </UL> </LI> </UL> </LI> </UL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="HIP Notification - Compliant HIP Profile - Match Message" style="width: 640px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/25107iE5184DE782DDF63D/image-size/large?v=v2&amp;px=999" role="button" title="HIP Notification - Compliant HIP Profile - Match Message.png" alt="HIP Notification - Compliant HIP Profile - Match Message" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">HIP Notification - Compliant HIP Profile - Match Message</span></span></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="HIP Notification - Compliant HIP Profile - Not Match Message" style="width: 640px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/25108iF4AF13AD5F77EB35/image-size/large?v=v2&amp;px=999" role="button" title="HIP Notification - Compliant HIP Profile - Not Match Message.png" alt="HIP Notification - Compliant HIP Profile - Not Match Message" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">HIP Notification - Compliant HIP Profile - Not Match Message</span></span></P> <UL> <LI>Navigate to<SPAN>&nbsp;</SPAN><STRONG>Policies &gt; Security</STRONG>&nbsp;to create rules based on user group and device context</LI> <UL class="lia-list-style-type-circle"> <LI>As shown below, we are adding a user group and HIP profile as match criteria</LI> </UL> </UL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Security Policies - Add User Group and HIP Profile" style="width: 640px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/25109i07651CBB4BAB5E42/image-size/large?v=v2&amp;px=999" role="button" title="Security Policies - Add User Group and HIP Profile.png" alt="Security Policies - Add User Group and HIP Profile" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Security Policies - Add User Group and HIP Profile</span></span></P> <UL> <LI><STRONG>Commit</STRONG>&nbsp;the configuration</LI> </UL> <DIV>You should now be able to log into GlobalProtect and see a message similar to the following:</DIV> <DIV><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="GlobalProtect - Home Internal Gateway Compliant" style="width: 329px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/25110i1CF490EEC09EB21D/image-size/large?v=v2&amp;px=999" role="button" title="GlobalProtect - Home Internal Gateway Compliant.png" alt="GlobalProtect - Home Internal Gateway Compliant" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">GlobalProtect - Home Internal Gateway Compliant</span></span></DIV> <DIV>&nbsp;</DIV> <DIV> <P>You should also be able to see rule matches via the<SPAN>&nbsp;</SPAN><STRONG>Traffic&nbsp;logs</STRONG>.</P> <P>&nbsp;</P> <P>In my next article, "<A title="GlobalProtect: Authentication Policy with MFA | LIVEcommunity | Palo Alto Networks" href="https://live.paloaltonetworks.com/t5/General-Articles/GlobalProtect-Authentication-Policy-with-MFA/ta-p/322236" target="_self">GlobalProtect: Authentication Policy with MFA</A>," we will configure authentication policy with MFA for both HTTP and non-HTTP access to sensitive resources.</P> </DIV> </DIV> Mon, 11 Jul 2022 15:30:34 GMT SpencerMitchell 2022-07-11T15:30:34Z https://live.paloaltonetworks.com/t5/globalprotect-articles/globalprotect-user-device-context-and-compliance/ta-p/322235 <P><SPAN>See how to modify security policy matching based on user identity and device context provided via the GlobalProtect app.</SPAN></P> Mon, 11 Jul 2022 15:30:34 GMT https://live.paloaltonetworks.com/t5/globalprotect-articles/globalprotect-user-device-context-and-compliance/ta-p/322235 SpencerMitchell 2022-07-11T15:30:34Z https://live.paloaltonetworks.com/t5/globalprotect-articles/globalprotect-user-device-context-and-compliance/tac-p/1232819#M154 <P>Hi,<BR /><BR />Struggling to find any documentation related to user based policy configuration. Yours is the closest I could find.<BR /><BR />I managed to setup auth for user following documentation here :&nbsp;<A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g0000008U48CAE" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g0000008U48CAE</A><BR />but there is no mention of how we can add a user authenticated with SAML profile on security policies there.<BR /><BR />How do we manage to add an azure saml authenticated user to security policy?</P><P>Is it via Cloud Identity engine + User ID?<BR /><BR />Kindly help</P> Sun, 29 Jun 2025 22:15:44 GMT https://live.paloaltonetworks.com/t5/globalprotect-articles/globalprotect-user-device-context-and-compliance/tac-p/1232819#M154 Proton951 2025-06-29T22:15:44Z https://live.paloaltonetworks.com/t5/globalprotect-articles/globalprotect-user-device-context-and-compliance/tac-p/1232905#M155 <P>Hello,</P> <P>&nbsp;</P> <P>I like to think of User-ID as synonymous with all things identity. With this in mind, there are two different aspects of User-ID that we need to configure as it relates to traditional GlobalProtect or Prisma Access: authentication and authorization. Think of authentication as what grants the initial login. A user logs in (is authenticated). Think of authorization as what resources are accessible by a user once they are connected (what they are authorized to access).&nbsp;</P> <P>&nbsp;</P> <P data-unlink="true">In the case of Azure, it can be used both for authentication and authorization. You would configure Azure as an iDP for authentication&nbsp;(see <A href="https://docs.paloaltonetworks.com/cloud-identity/cloud-identity-engine-getting-started/authenticate-users-with-the-cloud-identity-engine" target="_self">here</A>), and use Azure AD for authorization&nbsp;(see <A href="https://docs.paloaltonetworks.com/cloud-identity/cloud-identity-engine-getting-started/choose-directory-type/configure-a-cloud-based-directory/set-up-azure" target="_self">here</A>). If you just set up SAML auth, this is not enough to be able to leverage user/group information in security policy. You also have to setup Azure AD in CIE.</P> <P>&nbsp;</P> Mon, 30 Jun 2025 16:00:53 GMT https://live.paloaltonetworks.com/t5/globalprotect-articles/globalprotect-user-device-context-and-compliance/tac-p/1232905#M155 SpencerMitchell 2025-06-30T16:00:53Z https://live.paloaltonetworks.com/t5/globalprotect-articles/globalprotect-user-device-context-and-compliance/tac-p/1234335#M157 <P>Thanks Mitchel,<BR /><BR />I have figured it out.<BR />Was able to setup a CIE with Azure Entra then use it as the user accounts on Policies with users authenticated using SAML prepared as in the 1st link I sent.<BR />I will probable come up with a combined doc of it and share its link here aswell so someone that stumbles into it later could save some time<BR /><BR />Regards</P> Sun, 20 Jul 2025 17:50:23 GMT https://live.paloaltonetworks.com/t5/globalprotect-articles/globalprotect-user-device-context-and-compliance/tac-p/1234335#M157 Proton951 2025-07-20T17:50:23Z