topic Re: How to restrict access only to certified devices for users in an AD user group but not a different group in GlobalProtect Discussions

How to restrict access only to certified devices for users in an AD user group but not a different group

skuo2020 — Wed, 28 Apr 2021 16:22:35 GMT

LDAP authentication is required for all the users. On top of that, we also want to restrict access to only certified devices for employees (must use company machines) but not contractors (can use private machines). Device certifications are pushed out through GPO to company devices. Employees and contractors belong to different AD user groups. How can it be done?

Re: How to restrict access only to certified devices for users in an AD user group but not a different group

Sec101 — Wed, 28 Apr 2021 21:45:05 GMT

HIP checks is what you need

Re: How to restrict access only to certified devices for users in an AD user group but not a different group

skuo2020 — Tue, 04 May 2021 14:25:35 GMT

If I understand correctly, to use HIP we would have to plant a registry entry to identify those interested machines and then use security policy to control what they are allowed or not allowed to access. GP only collects HIP data but not doing any access controls which is not an ideal solution I am looking for.

Portal allows multiple Client Authentication and multiple Agent. Somewhere in there I believe can do what I am looking for somehow.

Re: How to restrict access only to certified devices for users in an AD user group but not a different group

laurence64 — Wed, 05 May 2021 09:17:08 GMT

Following on from @Sec101 it is true that GP only collects the HIP data, but that data can then be used in a security policy to allow or deny the traffic based on the information contained within, so for instance in this case I would check for the certificate and put a security policy that allows the traffic for that group including the HIP check in the policy, if the device fails the HIP check the firewall will fall through to a rule underneath that could pick up the remaining users and provide that connectivity.

Re: How to restrict access only to certified devices for users in an AD user group but not a different group

Sec101 — Fri, 14 May 2021 18:48:33 GMT

@laurence64

HIPS have predefined- and some custom checks you can look for on an endpoint. The firewall will enforce on those HIP checks if you have them in security policy

Re: How to restrict access only to certified devices for users in an AD user group but not a different group

laurence64 — Tue, 18 May 2021 16:04:28 GMT

Isn't that what I said ?