topic Re: How can i apply different HIP Policy for external users? in GlobalProtect Discussions

How can i apply different HIP Policy for external users?

omertaskin — Tue, 05 Sep 2023 12:05:12 GMT

Hello Dear Community,

I have 2 SSL VPN rules assigned to my username in Palo Alto firewall. For testing purposes, I added a HIP profile to only one of them. The device I tested does not comply with the HIP profile.

The VPN connection is notifyed as failed. The rule to which I applied the HIP Profile is not working because the computer I'm using does not comply with the HIP profile.
That's OK

I believe that the VPN connection should not be established since the computer does not comply with the HIP profile.

When I did some research, they told me that I should apply the HIP profile to the SSLVPN WAN rule. However, it's not possible for me to apply the same policy to consultants/external users. What should I do exactly here?

Do I need a new VPN Gateway? Or should I add a new WAN rule and apply HIP to it? Please enlighten me in simple terms.

Re: How can i apply different HIP Policy for external users?

BPry — Tue, 05 Sep 2023 12:57:31 GMT

@omertaskin,

If you wanted to use a HIP Profile on one of your security entries for corporate users and not for consultant or external users, you would simply build the security entry targeting the specific group of users. So as an example of all internal users were in a group called 'Internal-Users' and everyone else was in a group called 'Consultants', you would simply build a rule for each group. In the 'Internal-Users' group you would include the HIP-profile that you wish to target so that anyone matching that HIP profile hits the rule in question. Then with the 'Consultants' group you would simply not include that HIP-profile as match criteria.

Re: How can i apply different HIP Policy for external users?

omertaskin — Wed, 06 Sep 2023 05:53:42 GMT

It has become even more complex.
I have 5 groups: software, dba, external, internal, etc...
I can create a lot of HIP profiles, that's not a problem, but I'm stuck on how to apply them targeting these groups. This part is currently confusing me.
GP > GW > agent > client settings, here I have 5 user types and integration with Office 365 for login authentication. Can I apply it from here? It's possible? I guess no.

Can I only add them from the device section within the firewall access rules? Is there any other option? I'm using version 11.

Company's computer feature: joined domain, company av, company dlp, generic hostname External comp. they have not same feature, you know..

What's is your advice now?
thanks for your interest