<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Use HIPS to assign Gateway IP Address for external clients in GlobalProtect Discussions</title>
    <link>https://live.paloaltonetworks.com/t5/globalprotect-discussions/use-hips-to-assign-gateway-ip-address-for-external-clients/m-p/580460#M5130</link>
    <description>&lt;P&gt;Hi &lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/258249"&gt;@BenBrazil&lt;/a&gt; ,&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;As you mentioned, HIP is not available under the gateway Config Selection Criteria.&amp;nbsp; The bigger question is "What do you want to use the different IP pools to accomplish?"&amp;nbsp; If those different pools will be used in different security policy rules, then use the HIP Profiles in the rules instead of the IP pools.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Thanks,&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Tom&lt;/P&gt;</description>
    <pubDate>Fri, 15 Mar 2024 02:05:14 GMT</pubDate>
    <dc:creator>TomYoung</dc:creator>
    <dc:date>2024-03-15T02:05:14Z</dc:date>
    <item>
      <title>Use HIPS to assign Gateway IP Address for external clients</title>
      <link>https://live.paloaltonetworks.com/t5/globalprotect-discussions/use-hips-to-assign-gateway-ip-address-for-external-clients/m-p/580234#M5123</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I am looking at how to assign different IP Pool addresses to clients based on a HIPS check.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;We are currently achieving this by assigning a different IP Pool to users based on user group membership of an Active Directory group. When the client authenticates with the Gateway, it receives a Pre-logon IP Address - let's call this an IP Address in Pool A. We want the majority of the client machines to have an IP Address in Pool A, so when the user logs into their client, they continue to use that same IP Address.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;The clients that we want to have an IP Address in Pool B, initially receive an IP Address in Pool A as it is received in the pre-logon phase. When the user logs in, the Gateway configuration evaluates AD group membership and will assign an IP Address in Pool B as long as the PANGPS service is restarted and the client reauthenticates with the Gateway. This is somewhat convoluted but works.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I'd now like to change the way this has been implemented to use HIPS so that the client, depending on the HIPS check, will either receive an IP address from Pool A or from Pool B at the pre-logon stage. From what I've been reading it looks like I would do the following:&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;The HIPS evaluation on the client is going to be based on a registry key, so I would create a HIP Data Collection custom registry check on the pre-logon Agent configuration on the Portal.&lt;/LI&gt;
&lt;LI&gt;Create a HIPS Object&lt;/LI&gt;
&lt;LI&gt;Create a HIPS Profile&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;Is it then possible to use the HIPS configuration as the selection criteria to allocate an IP Address from IP Pool B? In the Gateway configuration for the agent, the only selection criteria options are based on Source User, OS, Source Address or IP Address. It doesn't appear to be obvious how to use the HIPS profile as a selection criteria to allocate an IP Pool.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Any suggestions would be appreciated.&lt;/P&gt;
&lt;P&gt;Thanks,&lt;/P&gt;
&lt;P&gt;Ben&lt;/P&gt;</description>
      <pubDate>Wed, 13 Mar 2024 15:40:28 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/globalprotect-discussions/use-hips-to-assign-gateway-ip-address-for-external-clients/m-p/580234#M5123</guid>
      <dc:creator>BenBrazil</dc:creator>
      <dc:date>2024-03-13T15:40:28Z</dc:date>
    </item>
    <item>
      <title>Re: Use HIPS to assign Gateway IP Address for external clients</title>
      <link>https://live.paloaltonetworks.com/t5/globalprotect-discussions/use-hips-to-assign-gateway-ip-address-for-external-clients/m-p/580460#M5130</link>
      <description>&lt;P&gt;Hi &lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/258249"&gt;@BenBrazil&lt;/a&gt; ,&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;As you mentioned, HIP is not available under the gateway Config Selection Criteria.&amp;nbsp; The bigger question is "What do you want to use the different IP pools to accomplish?"&amp;nbsp; If those different pools will be used in different security policy rules, then use the HIP Profiles in the rules instead of the IP pools.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Thanks,&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Tom&lt;/P&gt;</description>
      <pubDate>Fri, 15 Mar 2024 02:05:14 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/globalprotect-discussions/use-hips-to-assign-gateway-ip-address-for-external-clients/m-p/580460#M5130</guid>
      <dc:creator>TomYoung</dc:creator>
      <dc:date>2024-03-15T02:05:14Z</dc:date>
    </item>
    <item>
      <title>Re: Use HIPS to assign Gateway IP Address for external clients</title>
      <link>https://live.paloaltonetworks.com/t5/globalprotect-discussions/use-hips-to-assign-gateway-ip-address-for-external-clients/m-p/580758#M5149</link>
      <description>&lt;P&gt;Thanks Tom,&lt;/P&gt;
&lt;P&gt;The design around the different IP Pool is to prevent access to resources. Agreed, this could be accomplished by a HIPS profile and deny access on policies.&lt;/P&gt;
&lt;P&gt;I found a similar post where a suggestion was to create a new Gateway and use the portal to direct the client to the new gateway. The Portal allows for a custom check which could look for a registry key and therefore achieve a similar result to a HIPS check.&lt;/P&gt;
&lt;P&gt;Is this a reasonable approach?&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Thanks,&lt;/P&gt;
&lt;P&gt;Ben&lt;/P&gt;</description>
      <pubDate>Mon, 18 Mar 2024 09:31:03 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/globalprotect-discussions/use-hips-to-assign-gateway-ip-address-for-external-clients/m-p/580758#M5149</guid>
      <dc:creator>BenBrazil</dc:creator>
      <dc:date>2024-03-18T09:31:03Z</dc:date>
    </item>
    <item>
      <title>Re: Use HIPS to assign Gateway IP Address for external clients</title>
      <link>https://live.paloaltonetworks.com/t5/globalprotect-discussions/use-hips-to-assign-gateway-ip-address-for-external-clients/m-p/580780#M5150</link>
      <description>&lt;P&gt;Hi &lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/258249"&gt;@BenBrazil&lt;/a&gt; ,&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;That could be a reasonable approach.&amp;nbsp; How would you "direct the client to the new gateway"?&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Using IP pools for security policy is a very common approach with many vendors.&amp;nbsp; It generally involves 3 steps:&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;Identify client attribute (user, group, machine attribute, etc.).&lt;/LI&gt;
&lt;LI&gt;Assign IP pool based upon attribute.&lt;/LI&gt;
&lt;LI&gt;Use IP pool in security policy.&lt;/LI&gt;
&lt;/OL&gt;
&lt;P&gt;With User-ID and Device-ID, you can use the attribute (user, group, or HIP Profile) directly in the security policy and skip step 2.&amp;nbsp; This allows for the security policy to be more readable (without comments) as long as the user/group/HIP Profiles are well named, e.g. HR has access to ___ or non-corporate devices have access to ___.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;You could also create objects for your IP Pools and give them good names to accomplish the same purpose, but skipping step 2 makes for a little less complicated approach.&amp;nbsp; BTW, you need a GlobalProtect license for HIP checks.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Thanks,&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Tom&lt;/P&gt;</description>
      <pubDate>Mon, 18 Mar 2024 13:05:39 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/globalprotect-discussions/use-hips-to-assign-gateway-ip-address-for-external-clients/m-p/580780#M5150</guid>
      <dc:creator>TomYoung</dc:creator>
      <dc:date>2024-03-18T13:05:39Z</dc:date>
    </item>
  </channel>
</rss>