topic Re: Globalprotect with Cisco ISE in GlobalProtect Discussions

Globalprotect with Cisco ISE

charles07 — Sat, 13 Mar 2021 05:50:34 GMT

we are using PA Globalprotect for Remote VPN users. Currently planning to implement Cisco ISE posture for RVPN clients.

how can I integrate Globalprotect with Cisco ISE posture module.

Re: Globalprotect with Cisco ISE

PavelK — Mon, 13 Sep 2021 13:08:25 GMT

Thank you @charles07 for posting question.

The ultimate answer is no. The Cisco ISE posture module will only work with Cisco AnyConnect client. Unfortunately there is no integration support for 3d party vpn clients. This information is backed by my Cisco SE. You can still use ISE for authentication of Global Protect clients. If posture check by ISE is a must, then you will unfortunately have to go with AnyConnect.

Kind Regards

Pavel

Re: Globalprotect with Cisco ISE

TomYoung — Mon, 13 Sep 2021 14:31:07 GMT

Hi @charles07 ,

Have you considered using HIP-Based Policy Enforcement? This is the PANW equivalent of ISE posture. This feature is integrated with your existing GlobalProtect (GP) clients. However, it does require a GP license. GP is easy to integrate with ISE as a RADIUS server. The easiest solution would be to let the firewall determine HIP compliance and access, but that possibly could be accomplished with ISE using VSAs.

https://docs.paloaltonetworks.com/globalprotect/8-1/globalprotect-admin/host-information/configure-hip-based-policy-enforcement.html

Regards,

Tom

Re: Globalprotect with Cisco ISE

ceapen01 — Tue, 14 Sep 2021 09:05:22 GMT

Hi @TomYoung GP HIP profile is not equivalent to ISE posture. Much features with ISE are missing in GP HIP.

Re: Globalprotect with Cisco ISE

TomYoung — Tue, 14 Sep 2021 20:49:33 GMT

That statement is not supported by facts. (I'm not saying you don't have any. You didn't state any.) A HIP object can be configured to check mobile device info/settings/apps, PC patch info, personal firewalls, anti-malware/virus software, disk backup, disk encryption, DLP software, certificates, process checks, registry entries, etc. What specific features does ISE Posture check that are not included? I am interested in knowing. I would like to keep this forum technical.

Re: Globalprotect with Cisco ISE

dcawood1 — Fri, 21 Jun 2024 14:50:42 GMT

I haven't found a way to check certs with HIP after login. This seems like it should... be something that GP can do via HIP but Palo TAC is not sure how and there is no documentation on how to check for a cert on a pc/mac. If anyone has found a way - please let me know. So far, seems Palo professional services is the only way to get it done since no one bothered to document this in the administration guide.

Re: Globalprotect with Cisco ISE

TomYoung — Fri, 21 Jun 2024 20:06:56 GMT

Hi @dcawood1 ,

Here is where you check certificates with HIP:

You could also configure certificate authentication and/or username/password.

Thanks,

Tom

Re: Globalprotect with Cisco ISE

dcawood1 — Fri, 21 Jun 2024 21:35:35 GMT

Hi @TomYoung , I have a couple of hip cert checks (issuer&certficate-template-oid) and they match on my laptop. I basically exported the issuing cert for my laptop machine cert from mmc. However, when another test user connects to the test gateway - no cert info is collected from his machine. Any idea what would be causing this and is there another cert I should be using for the cert profile for these hip matches. I haven't found any information yet that would clue me into what I am doing wrong here.

Steps taken:

1 - export cert that shows up as the issuing cert for my laptop

2 - import cert to portal/gateway

3 - create cert profile and add imported cert

4 - create hip objects that validate issuer/template criteria

5 - add cert profile to portal/agent - hip data collection