https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-hip-check-when-connecting-to-external-gateway/m-p/375200#M716 <P>No I don't think this is possible as HIP info is collected and sent after the GW connection is established.</P><P>You could add a deny policy at the top of your ruleset to deny all from sslvpn zone&nbsp; if HIP&nbsp; is "Not" a match.</P><P>this would save you adding to all other policies but you will then need to move up any policies that you may have that would allow traffic with a no match (If you have any).&nbsp;</P> Fri, 18 Dec 2020 12:22:56 GMT Mick_Ball 2020-12-18T12:22:56Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-hip-check-when-connecting-to-external-gateway/m-p/374952#M711 <P>I have GlobalProtect portal/gateway configured and working in my environment. External users can connect to the GP portal/gateway and receive network access.</P><P>&nbsp;</P><P>I have set up a HIP profile to check for domain joined and AV updated in the last 3 days. What I'd like to do is have the HIP check run during the initial connection to GP portal/gateway, so basically if HIP check passes, user is allowed to connect to GP, if HIP check fails, user is not allowed to connect to GP.</P><P>&nbsp;</P><P>I do not want to set the HIP check profile for SSLVPN zone on every single firewall rule (we have a huge ruleset). I only want the HIP check enforced on connection to the GP portal/gateway.</P><P>&nbsp;</P><P>I tried applying the HIP check profile to the firewall rule that allows GP connection from WAN, but that did not do the trick.</P> Thu, 17 Dec 2020 14:55:15 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-hip-check-when-connecting-to-external-gateway/m-p/374952#M711 TomKisiel 2020-12-17T14:55:15Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-hip-check-when-connecting-to-external-gateway/m-p/375200#M716 <P>No I don't think this is possible as HIP info is collected and sent after the GW connection is established.</P><P>You could add a deny policy at the top of your ruleset to deny all from sslvpn zone&nbsp; if HIP&nbsp; is "Not" a match.</P><P>this would save you adding to all other policies but you will then need to move up any policies that you may have that would allow traffic with a no match (If you have any).&nbsp;</P> Fri, 18 Dec 2020 12:22:56 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-hip-check-when-connecting-to-external-gateway/m-p/375200#M716 Mick_Ball 2020-12-18T12:22:56Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-hip-check-when-connecting-to-external-gateway/m-p/375233#M719 <P>I understand what you're saying, but trying to figure out how I would design that rule.</P><P>&nbsp;</P><P>Zone- SSLVPN</P><P>Source- User, Address- Any</P><P>HIP Profile- HIP-Checks</P><P>Destination- Zone, User, Address- Any</P><P>Action- Deny?</P> Fri, 18 Dec 2020 16:20:49 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-hip-check-when-connecting-to-external-gateway/m-p/375233#M719 TomKisiel 2020-12-18T16:20:49Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-hip-check-when-connecting-to-external-gateway/m-p/375234#M720 <P>OK I will try to keep it simple and us an OS as the example.</P><P>&nbsp;</P><P>what we are trying to achieve is to allow all win10&nbsp; devices access via the policies.</P><P>But we do not want to add this to all of the policies as there is hundreds of them.</P><P>&nbsp;</P><P>so...&nbsp; &nbsp;</P><P>objects/hip object&nbsp; &nbsp;add name win10-check&nbsp; &nbsp; &nbsp;general/host info/OS contains msoft windows 10.</P><P>&nbsp;</P><P>then..</P><P>&nbsp;</P><P>objects/hip profiles&nbsp; add&nbsp; name not-win10&nbsp; &nbsp; match add <U><STRONG>NOT&nbsp;</STRONG></U> win10-check</P><P>&nbsp;</P><P>then..</P><P>&nbsp;</P><P>policy add from sslvpn&nbsp; &nbsp;to private&nbsp; &nbsp;hip not-win10&nbsp; any any any deny</P><P>&nbsp;</P><P>i hope i got that correct as popping out...</P><P>&nbsp;</P><P>so...&nbsp; &nbsp;if you only allow a certain level in, AV etc. then block those that do not meet the requirement with a NOT hip profile.</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 18 Dec 2020 16:44:18 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-hip-check-when-connecting-to-external-gateway/m-p/375234#M720 Mick_Ball 2020-12-18T16:44:18Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-hip-check-when-connecting-to-external-gateway/m-p/375238#M721 <P>&nbsp;</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="MickBall_0-1608310070352.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/29202i79F40E40F5698C5E/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="MickBall_0-1608310070352.png" alt="MickBall_0-1608310070352.png" /></span></P><P>&nbsp;</P> Fri, 18 Dec 2020 16:48:08 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-hip-check-when-connecting-to-external-gateway/m-p/375238#M721 Mick_Ball 2020-12-18T16:48:08Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-hip-check-when-connecting-to-external-gateway/m-p/375264#M722 <P>Perfect, this works!!</P> Fri, 18 Dec 2020 17:01:22 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-hip-check-when-connecting-to-external-gateway/m-p/375264#M722 TomKisiel 2020-12-18T17:01:22Z