https://live.paloaltonetworks.com/t5/prisma-access-discussions/use-hip-to-deny-logon-to-pa-with-exception/m-p/425517#M237 <P>Also before that make a rule with the correct groups so that you don't match the blocking rule:</P><P>&nbsp;</P><P>&nbsp;</P><P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClXWCA0" target="_blank">How to Add Groups or Users to Security Policy - Knowledge Base - Palo Alto Networks</A></P> Mon, 09 Aug 2021 13:06:40 GMT nikoolayy1 2021-08-09T13:06:40Z https://live.paloaltonetworks.com/t5/prisma-access-discussions/use-hip-to-deny-logon-to-pa-with-exception/m-p/408338#M195 <P>Has anyone effectively used HIP to deny login to Prisma Access? One of the biggest challenges we had with AnyConnect (and a large reason we are moving away) is that there were no native methods for controlling which device a user was connecting with.</P><P>&nbsp;</P><P>I have built a Security Pre-Rule that references the Domain-joined HIP Policy, and I can see the matches in our monitor tab. I would like to deny logon to anyone who does not satisfy this rule EXCEPT those who are members of a specific Active Directory user group.</P><P>&nbsp;</P><P>I figure the rules would look something like this:</P><P>1) HIP Match on domain = allowed to connect to Portal URL</P><P>2) Match on security group membership = allowed to connect to Portal URL</P><P>3) Deny all connections to Portal URL.</P><P>&nbsp;</P><P>Can anyone confirm that this would be effective?</P> Fri, 21 May 2021 15:46:28 GMT https://live.paloaltonetworks.com/t5/prisma-access-discussions/use-hip-to-deny-logon-to-pa-with-exception/m-p/408338#M195 Thrace 2021-05-21T15:46:28Z https://live.paloaltonetworks.com/t5/prisma-access-discussions/use-hip-to-deny-logon-to-pa-with-exception/m-p/425102#M232 <P>Have you checked the article below?</P><P>&nbsp;</P><P>&nbsp;</P><P><A href="https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-panorama-admin/redistribute-hip-information-and-run-hip-reports.html" target="_blank">https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-panorama-admin/redistribute-hip-information-and-run-hip-reports.html</A></P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>For using HIP in the security policy :</P><P>&nbsp;</P><P><A href="https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/host-information/configure-hip-based-policy-enforcement.html" target="_blank">https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/host-information/configure-hip-based-policy-enforcement.html</A></P> Fri, 06 Aug 2021 12:33:01 GMT https://live.paloaltonetworks.com/t5/prisma-access-discussions/use-hip-to-deny-logon-to-pa-with-exception/m-p/425102#M232 NikolayDimitrov 2021-08-06T12:33:01Z https://live.paloaltonetworks.com/t5/prisma-access-discussions/use-hip-to-deny-logon-to-pa-with-exception/m-p/425517#M237 <P>Also before that make a rule with the correct groups so that you don't match the blocking rule:</P><P>&nbsp;</P><P>&nbsp;</P><P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClXWCA0" target="_blank">How to Add Groups or Users to Security Policy - Knowledge Base - Palo Alto Networks</A></P> Mon, 09 Aug 2021 13:06:40 GMT https://live.paloaltonetworks.com/t5/prisma-access-discussions/use-hip-to-deny-logon-to-pa-with-exception/m-p/425517#M237 nikoolayy1 2021-08-09T13:06:40Z