https://live.paloaltonetworks.com/t5/prisma-access-discussions/applying-different-hip-checks-to-different-global-protect-app/m-p/578877#M703 <P>Hello,</P> <P>&nbsp;</P> <P>We're trying to figure out if there's a way to have different HIP Profiles attached to different Global Protect App groups. At the highest level, we have two Global Protect App Settings / Groups defined. One is default and one is for Contractors. Contractors who connect to Global Protect get assigned slightly different settings for a number of reasons.</P> <P>&nbsp;</P> <P>Right now the HIP Check Profile is globally assigned. Ideally, we'd like to create a tighter HIP check for the Default group since we have more control over those systems w/o impacting the other groups.</P> <P>&nbsp;</P> <P>Any ideas or is this just a limitation with Prisma Access / Global Protect?</P> Thu, 29 Feb 2024 17:51:15 GMT KevinPawloski 2024-02-29T17:51:15Z https://live.paloaltonetworks.com/t5/prisma-access-discussions/applying-different-hip-checks-to-different-global-protect-app/m-p/578877#M703 <P>Hello,</P> <P>&nbsp;</P> <P>We're trying to figure out if there's a way to have different HIP Profiles attached to different Global Protect App groups. At the highest level, we have two Global Protect App Settings / Groups defined. One is default and one is for Contractors. Contractors who connect to Global Protect get assigned slightly different settings for a number of reasons.</P> <P>&nbsp;</P> <P>Right now the HIP Check Profile is globally assigned. Ideally, we'd like to create a tighter HIP check for the Default group since we have more control over those systems w/o impacting the other groups.</P> <P>&nbsp;</P> <P>Any ideas or is this just a limitation with Prisma Access / Global Protect?</P> Thu, 29 Feb 2024 17:51:15 GMT https://live.paloaltonetworks.com/t5/prisma-access-discussions/applying-different-hip-checks-to-different-global-protect-app/m-p/578877#M703 KevinPawloski 2024-02-29T17:51:15Z https://live.paloaltonetworks.com/t5/prisma-access-discussions/applying-different-hip-checks-to-different-global-protect-app/m-p/578955#M704 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/242531">@KevinPawloski</a> ,</P> <P>&nbsp;</P> <P>HIP Profiles are not attached to GP groups.&nbsp; They are enforced in the security policy.&nbsp; HIP failures do not cause users to disconnect from GP.&nbsp; If the security policy is setup correctly, devices that do not match the profiles will still connect via GP, but cannot access resources except possibly remediation servers.</P> <P>&nbsp;</P> <P>If you have current security policy rules for the GP source zone and contractors, you can add the HIP Profile and the users will not match the rule unless they match the HIP Profile.&nbsp; You can also add the HIP Profile to your default GP rules, and the contractors will not match the "tighter" HIP Profile and not be allowed.</P> <P>&nbsp;</P> <P>For your gateway, you could setup a HIP match notification popup so that different users will get different notices when they match different profiles.&nbsp; If you want a "not match" popup, you would need 2 gateways.&nbsp; Otherwise the contractors would get the not match tight HIP Profile, and the default would get the not match contractor HIP Profile.</P> <P>&nbsp;</P> <P><A href="https://live.paloaltonetworks.com/t5/community-blogs/leveraging-host-information-profile-hip/ba-p/291126" target="_blank" rel="noopener">https://live.paloaltonetworks.com/t5/community-blogs/leveraging-host-information-profile-hip/ba-p/291126</A></P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Tom</P> <P>&nbsp;</P> <P>&nbsp;</P> Fri, 15 Mar 2024 19:24:52 GMT https://live.paloaltonetworks.com/t5/prisma-access-discussions/applying-different-hip-checks-to-different-global-protect-app/m-p/578955#M704 TomYoung 2024-03-15T19:24:52Z