topic Re: Global Protect on Mobile Devices in General Topics

Global Protect on Mobile Devices

rrau — Wed, 16 Apr 2014 15:23:01 GMT

GP v2.0.1. Successful authentication is based on a particular AD user group. If the user is not part of the group, he/she would be able to connect. We want to implement this solution for smart devices.. however, how can we control who connects and who doesn't? we don't want a user with a personal device to be able to connect to the portal/gateway. Is there a way to lock this down further? without client certificates. we want to have control on who can connect on their personal device. Some exceptions, but not all users.

Re: Global Protect on Mobile Devices

gafrol — Thu, 17 Apr 2014 12:38:15 GMT

You could use HIP for that purpose. Only if the device is "compliant" it is able to connect.For example Insert a hidden registry entry for the devices you want to connect, then check that registry entry with HIP.

Re: Global Protect on Mobile Devices

rrau — Thu, 17 Apr 2014 17:47:09 GMT

I could do that..however, how could I do that for IOS and Android devices wanting to connect?

Re: Global Protect on Mobile Devices

gafrol — Thu, 17 Apr 2014 19:27:56 GMT

Quick and dirty for mobile devices you could configure a hostname and let HIP check for that. With PAN MSM you have more options available for that purpose. With MSM you can check whether a device is managed, if yes allow access.

MSM requires additional Hardware and licensing but you get a complete Mobile Device Management Solution.

Re: Global Protect on Mobile Devices

rrau — Thu, 17 Apr 2014 19:51:00 GMT

additional HW? currently running 3000 series FW

Re: Global Protect on Mobile Devices

gafrol — Thu, 17 Apr 2014 19:57:09 GMT

MSM is an additional Appliance GP-100 Overview - Palo Alto Networks

Configuring and checking hostnames on your mobile devices does not require MSM.

Re: Global Protect on Mobile Devices

rrau — Thu, 17 Apr 2014 19:59:50 GMT

so I will need to know and then add all hostnames from the smart devices?

Re: Global Protect on Mobile Devices

gafrol — Thu, 17 Apr 2014 20:09:26 GMT

No, just the common part of the hostname. See my example screenshot above. So every device starts with the common part of the hostname iPhone-7CC53795BECF- the rest of the hostname can be unique.

Example: iPhone-7CC53795BECF-Device001

With HIP your checking hostname with qualifier "Contains" iPhone-7CC53795BECF

Re: Global Protect on Mobile Devices

rrau — Thu, 17 Apr 2014 20:12:23 GMT

ok, thanks.. makes sense

Re: Global Protect on Mobile Devices

rrau — Thu, 17 Apr 2014 20:15:36 GMT

this wont affect the laptops/desktops that connect?

Re: Global Protect on Mobile Devices

gafrol — Thu, 17 Apr 2014 20:19:41 GMT

It does not as long as you define the OS in the HIP Object, see screenshot above.