<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Does anyone use HIP check on the local LAN as a NAC solution? in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/does-anyone-use-hip-check-on-the-local-lan-as-a-nac-solution/m-p/144208#M48851</link>
    <description>&lt;UL&gt;&lt;LI&gt;How effective is this as a NAC solution for the internal LAN?&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;Depending on how you set up your HIP check it could make a pretty effective 'NAC' environment. You could HIP check to make sure that they were within your network's requirements (AV current and ran in a timely manner, domain joined), and then set up security policies that wouldn't allow anybody to your different security policies unless they had a named user account.&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;Without 802.1x authentication, does a machine without GP installed simply bypass the internal gateway (and HIP check)?&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;You could potentially deny any non-named user access to anything within your network, or outside internet access with ease as long as you set up your security zones with this in mind. Otherwise you could just make it so that your servers/internal resources were in a dedicated 'zone' that the user would not have access to unless they had logged into GlobalProtect and received a GP address that had security policies that allowed zone access.&lt;/P&gt;&lt;P&gt;This can, and has been, done. It works well as long as you are aware that, like any NAC solution, you will likely run into occasional issues. It doesn't act as a true 'NAC' as you don't have all of the checks that a traditional NAC would employ to verify that the device was supposed to be on your network. That being said, most people don't utilize any of the features in a NAC deployment that couldn't be done with a HIP check and the proper security policies on the firewall. I wouldn't really want to make this change in a working enterprise environment though, as switching over to something like this would be a fairly substantial upgrade; NAC has the advantage of being something that you can easily tune and assure management that it's working prior to a full roll-out.&lt;/P&gt;</description>
    <pubDate>Tue, 21 Feb 2017 22:16:32 GMT</pubDate>
    <dc:creator>BPry</dc:creator>
    <dc:date>2017-02-21T22:16:32Z</dc:date>
    <item>
      <title>Does anyone use HIP check on the local LAN as a NAC solution?</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/does-anyone-use-hip-check-on-the-local-lan-as-a-nac-solution/m-p/144181#M48840</link>
      <description>&lt;P&gt;I understand that a HIP check can be used on the local LAN when the GlobalProtect client connects to the internal gateway.&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;How effective is this as a NAC solution for the internal LAN?&lt;/LI&gt;&lt;/UL&gt;&lt;UL&gt;&lt;LI&gt;Without 802.1x authentication, does a machine without GP installed simply bypass the internal gateway (and HIP check)?&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;Thanks&lt;/P&gt;</description>
      <pubDate>Tue, 21 Feb 2017 20:57:13 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/does-anyone-use-hip-check-on-the-local-lan-as-a-nac-solution/m-p/144181#M48840</guid>
      <dc:creator>Maxstr</dc:creator>
      <dc:date>2017-02-21T20:57:13Z</dc:date>
    </item>
    <item>
      <title>Re: Does anyone use HIP check on the local LAN as a NAC solution?</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/does-anyone-use-hip-check-on-the-local-lan-as-a-nac-solution/m-p/144208#M48851</link>
      <description>&lt;UL&gt;&lt;LI&gt;How effective is this as a NAC solution for the internal LAN?&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;Depending on how you set up your HIP check it could make a pretty effective 'NAC' environment. You could HIP check to make sure that they were within your network's requirements (AV current and ran in a timely manner, domain joined), and then set up security policies that wouldn't allow anybody to your different security policies unless they had a named user account.&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;Without 802.1x authentication, does a machine without GP installed simply bypass the internal gateway (and HIP check)?&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;You could potentially deny any non-named user access to anything within your network, or outside internet access with ease as long as you set up your security zones with this in mind. Otherwise you could just make it so that your servers/internal resources were in a dedicated 'zone' that the user would not have access to unless they had logged into GlobalProtect and received a GP address that had security policies that allowed zone access.&lt;/P&gt;&lt;P&gt;This can, and has been, done. It works well as long as you are aware that, like any NAC solution, you will likely run into occasional issues. It doesn't act as a true 'NAC' as you don't have all of the checks that a traditional NAC would employ to verify that the device was supposed to be on your network. That being said, most people don't utilize any of the features in a NAC deployment that couldn't be done with a HIP check and the proper security policies on the firewall. I wouldn't really want to make this change in a working enterprise environment though, as switching over to something like this would be a fairly substantial upgrade; NAC has the advantage of being something that you can easily tune and assure management that it's working prior to a full roll-out.&lt;/P&gt;</description>
      <pubDate>Tue, 21 Feb 2017 22:16:32 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/does-anyone-use-hip-check-on-the-local-lan-as-a-nac-solution/m-p/144208#M48851</guid>
      <dc:creator>BPry</dc:creator>
      <dc:date>2017-02-21T22:16:32Z</dc:date>
    </item>
    <item>
      <title>Re: Does anyone use HIP check on the local LAN as a NAC solution?</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/does-anyone-use-hip-check-on-the-local-lan-as-a-nac-solution/m-p/443239#M100193</link>
      <description>&lt;P&gt;Hello&lt;/P&gt;&lt;P&gt;I found this while searching for the same solution, which we're asked for in our cyber compliance checks. Are there any docs I can read on this on the PAN support portal?&lt;/P&gt;</description>
      <pubDate>Mon, 25 Oct 2021 17:27:17 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/does-anyone-use-hip-check-on-the-local-lan-as-a-nac-solution/m-p/443239#M100193</guid>
      <dc:creator>cdcirexx</dc:creator>
      <dc:date>2021-10-25T17:27:17Z</dc:date>
    </item>
    <item>
      <title>Re: Does anyone use HIP check on the local LAN as a NAC solution?</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/does-anyone-use-hip-check-on-the-local-lan-as-a-nac-solution/m-p/443289#M100201</link>
      <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/23401"&gt;@cdcirexx&lt;/a&gt;,&lt;/P&gt;
&lt;P&gt;&lt;A href="https://docs.paloaltonetworks.com/globalprotect/10-0/globalprotect-admin/host-information/configure-hip-based-policy-enforcement.html" target="_blank"&gt;https://docs.paloaltonetworks.com/globalprotect/10-0/globalprotect-admin/host-information/configure-hip-based-policy-enforcement.html&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;A href="https://docs.paloaltonetworks.com/globalprotect/10-0/globalprotect-admin/globalprotect-quick-configs/globalprotect-for-internal-hip-checking-and-user-based-access.html" target="_blank"&gt;https://docs.paloaltonetworks.com/globalprotect/10-0/globalprotect-admin/globalprotect-quick-configs/globalprotect-for-internal-hip-checking-and-user-based-access.html&lt;/A&gt;&lt;/P&gt;
</description>
      <pubDate>Mon, 25 Oct 2021 23:10:41 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/does-anyone-use-hip-check-on-the-local-lan-as-a-nac-solution/m-p/443289#M100201</guid>
      <dc:creator>BPry</dc:creator>
      <dc:date>2021-10-25T23:10:41Z</dc:date>
    </item>
  </channel>
</rss>

