https://live.paloaltonetworks.com/t5/general-topics/grant-access-to-device-with-specific-installed-applications-and/m-p/149514#M49800 <P>Hello,</P><P>&nbsp;</P><P>I would like to know if it was possible, and how, to grant&nbsp;access in the internal network (wired and wi-fi), on the basis of the presence of an application.</P><P>&nbsp;</P><P>In fact, I want to allow access to devices where&nbsp;spécific applications are installed, and redirect others to a captive portal for identification.</P><P>&nbsp;</P><P>Have you got any information tu set up this solution ?</P><P>&nbsp;</P><P>Thank you in advance for your help.</P><P>&nbsp;</P><P>&nbsp;</P> Sat, 25 Mar 2017 12:36:48 GMT informatiq 2017-03-25T12:36:48Z https://live.paloaltonetworks.com/t5/general-topics/grant-access-to-device-with-specific-installed-applications-and/m-p/149514#M49800 <P>Hello,</P><P>&nbsp;</P><P>I would like to know if it was possible, and how, to grant&nbsp;access in the internal network (wired and wi-fi), on the basis of the presence of an application.</P><P>&nbsp;</P><P>In fact, I want to allow access to devices where&nbsp;spécific applications are installed, and redirect others to a captive portal for identification.</P><P>&nbsp;</P><P>Have you got any information tu set up this solution ?</P><P>&nbsp;</P><P>Thank you in advance for your help.</P><P>&nbsp;</P><P>&nbsp;</P> Sat, 25 Mar 2017 12:36:48 GMT https://live.paloaltonetworks.com/t5/general-topics/grant-access-to-device-with-specific-installed-applications-and/m-p/149514#M49800 informatiq 2017-03-25T12:36:48Z https://live.paloaltonetworks.com/t5/general-topics/grant-access-to-device-with-specific-installed-applications-and/m-p/149521#M49801 <P>I'd love to be wrong, but I don't believe so. Being able to detect what's installed on a local machine would require a client of some sort installed on the client (at the very least, a java applet) to be able to scan for a local file/registry key and report back to the firewall.</P><P>&nbsp;</P><P>there may be a clumsy, awkward workaround possible using the API and/or EDLs if you can get the detection/reporting component working, through possibly another management client running on the desktop.</P> Sat, 25 Mar 2017 16:52:50 GMT https://live.paloaltonetworks.com/t5/general-topics/grant-access-to-device-with-specific-installed-applications-and/m-p/149521#M49801 bradk14 2017-03-25T16:52:50Z https://live.paloaltonetworks.com/t5/general-topics/grant-access-to-device-with-specific-installed-applications-and/m-p/149599#M49807 <P>Hello,</P><P>&nbsp;</P><P>Do you think that we could use the Globalprotect client to detect applications ?</P><P>&nbsp;</P><P>Globalprotect can do that for VPN client, but I don't know if it works for wired or Wi-Fi access.&nbsp;</P> Mon, 27 Mar 2017 07:37:23 GMT https://live.paloaltonetworks.com/t5/general-topics/grant-access-to-device-with-specific-installed-applications-and/m-p/149599#M49807 informatiq 2017-03-27T07:37:23Z https://live.paloaltonetworks.com/t5/general-topics/grant-access-to-device-with-specific-installed-applications-and/m-p/149601#M49809 <P>GP client can detect which applications users have installed when connecting to GP gateway. So you could make this work with internal GP gateway maybe.</P><P>&nbsp;</P><P>PA FW can filter traffic based on applications passing through the firewall, but can't make decisioins based on applications installed on client.</P><P>&nbsp;</P><P>What you are looking for is usually&nbsp;part of NAC solution (allowing clients netwrok access based on their posture).</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 27 Mar 2017 07:51:40 GMT https://live.paloaltonetworks.com/t5/general-topics/grant-access-to-device-with-specific-installed-applications-and/m-p/149601#M49809 santonic 2017-03-27T07:51:40Z https://live.paloaltonetworks.com/t5/general-topics/grant-access-to-device-with-specific-installed-applications-and/m-p/149604#M49811 <P>Hi</P> <P>&nbsp;</P> <P>For your installed users GlobalProtect could provide HIP checks that allow you to check if certain applications are installed/running and will perform UserID at the same time</P> <P>&nbsp;</P> <P>You can then simply enable captive portal for the same network, as captive portal will only trigger for non-identified users: anyone without GlobalProtect or the capability of checking if certains applications are installed will be redirected</P> Mon, 27 Mar 2017 07:57:20 GMT https://live.paloaltonetworks.com/t5/general-topics/grant-access-to-device-with-specific-installed-applications-and/m-p/149604#M49811 reaper 2017-03-27T07:57:20Z https://live.paloaltonetworks.com/t5/general-topics/grant-access-to-device-with-specific-installed-applications-and/m-p/151022#M50055 <P>Hi,</P><P>&nbsp;</P><P>I try your solution, but I have problems.</P><P>&nbsp;</P><P>I follow this tutorial :&nbsp;<A href="https://www.paloaltonetworks.com/documentation/61/globalprotect/globalprotect-admin-guide/globalprotect-quick-configs/globalprotect-for-internal-hip-checking-and-user-based-access" target="_blank">https://www.paloaltonetworks.com/documentation/61/globalprotect/globalprotect-admin-guide/globalprotect-quick-configs/globalprotect-for-internal-hip-checking-and-user-based-access</A></P><P>&nbsp;</P><P>So I made my HIP profile, and I put the (Globalprotect) portal and the (Globalprotect) gateway on my subnet interface.</P><P>&nbsp;</P><P>In HIP Match logs I don't see any configuration. So I try to connect myself with the Globalprotect client, and there are HIP match in logs.</P><P>Moreover, I don't find options to enable captive portal only for non-identified users.</P><P>&nbsp;</P><P>I also try to make a captive portal without Globalprotect (<EM>Device</EM>&gt;<EM>User Identification</EM> and <EM>Policies</EM>&gt;<EM>Captive Portal</EM>). But I can't make a rule to use HIP profile.</P><P>&nbsp;</P><P>Can you help me on these&nbsp;points?</P><P>&nbsp;</P><P>(The PAN-OS version is 7.1.7)</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 04 Apr 2017 08:21:34 GMT https://live.paloaltonetworks.com/t5/general-topics/grant-access-to-device-with-specific-installed-applications-and/m-p/151022#M50055 informatiq 2017-04-04T08:21:34Z https://live.paloaltonetworks.com/t5/general-topics/grant-access-to-device-with-specific-installed-applications-and/m-p/151027#M50057 <P>by default Captive Portal only triggers for unidentified users</P> <P>you can't enable HIP profiles for Captive portal, HIP is only supported on GlobalProtect</P> <P>&nbsp;</P> <P>I'd suggest you focus on one aspect at a time and add more features as you make sure the previous feature works as expected</P> <P>&nbsp;</P> <P>start by setting up captive portal</P> <P>this should spawn a login page for everyone</P> <P>next, set up <STRIKE>captive portal</STRIKE> GlobalProtect and have these users simply be identified, to ensure your GP users are properly identified and everyone else gets served a captive portal login page</P> <P>next, add hip checks to ensure your GP users have the appropriate software installed and running</P> <P>&nbsp;</P> <P>this step by step will considerably simplify your efforts to make things work as expected</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>::edited::</P> Thu, 04 May 2017 13:34:11 GMT https://live.paloaltonetworks.com/t5/general-topics/grant-access-to-device-with-specific-installed-applications-and/m-p/151027#M50057 reaper 2017-05-04T13:34:11Z