https://live.paloaltonetworks.com/t5/general-topics/allow-internet-only-after-hip-fail/m-p/233366#M66929 <P>to keep it simple could you not just add an allow rule based on HIP fail to allow access to proxies only, followed by your RFC1918 block if still needed... you may only need the first allow...</P> Tue, 02 Oct 2018 14:20:24 GMT Mick_Ball 2018-10-02T14:20:24Z https://live.paloaltonetworks.com/t5/general-topics/allow-internet-only-after-hip-fail/m-p/233264#M66903 <P>We are looking to configure the firewall rules where if a known user fails the HIP check, the user has access to only the internet, and not the intranet.</P><P>&nbsp;</P><P>I currently have the rules configured such that failing the HIP check allows the user to access to both the internet and the intranet. We tried blocking RFC1918 in the destination address field, but this blocks my proxy servers that all outward traffic must go through.&nbsp;</P><P>&nbsp;</P><P>Any ideas?</P> Mon, 01 Oct 2018 23:52:34 GMT https://live.paloaltonetworks.com/t5/general-topics/allow-internet-only-after-hip-fail/m-p/233264#M66903 mikembau 2018-10-01T23:52:34Z https://live.paloaltonetworks.com/t5/general-topics/allow-internet-only-after-hip-fail/m-p/233366#M66929 <P>to keep it simple could you not just add an allow rule based on HIP fail to allow access to proxies only, followed by your RFC1918 block if still needed... you may only need the first allow...</P> Tue, 02 Oct 2018 14:20:24 GMT https://live.paloaltonetworks.com/t5/general-topics/allow-internet-only-after-hip-fail/m-p/233366#M66929 Mick_Ball 2018-10-02T14:20:24Z