https://live.paloaltonetworks.com/t5/general-topics/globalprotect-restrict-to-approved-devices/m-p/235808#M67579 <P>Hey Dylan,</P><P>&nbsp;</P><P>Yep, this is totally do-able.</P><P>&nbsp;</P><P>Option one - via the authentication profile.</P><P>Go to Network -&gt; GlobalProtect -&gt; Portals -&gt; {Portal Name} -&gt; Authentication Tab - note the Auth Profile being used.</P><P>&nbsp;</P><P>Then go to Device -&gt; Authentication profiles -&gt; Add the AD group into the auth profiles allow list. Note: this would affect any other services that use this authentication profile like captive portal etc.</P><P>&nbsp;</P><P>Option two - via the portal/gateway agent config</P><P><SPAN>Go to Network -&gt; GlobalProtect -&gt; Portals -&gt; {Portal Name} -&gt; AgentTab</SPAN></P><P><SPAN>Open the config name and go to the User/User Group tab and add the AD group there</SPAN></P><P>&nbsp;</P><P><SPAN>This is presuming you have User-ID and Group Mapping configured, if you haven't, it might be best to start here:</SPAN></P><P>&nbsp;</P><P><SPAN><A href="https://www.paloaltonetworks.com/documentation/81/pan-os/pan-os/user-id/map-ip-addresses-to-users" target="_blank">https://www.paloaltonetworks.com/documentation/81/pan-os/pan-os/user-id/map-ip-addresses-to-users</A></SPAN></P><P>&nbsp;</P><P><SPAN><A href="https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/user-id/map-users-to-groups" target="_blank">https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/user-id/map-users-to-groups</A></SPAN></P><P>&nbsp;</P><P>&nbsp;</P> Wed, 17 Oct 2018 16:10:22 GMT LukeBullimore 2018-10-17T16:10:22Z https://live.paloaltonetworks.com/t5/general-topics/globalprotect-restrict-to-approved-devices/m-p/235794#M67577 <P>Hello,</P><P>&nbsp;</P><P>I am trying to restrict what devices users can log in to GlobalProtect with to only machines that we have given them.&nbsp; Since all of those machines would be domain-joined, I would expect that I can import an AD group that contains those machines and use that as a restriction, but all I can find is how to use an AD group for allowed users (which I am also using).&nbsp; &nbsp;Can I restrict this the way that I want, or is that not possible?</P><P>&nbsp;</P><P>Dylan</P><P>&nbsp;</P> Wed, 17 Oct 2018 16:00:00 GMT https://live.paloaltonetworks.com/t5/general-topics/globalprotect-restrict-to-approved-devices/m-p/235794#M67577 Dylanroehrig 2018-10-17T16:00:00Z https://live.paloaltonetworks.com/t5/general-topics/globalprotect-restrict-to-approved-devices/m-p/235808#M67579 <P>Hey Dylan,</P><P>&nbsp;</P><P>Yep, this is totally do-able.</P><P>&nbsp;</P><P>Option one - via the authentication profile.</P><P>Go to Network -&gt; GlobalProtect -&gt; Portals -&gt; {Portal Name} -&gt; Authentication Tab - note the Auth Profile being used.</P><P>&nbsp;</P><P>Then go to Device -&gt; Authentication profiles -&gt; Add the AD group into the auth profiles allow list. Note: this would affect any other services that use this authentication profile like captive portal etc.</P><P>&nbsp;</P><P>Option two - via the portal/gateway agent config</P><P><SPAN>Go to Network -&gt; GlobalProtect -&gt; Portals -&gt; {Portal Name} -&gt; AgentTab</SPAN></P><P><SPAN>Open the config name and go to the User/User Group tab and add the AD group there</SPAN></P><P>&nbsp;</P><P><SPAN>This is presuming you have User-ID and Group Mapping configured, if you haven't, it might be best to start here:</SPAN></P><P>&nbsp;</P><P><SPAN><A href="https://www.paloaltonetworks.com/documentation/81/pan-os/pan-os/user-id/map-ip-addresses-to-users" target="_blank">https://www.paloaltonetworks.com/documentation/81/pan-os/pan-os/user-id/map-ip-addresses-to-users</A></SPAN></P><P>&nbsp;</P><P><SPAN><A href="https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/user-id/map-users-to-groups" target="_blank">https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/user-id/map-users-to-groups</A></SPAN></P><P>&nbsp;</P><P>&nbsp;</P> Wed, 17 Oct 2018 16:10:22 GMT https://live.paloaltonetworks.com/t5/general-topics/globalprotect-restrict-to-approved-devices/m-p/235808#M67579 LukeBullimore 2018-10-17T16:10:22Z https://live.paloaltonetworks.com/t5/general-topics/globalprotect-restrict-to-approved-devices/m-p/235813#M67584 <P>Thanks for the quick reply.&nbsp; I am currently using an AD group for the users, so I have an AD group of allowed GP users, and that group is in the Auth profile allowed list.&nbsp; You're saying that I can do the same for a group of computers?&nbsp; Everything in the group mapping seemed to be user-centric which is why I didn't think that would work.</P> Wed, 17 Oct 2018 16:19:29 GMT https://live.paloaltonetworks.com/t5/general-topics/globalprotect-restrict-to-approved-devices/m-p/235813#M67584 Dylanroehrig 2018-10-17T16:19:29Z https://live.paloaltonetworks.com/t5/general-topics/globalprotect-restrict-to-approved-devices/m-p/235814#M67585 <P>Ah, I may have misunderstood. You cannot specify computer names in auth profiles or within the user/group config it must either be a user or group.</P><P>&nbsp;</P><P>Since you mentioned all the machines are part of the domain, you could add them all to a new group called vpn then add this VPN group to either the allow list in the auth profile or the portal/agent config like I mentioned. Doing this method option two would be preferred, or otherwise I would make a new authentication profile specific to GlobalProtect; utilising the allow list method.</P> Wed, 17 Oct 2018 16:23:48 GMT https://live.paloaltonetworks.com/t5/general-topics/globalprotect-restrict-to-approved-devices/m-p/235814#M67585 LukeBullimore 2018-10-17T16:23:48Z https://live.paloaltonetworks.com/t5/general-topics/globalprotect-restrict-to-approved-devices/m-p/235847#M67599 <P>I'll give it a shot.&nbsp; What I meant with my user centric comment was that in the group mapping configuration, there are options for user attributes, but not computer (Primary Username for example). Since the computer isn't actually doing the authenticating, I wasn't sure this would work.&nbsp;</P><P>&nbsp;</P><P>I've been looking at this:&nbsp;<A href="https://researchcenter.paloaltonetworks.com/2015/06/byod-makes-you-productive-and-its-also-why-your-nac-deployments-fail/" target="_blank">https://researchcenter.paloaltonetworks.com/2015/06/byod-makes-you-productive-and-its-also-why-your-nac-deployments-fail/</A> which says:&nbsp;<STRONG>GlobalProtect can also be used to perform Host Integrity Posture (HIP) checks&nbsp;</STRONG>which sounds like another way to go. I don't think that i could use the domain membership thing, but maybe something else that would be specific to machines that we provide.&nbsp; My main thing is, I want to prevent personal computers from connecting.</P> Wed, 17 Oct 2018 17:39:24 GMT https://live.paloaltonetworks.com/t5/general-topics/globalprotect-restrict-to-approved-devices/m-p/235847#M67599 Dylanroehrig 2018-10-17T17:39:24Z https://live.paloaltonetworks.com/t5/general-topics/globalprotect-restrict-to-approved-devices/m-p/235944#M67629 <P>We use windows PKI so that only domain members can connect via GP.</P><P>&nbsp;</P><P>you can either place the certificate in the user store for user auth or in the machine store for device auth.</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 18 Oct 2018 05:27:00 GMT https://live.paloaltonetworks.com/t5/general-topics/globalprotect-restrict-to-approved-devices/m-p/235944#M67629 Mick_Ball 2018-10-18T05:27:00Z https://live.paloaltonetworks.com/t5/general-topics/globalprotect-restrict-to-approved-devices/m-p/236877#M67873 <P>I marked two things correct because the first led me to the second.&nbsp; I ended up using a HIP profile.&nbsp;&nbsp;</P><P>&nbsp;</P><P>1 - created a HIP Object where on the general tab the Host Info "domain" is our domain</P><P>2 - Created a HIP Profile that just contained the new HIP object</P><P>3 - on my Security Policies from the GlobalProtect Zone, I put that matching the HIP Profile was a requirement from the source zone</P> Wed, 24 Oct 2018 17:45:42 GMT https://live.paloaltonetworks.com/t5/general-topics/globalprotect-restrict-to-approved-devices/m-p/236877#M67873 Dylanroehrig 2018-10-24T17:45:42Z