topic Re: GlobalProtect HIPS in General Topics

GlobalProtect HIPS

Shawverr — Tue, 03 Sep 2019 17:31:05 GMT

Apologies for new guy question.

I've been asked to set up GlobalProtect VPN with MFA and a HIPS check. For example if there isn't a particular brand of AV the client is rejected. My question (well, one of my thousand) is I don't understand how HIPS ties to the GlobalProtect connection. I don't see anywhere in the setup where it says, "Use this HIP Profile for this Portal and if it doesn't match display this message". I understand that is a pretty simplistic version of what I'm looking for, but hopefully someone gets what I'm saying.

Thanks in advance for your time.

Re: GlobalProtect HIPS

S.Cantwell — Tue, 03 Sep 2019 18:24:03 GMT

Good Day!

You are pretty close in your logical thinking, but it is the GP Gateway that looks at the HIP profile, not the Portal.

When you create the Gateway ==> Agent Tab ==> HIP Notification.

This is where you ask the gateway to compare your HIP objects/profiles to what is being presented by the user, and determine if a person should connect or not.

What other questions do you have?

Re: GlobalProtect HIPS

Shawverr — Tue, 03 Sep 2019 19:19:03 GMT

Hi Steve -

Dead on! The Host Information dropdown is the spot.

I'm a little confused about the difference between GlobalProtect > Gateways > Agent > Client Settings > Configs > IP Pools tab and GlobalProtect > Gateways > Agent > Client IP Pool

I'm guessing that if a vendor isn't listed in say Anti-Malware for example, I'll have to do a workaround with a Custom check?

Re: GlobalProtect HIPS

S.Cantwell — Tue, 03 Sep 2019 19:31:45 GMT

Howdy again!!

So...

GlobalProtect > Gateways > Agent > Client IP Pool = 1 pool for ALL users. Plus!!!! this web pool.

GlobalProtect > Gateways > Agent > Client Settings > Configs > IP Pools tab = a different pool per group or however.

Example... BAD... you have a mix of employees, vendors, and suppliers that need access... if you use Client Pool, everyone has same IP subnet, and kind of hard to control/manager.

Better would be Client Settings (and have 3 profiles)

profile 1. Employees (Subnet A)

profile 2. Vendors

profile 3. Suppliers

just a general example.

In testing... I have seen IT ppl create a profile for themselves only, so that they can get the same subnet/IP everytime they log in. Then make rules allowing that specific subnet/IP access to networking/mgmt vlan, or whatever....

Re: GlobalProtect HIPS

Shawverr — Tue, 03 Sep 2019 19:40:21 GMT

Just so I'm clear, you'd have three different subnets in your example?

Better would be Client Settings (and have 3 profiles)

profile 1. Employees (Subnet A)

profile 2. Vendors (Subnet B)

profile 3. Suppliers (Subnet C)

Correct?

I can't thank you enough for clearing some of this up for me. I'm sure I'll be posting more here as soon as I actually start to go though the process.