https://live.paloaltonetworks.com/t5/general-topics/hip-profile-for-external-partners/m-p/353076#M87272 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/133520">@FWPalolearner</a>,</P> <P>You can assign a different IP pool within the Gateway's client settings so that a particular group (in your case your external partners) are granted different criteria, including IP Pools for this purpose. That would be a easier and cleaner solution for what you are attempting to do.</P> <P>I'm not actually sure that you need to specify a vendor when you setup the HIP Object, or if not selecting a vendor will allow all identifiable projects to actually count towards the profile? It would be something to check quick when you roll this out.&nbsp;</P> Wed, 30 Sep 2020 18:12:54 GMT BPry 2020-09-30T18:12:54Z https://live.paloaltonetworks.com/t5/general-topics/hip-profile-for-external-partners/m-p/353008#M87268 <P>Hello ;</P><P>We have to setup HIP profile check for&nbsp; Corp users and external partners</P><P>&nbsp;</P><P>Currently we have a common Loopback Interface having a Private IP and we have a tunnel interafce&nbsp;</P><P>&nbsp;</P><P>Both loopback and Tunnel are part of same zone called GP</P><P>&nbsp;</P><P>This is same Cluster on which Portal and gateway are running</P><P>&nbsp;</P><P>In order to assign separate HIP Profiles to Corp users and External - we have to allocate different IP pools to them .</P><P>&nbsp;</P><P>So do we need two GP gateways - with same loopback but different Tunnel interface&nbsp; and both tunnel interface assigned to different zones ?,</P><P>&nbsp;</P><P>and then on two gateways we define the Different IP pools&nbsp; for example 192.168.1.10-192.168.1.150 to corp users in GP Gateway 1 having tunnel interface tunnel.1</P><P>&nbsp;</P><P>and then another pool of 192.168.1.225-192.168.1.240 to external users in GP gateway 2 having tunnel interface tunnel.2</P><P>&nbsp;</P><P>Both gateways have same loopback interface ?</P><P>&nbsp;</P><P>Does this work ??</P><P>&nbsp;</P><P>Because as far as i know , HIP Profiles are allocated to Security Policies&nbsp; so we need to define two Zones</P><P>&nbsp;</P><P>Also Do we have to manualluy define the Antivirus we want to accept , can GP check autonmatically what is acceptable to Palo Alto Database ? Normally in Host check it should check the trusted knwn Antivirus but in GP i believe we have to manually define or restrict it ?</P><P>&nbsp;</P><P>because we have no control over which antivirus our Partners use so everytime if there is a new partner it could lead to problem .?</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 30 Sep 2020 16:28:42 GMT https://live.paloaltonetworks.com/t5/general-topics/hip-profile-for-external-partners/m-p/353008#M87268 FWPalolearner 2020-09-30T16:28:42Z https://live.paloaltonetworks.com/t5/general-topics/hip-profile-for-external-partners/m-p/353076#M87272 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/133520">@FWPalolearner</a>,</P> <P>You can assign a different IP pool within the Gateway's client settings so that a particular group (in your case your external partners) are granted different criteria, including IP Pools for this purpose. That would be a easier and cleaner solution for what you are attempting to do.</P> <P>I'm not actually sure that you need to specify a vendor when you setup the HIP Object, or if not selecting a vendor will allow all identifiable projects to actually count towards the profile? It would be something to check quick when you roll this out.&nbsp;</P> Wed, 30 Sep 2020 18:12:54 GMT https://live.paloaltonetworks.com/t5/general-topics/hip-profile-for-external-partners/m-p/353076#M87272 BPry 2020-09-30T18:12:54Z https://live.paloaltonetworks.com/t5/general-topics/hip-profile-for-external-partners/m-p/353102#M87279 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a>&nbsp;</P><P>&nbsp;</P><P>Thanks .</P><P>&nbsp;</P><P>We have lot of external partners and we want to enable Hip profile with an antivirus check.</P><P>&nbsp;</P><P>Palo Alto has a predefined list of 3 rd party av vendors.</P><P>&nbsp;</P><P>So this mean I have to ask all my partner's beforehand what av they use.</P><P>&nbsp;</P><P>If I dont&nbsp; select any specific vendor ,it should check from its own predefined list . Well this is what I used to have with pulse secure host checker.</P><P>&nbsp;</P><P>Even I have no practical experience on Hip but this is a requirement for customer and I currently have no demo system to check</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 30 Sep 2020 19:11:13 GMT https://live.paloaltonetworks.com/t5/general-topics/hip-profile-for-external-partners/m-p/353102#M87279 FWPalolearner 2020-09-30T19:11:13Z https://live.paloaltonetworks.com/t5/general-topics/hip-profile-for-external-partners/m-p/353157#M87292 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/133520">@FWPalolearner</a>,</P> <P>You can always create a HIP object without actually using it within a HIP Profile assigned to any access requirements for testing purposes. You can verify via the firewall's HIP Match logs that the object is matching as expected before actually making it a requirement. I'd advise that this be followed for&nbsp;<EM>any&nbsp;</EM>new object you create to make sure that you won't accidentally break anything.</P> <P>I'm fairly confident that you can leave out any specified vendor and the firewall will check it's entire vendor/product list when analyzing the HIP condition, but I can verify that if I remember later this evening.&nbsp;</P> Wed, 30 Sep 2020 22:39:00 GMT https://live.paloaltonetworks.com/t5/general-topics/hip-profile-for-external-partners/m-p/353157#M87292 BPry 2020-09-30T22:39:00Z https://live.paloaltonetworks.com/t5/general-topics/hip-profile-for-external-partners/m-p/353158#M87293 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a>&nbsp; Thanks a lot as always .</P><P>&nbsp;</P><P>I will also try if i can find some demo VM to test meanwhile</P> Wed, 30 Sep 2020 22:41:15 GMT https://live.paloaltonetworks.com/t5/general-topics/hip-profile-for-external-partners/m-p/353158#M87293 FWPalolearner 2020-09-30T22:41:15Z https://live.paloaltonetworks.com/t5/general-topics/hip-profile-for-external-partners/m-p/353159#M87294 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/133520">@FWPalolearner</a>,</P> <P>Just went through and verified that you&nbsp;<STRONG>don't&nbsp;</STRONG>need to select the actual vendor or product when you configure an anti-malware HIP object. That will default to the firewall simply checking the requirements that you have selected regardless of vendor and the hip object matches as expected.</P> Wed, 30 Sep 2020 23:10:32 GMT https://live.paloaltonetworks.com/t5/general-topics/hip-profile-for-external-partners/m-p/353159#M87294 BPry 2020-09-30T23:10:32Z https://live.paloaltonetworks.com/t5/general-topics/hip-profile-for-external-partners/m-p/353162#M87295 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a>&nbsp; wow .thanks a lot . Antimalware check will make life easy to.convince the customer for UAT .</P><P>&nbsp;</P><P>Thanks again.cheers</P> Wed, 30 Sep 2020 23:42:12 GMT https://live.paloaltonetworks.com/t5/general-topics/hip-profile-for-external-partners/m-p/353162#M87295 FWPalolearner 2020-09-30T23:42:12Z