This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

GlobalProtect: User/Device Context and Compliance

cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 

GlobalProtect: User/Device Context and Compliance

SpencerMitchell
L3 Networker

on ‎04-10-2020 12:06 PM - edited on ‎07-11-2022 08:30 AM by

100% helpful (2/2)

GlobalProtect: User/Device Context and ComplianceGlobalProtect: User/Device Context and Compliance

 

 

In my previous article, "GlobalProtect: Expanded Setup," we covered the expanded setup of GlobalProtect, which included multiple authentication types, as well as the creation of an internal gateway.

 

In this post, we are going to modify security policy matching based on user identity and device context provided via the GlobalProtect app. We will also enable notifications to the end user based on compliance of the endpoint. You can see a diagram of the environment here.

The value in leveraging user identity and device context in security policy along with end user notifications allow for greater visibility as well as more granular control over what users can access. This same methodology is applicable regardless of user location, and best practices dictate that they should be leveraged wherever possible. If a user is outside of what is required in order to access resources, they can be notified or mapped to a different rule to provide the minimum level of access required in order to become compliant.

 

NOTE: This article assumes that you have already followed the previous articles in this series.

 

Part III - User/Device Context and Compliance

  • Navigate to Objects > GlobalProtect > HIP Objects > Add to create one or more test objects that are applicable to your environment
    • Name the HIP Object and enable, checking for something specific to your environment. In my case, I run Cortex XDR Prevent on my workstations, and I will be also testing via an iPhone, so I will create two objects called AV and iPhone.

HIP Object - General Tab - AVHIP Object - General Tab - AV

HIP Object - Anti-Malware TabHIP Object - Anti-Malware Tab

HIP Object - General Tab - iPhoneHIP Object - General Tab - iPhone

  • Navigate to Objects > GlobalProtect > HIP Profiles > Add to create a profile that references both of the previously created objects
    • NOTE: In the screenshot below, the profile will match based on either of the previously created objects

HIP Profile - Compliant HIP ProfileHIP Profile - Compliant HIP Profile

  • Navigate to Network > GlobalProtect > Gateways > open each of the existing gateways > Agent > HIP Notification > Add
    • Select the Host Information profile that was previously created
    • On the Match Message tab
      • Check the Enable box
      • Enter a message
    • On the Not Match Message tab
      • Check the Enable box
      • Enter a message

HIP Notification - Compliant HIP Profile - Match MessageHIP Notification - Compliant HIP Profile - Match Message

HIP Notification - Compliant HIP Profile - Not Match MessageHIP Notification - Compliant HIP Profile - Not Match Message

  • Navigate to Policies > Security to create rules based on user group and device context
    • As shown below, we are adding a user group and HIP profile as match criteria

Security Policies - Add User Group and HIP ProfileSecurity Policies - Add User Group and HIP Profile

  • Commit the configuration
You should now be able to log into GlobalProtect and see a message similar to the following:
GlobalProtect - Home Internal Gateway CompliantGlobalProtect - Home Internal Gateway Compliant
 

You should also be able to see rule matches via the Traffic logs.

 

In my next article, "GlobalProtect: Authentication Policy with MFA," we will configure authentication policy with MFA for both HTTP and non-HTTP access to sensitive resources.

Rate this article:
0.5
1.0
1.5
2.0
2.5
3.0
3.5
4.0
4.5
5.0
0 Likes Likes
Comments
Proton951
L0 Member
‎06-29-2025 03:15 PM

Hi,

Struggling to find any documentation related to user based policy configuration. Yours is the closest I could find.

I managed to setup auth for user following documentation here : https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g0000008U48CAE
but there is no mention of how we can add a user authenticated with SAML profile on security policies there.

How do we manage to add an azure saml authenticated user to security policy?

Is it via Cloud Identity engine + User ID?

Kindly help

SpencerMitchell
L0 Member
‎06-30-2025 09:00 AM

Hello,

 

I like to think of User-ID as synonymous with all things identity. With this in mind, there are two different aspects of User-ID that we need to configure as it relates to traditional GlobalProtect or Prisma Access: authentication and authorization. Think of authentication as what grants the initial login. A user logs in (is authenticated). Think of authorization as what resources are accessible by a user once they are connected (what they are authorized to access). 

 

In the case of Azure, it can be used both for authentication and authorization. You would configure Azure as an iDP for authentication (see here), and use Azure AD for authorization (see here). If you just set up SAML auth, this is not enough to be able to leverage user/group information in security policy. You also have to setup Azure AD in CIE.

 

  • 11284 Views
  • 2 comments
  • 0 Likes
Register or Sign-in
Contributors
Article Dashboard
Version history
Last Updated:
‎07-11-2022 08:30 AM
Updated by:
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2025 - Palo Alto Networks