Global Protect on Mobile Devices

L3 Networker

Global Protect on Mobile Devices

GP v2.0.1. Successful authentication is based on a particular AD user group. If the user is not part of the group, he/she would be able to connect. We want to implement this solution for smart devices. However, how can we control who connects and who doesn't? We don't want a user with a personal device to be able to connect to the portal/gateway. Is there a way to lock this down further, without client certificates? We want to have control over who can connect on their personal device. Some exceptions, but not all users.

L4 Transporter

Re: Global Protect on Mobile Devices

You could use HIP for that purpose. Only if the device is "compliant" is it able to connect. For example, insert a hidden registry entry on the devices you want to connect, then check that registry entry with HIP.

L3 Networker

Re: Global Protect on Mobile Devices

I could do that. However, how could I do that for iOS and Android devices wanting to connect?

L4 Transporter

Re: Global Protect on Mobile Devices

Quick and dirty: for mobile devices you could configure a hostname and let HIP check for that. With PAN MSM you have more options available for that purpose. With MSM you can check whether a device is managed; if yes, allow access.

[Screenshot: Capture.JPG (HIP hostname check example)]

MSM requires additional hardware and licensing, but you get a complete Mobile Device Management solution.

L3 Networker

Re: Global Protect on Mobile Devices

Additional HW? Currently running 3000 series FW.

L4 Transporter

Re: Global Protect on Mobile Devices

MSM is an additional appliance: GP-100 Overview - Palo Alto Networks

Configuring and checking hostnames on your mobile devices does not require MSM.

L3 Networker

Re: Global Protect on Mobile Devices

So I will need to know and then add all hostnames from the smart devices?

L4 Transporter

Re: Global Protect on Mobile Devices

No, just the common part of the hostname. See my example screenshot above. So every device starts with the common part of the hostname, iPhone-7CC53795BECF-; the rest of the hostname can be unique.

Example: iPhone-7CC53795BECF-Device001

With HIP you're checking the hostname with the qualifier "Contains" iPhone-7CC53795BECF.

L3 Networker

Re: Global Protect on Mobile Devices

OK, thanks. Makes sense.

L3 Networker

Re: Global Protect on Mobile Devices

This won't affect the laptops/desktops that connect?
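A simplified model of the hostname check the thread describes, added here as an illustration (not from the thread and not Palo Alto's HIP implementation or report format): a "Contains" match on the common prefix, evaluated over constructed device reports, with an OS condition so the rule models mobile devices only and leaves laptops to their own rule. The HipReport fields, the "not-applicable" outcome and the sample hostnames are assumptions.

```python
"""Model of the HIP-style 'Contains' hostname check from the thread.

Constructed example: the report fields, outcomes and sample devices are
illustrative only, not the PAN-OS HIP object or HIP report format.
"""
from dataclasses import dataclass

# Common part of the hostname quoted in the thread; devices append a unique suffix.
COMMON_PREFIX = "iPhone-7CC53795BECF"
# OS families this rule applies to (assumption: laptops/desktops are not "mobile").
MOBILE_OS = {"iOS", "Android"}


@dataclass(frozen=True)
class HipReport:
    """Minimal stand-in for two fields a HIP report carries (constructed)."""
    host_name: str
    os_family: str


def hostname_contains(report: HipReport, needle: str) -> bool:
    """'Contains' qualifier modelled as a plain substring match (case handling is an assumption)."""
    return needle in report.host_name


def mobile_decision(report: HipReport, prefix: str = COMMON_PREFIX) -> str:
    """Return 'allow', 'deny' or 'not-applicable' for the mobile hostname rule.

    Non-mobile devices fall outside this rule, so laptops/desktops are not
    affected by it; they need their own match (AD group, registry entry, ...).
    Note the hostname is set on the device itself, so this is a convenience
    check ("quick and dirty" in the thread), not proof that the device is corporate.
    """
    if report.os_family not in MOBILE_OS:
        return "not-applicable"
    return "allow" if hostname_contains(report, prefix) else "deny"


# Constructed sample reports: two provisioned phones, one personal phone, one laptop.
SAMPLE_REPORTS = [
    HipReport("iPhone-7CC53795BECF-Device001", "iOS"),
    HipReport("iPhone-7CC53795BECF-Device042", "Android"),
    HipReport("Johns-iPhone", "iOS"),
    HipReport("CORP-LAPTOP-17", "Windows"),
]


def evaluate(reports=SAMPLE_REPORTS) -> dict[str, str]:
    """Apply the mobile hostname rule to every report, keyed by hostname."""
    return {r.host_name: mobile_decision(r) for r in reports}


if __name__ == "__main__":
    for name, outcome in evaluate().items():
        print(f"{name:34} {outcome}")
```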
