GP v2.0.1. Successful authentication is based on a particular AD user group. If the user is not part of the group, he/she would be able to connect. We want to implement this solution for smart devices. However, how can we control who connects and who doesn't? We don't want a user with a personal device to be able to connect to the portal/gateway. Is there a way to lock this down further, without client certificates? We want to have control over who can connect on their personal device. Some exceptions, but not all users.
You could use HIP for that purpose. Only if the device is "compliant" is it able to connect. For example, insert a hidden registry entry for the devices you want to connect, then check that registry entry with HIP.
Quick and dirty for mobile devices: you could configure a hostname and let HIP check for that. With PAN MSM you have more options available for that purpose. With MSM you can check whether a device is managed; if yes, allow access.
MSM requires additional hardware and licensing, but you get a complete Mobile Device Management solution.
MSM is an additional Appliance GP-100 Overview - Palo Alto Networks
Configuring and checking hostnames on your mobile devices does not require MSM.
No, just the common part of the hostname. See my example screenshot above. So every device starts with the common part of the hostname, iPhone-7CC53795BECF-; the rest of the hostname can be unique.
With HIP you're checking hostname with qualifier "Contains" iPhone-7CC53795BECF.
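The registry-marker approach suggested earlier in this thread, as an added example that is not code from the thread or from Palo Alto Networks: a PowerShell script that provisions a machine-scoped marker on corporate-owned Windows endpoints, so a HIP object's registry check can match on it. The key path, value name and value data are hypothetical; the script assumes it is run elevated by your deployment tooling.

```powershell
# Added example: provision a registry marker for a GlobalProtect HIP registry check.
# Key path, value name and data below are hypothetical placeholders; choose your own.
$MarkerKey  = 'HKLM:\SOFTWARE\ExampleCorp\GlobalProtect'   # hypothetical path
$MarkerName = 'ManagedDevice'                               # hypothetical value name
$MarkerData = 'corp-owned'                                  # hypothetical value data

function Set-ManagedDeviceMarker {
    # Must run elevated (GPO startup script, SCCM/Intune, etc.). Placing the
    # marker under HKLM rather than HKCU matters: HKLM\SOFTWARE is writable
    # only by administrators, so a standard user on a personal device cannot
    # plant the same marker for themselves.
    if (-not (Test-Path $MarkerKey)) {
        New-Item -Path $MarkerKey -Force | Out-Null
    }
    New-ItemProperty -Path $MarkerKey -Name $MarkerName -Value $MarkerData `
        -PropertyType String -Force | Out-Null
}

function Test-ManagedDeviceMarker {
    # Mirrors what the HIP registry check evaluates on the client:
    # the key exists and the value data matches exactly.
    $item = Get-ItemProperty -Path $MarkerKey -Name $MarkerName -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.$MarkerName -eq $MarkerData)
}

Set-ManagedDeviceMarker
if (Test-ManagedDeviceMarker) {
    'Marker present: the HIP profile requiring it should match this device.'
} else {
    'Marker missing: the gateway policy tied to that HIP profile should deny access.'
}
```

The HIP object then checks for the same key, value name and data, and the security policy on the gateway references the HIP profile built from that object.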