I'm trying to block unauthorize devices (non-domain machine and not having our approved anti-virus install) to establish a client VPN session into our network via GlobalProtect. The only way right now is to apply HIP check once a VPN connection via GlobalProtect has established to the user traffic. What we see happening with doing HIP check on actual traffic is un-reliable because the GP agent does not report back to the firewall from time to time, afterward, the user traffic get black-hole (deny), but GlobalProtect is still connect. The only way to get out of that is to disconnect and reconnect to GP again. I'm use to on the Cisco ASA able to restrict a user to establish a client VPN session if the host does not match certain criteria (domain check, anti-virus check, patches, etc.).
the Live forum where you posted your request is mainly for Expedition related topics.
Feature requests should be sent to your local Palo Alto Networks account team or with your loal PAN partner to request your feature request.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!