GlobalProtect: User/Device Context and Compliance


In my previous article, "GlobalProtect: Expanded Setup," we covered the expanded setup of GlobalProtect, which included multiple authentication types, as well as the creation of an internal gateway.

 

In this post, we are going to modify security policy matching based on user identity and device context provided via the GlobalProtect app. We will also enable notifications to the end user based on compliance of the endpoint. You can see a diagram of the environment here.

Using user identity and device context as security policy match criteria, together with end user notifications, gives you greater visibility and more granular control over what each user can reach. The same approach works regardless of where the user is connecting from, and best practice is to apply it wherever possible. If an endpoint does not meet the requirements for a resource, the user can be told why, or the session can be matched to a different rule that grants only the minimum access needed to become compliant (for example, reaching update servers).

 

NOTE: This article assumes that you have already followed the previous articles in this series.

 

Part III - User/Device Context and Compliance

  • Navigate to Objects > GlobalProtect > HIP Objects > Add to create one or more test objects that are applicable to your environment
    • Name the HIP object and enable a check for something specific to your environment. In my case, I run Cortex XDR Prevent on my workstations, and I will also be testing from an iPhone, so I will create two objects called AV and iPhone.

HIP Object - General Tab - AV

HIP Object - Anti-Malware Tab

HIP Object - General Tab - iPhone

  • Navigate to Objects > GlobalProtect > HIP Profiles > Add to create a profile that references both of the previously created objects
    • NOTE: In the screenshot below, the profile's match criteria are "AV" OR "iPhone", so an endpoint that satisfies either object is treated as compliant; an endpoint that satisfies neither does not match the profile

HIP Profile - Compliant HIP Profile

  • Navigate to Network > GlobalProtect > Gateways > open each of the existing gateways > Agent > HIP Notification > Add
    • Select the Host Information profile that was previously created
    • On the Match Message tab
      • Check the Enable box
      • Enter a message
    • On the Not Match Message tab
      • Check the Enable box
      • Enter a message

HIP Notification - Compliant HIP Profile - Match Message

HIP Notification - Compliant HIP Profile - Not Match Message

  • Navigate to Policies > Security to create rules based on user group and device context
    • As shown below, we are adding a user group and HIP profile as match criteria

Security Policies - Add User Group and HIP Profile

  • Commit the configuration

You should now be able to log into GlobalProtect and see a message similar to the following:

GlobalProtect - Home Internal Gateway Compliant

You should also be able to see the rule matches in the Traffic logs. The HIP Match logs (Monitor > Logs > HIP Match) show which HIP objects and profiles each endpoint matched, and they are the first place to look if a user receives the Not Match message unexpectedly.
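To make the evaluation order concrete (HIP objects, then the "any of" HIP profile, then top-down security rule matching on user group and HIP profile, then the Match / Not Match notification), here is a small Python model of the chain configured above. It is an added example, not the firewall's code or anything from the original article: the object, profile and rule names mirror the screenshots, the HIP reports are constructed, and the assumption that Cortex XDR shows up under the anti-malware vendor "Palo Alto Networks" is illustrative only. Only the host OS and anti-malware checks are modelled.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class HipObject:
    """One HIP object: every configured check must pass (General + Anti-Malware tabs)."""
    name: str
    os_family: Optional[str] = None            # e.g. "iOS"; None = not checked
    anti_malware_vendor: Optional[str] = None  # e.g. "Palo Alto Networks"; None = not checked
    require_rtp: bool = False                  # real-time protection must be enabled

    def matches(self, report: dict) -> bool:
        if self.os_family is not None and report.get("os_family") != self.os_family:
            return False
        if self.anti_malware_vendor is not None:
            products = report.get("anti_malware", [])
            if not any(p["vendor"] == self.anti_malware_vendor
                       and (p["rtp"] or not self.require_rtp)
                       for p in products):
                return False
        return True


@dataclass
class HipProfile:
    """HIP profile whose match criteria are 'object1 OR object2 ...'."""
    name: str
    any_of: list

    def matches(self, objects: dict, report: dict) -> bool:
        return any(objects[n].matches(report) for n in self.any_of)


@dataclass
class SecurityRule:
    """Security rule matching on source user group AND HIP profile."""
    name: str
    source_users: set   # group names, or {"any"}
    hip_profiles: set   # HIP profile names, or {"any"}
    action: str

    def matches(self, user_groups: set, matched_profiles: set) -> bool:
        user_ok = "any" in self.source_users or bool(self.source_users & user_groups)
        hip_ok = "any" in self.hip_profiles or bool(self.hip_profiles & matched_profiles)
        return user_ok and hip_ok


def first_matching_rule(rules: list, user_groups: set, matched_profiles: set) -> str:
    """Top-down, first match wins, as the firewall evaluates security policy."""
    for rule in rules:
        if rule.matches(user_groups, matched_profiles):
            return rule.name
    return "interzone-default"   # implicit deny when nothing else matches


def evaluate(objects, profile, rules, messages, user_groups, report) -> dict:
    """Gateway-side view of one login: HIP result, rule hit and notification text."""
    compliant = profile.matches(objects, report)
    matched = {profile.name} if compliant else set()
    return {
        "compliant": compliant,
        "rule": first_matching_rule(rules, user_groups, matched),
        "message": messages["match"] if compliant else messages["not_match"],
    }


# Constructed configuration mirroring the article; rule names are illustrative.
OBJECTS = {
    # Assumption: Cortex XDR is reported under anti-malware vendor "Palo Alto Networks".
    "AV": HipObject("AV", anti_malware_vendor="Palo Alto Networks", require_rtp=True),
    "iPhone": HipObject("iPhone", os_family="iOS"),
}
COMPLIANT = HipProfile("Compliant HIP Profile", any_of=["AV", "iPhone"])
RULES = [
    SecurityRule("Compliant-Full-Access", {"Domain Users"}, {"Compliant HIP Profile"}, "allow"),
    SecurityRule("Remediation-Only", {"Domain Users"}, {"any"}, "allow"),  # e.g. update servers only
    SecurityRule("Deny-All", {"any"}, {"any"}, "deny"),
]
MESSAGES = {
    "match": "Your device is compliant.",
    "not_match": "Your device is not compliant; install and enable endpoint protection.",
}

# Constructed HIP reports (user groups, report) - not captures from real endpoints.
XDR_ON = [{"vendor": "Palo Alto Networks", "rtp": True}]
XDR_RTP_OFF = [{"vendor": "Palo Alto Networks", "rtp": False}]
REPORTS = {
    "laptop-xdr": ({"Domain Users"}, {"os_family": "Windows", "anti_malware": XDR_ON}),
    "laptop-xdr-rtp-off": ({"Domain Users"}, {"os_family": "Windows", "anti_malware": XDR_RTP_OFF}),
    "iphone": ({"Domain Users"}, {"os_family": "iOS", "anti_malware": []}),
    "contractor": ({"Contractors"}, {"os_family": "Windows", "anti_malware": []}),
}


def run_all() -> dict:
    return {host: evaluate(OBJECTS, COMPLIANT, RULES, MESSAGES, groups, report)
            for host, (groups, report) in REPORTS.items()}


if __name__ == "__main__":
    for host, result in run_all().items():
        print(f"{host:20} compliant={result['compliant']!s:5} rule={result['rule']}")
```

The ordering of the rules is the point: the remediation rule sits below the compliant rule and has no HIP profile criterion, so a domain user whose endpoint fails the profile (here, Cortex XDR present but real-time protection off) lands on the narrow rule and gets the Not Match message, while a user outside the group falls through to the deny. On the firewall, confirm the same thing from the HIP Match and Traffic logs rather than from a model like this.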

 

In my next article, "GlobalProtect: Authentication Policy with MFA," we will configure authentication policy with MFA for both HTTP and non-HTTP access to sensitive resources.