In my previous article, "GlobalProtect: Expanded Setup," we covered the expanded setup of GlobalProtect, which included multiple authentication types, as well as the creation of an internal gateway.
In this post, we are going to modify security policy matching based on user identity and device context provided via the GlobalProtect app. We will also enable notifications to the end user based on compliance of the endpoint. You can see a diagram of the environment here.
The value of using user identity and device context in security policy, together with end-user notifications, is greater visibility and more granular control over what users can access. The same approach applies regardless of user location, and best practice is to use it wherever possible. If a user's endpoint does not meet the requirements for accessing a resource, the user can be notified, or matched to a different rule that grants only the minimum access needed to become compliant.
NOTE: This article assumes that you have already followed the previous articles in this series.
Part III - User/Device Context and Compliance
Navigate to Objects > GlobalProtect > HIP Objects > Add to create one or more test objects that are applicable to your environment.
Name the HIP Object and enable a check for something specific to your environment. In my case, I run Cortex XDR Prevent on my workstations, and I will also be testing via an iPhone, so I will create two objects called AV and iPhone.
HIP Object - General Tab - AV
HIP Object - Anti-Malware Tab
HIP Object - General Tab - iPhone
Navigate to Objects > GlobalProtect > HIP Profiles > Add to create a profile that references both of the previously created objects.
NOTE: In the screenshot below, the profile will match based on either of the previously created objects
HIP Profile - Compliant HIP Profile
Navigate to Network > GlobalProtect > Gateways > open each of the existing gateways > Agent > HIP Notification > Add
Select the Host Information profile that was previously created
On the Match Message tab:
Check the Enable box
Enter a message
On the Not Match Message tab:
Check the Enable box
Enter a message
HIP Notification - Compliant HIP Profile - Match Message
HIP Notification - Compliant HIP Profile - Not Match Message
Navigate to Policies > Security to create rules based on user group and device context.
As shown below, we are adding a user group and HIP profile as match criteria
Security Policies - Add User Group and HIP Profile
Commit the configuration
You should now be able to log into GlobalProtect and see a message similar to the following:
GlobalProtect - Home Internal Gateway Compliant
You should also be able to see rule matches via the Traffic logs.
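To make the relationships between the pieces configured above concrete, here is an added Python model (not PAN-OS code and not the PAN-OS API) of how HIP objects combine into a HIP profile, how the profile drives the match/not-match notification, and how a user group plus HIP profile select a security rule, with a remediation-only rule as the fall-through for non-compliant endpoints. The HIP report field names, vendor string, rule names and notification text are constructed for illustration; the "AV or iPhone" expression mirrors the either-object match noted for the profile above.

```python
# Added example (not PAN-OS code or the PAN-OS API): a model of how the HIP objects, HIP profile,
# HIP notifications and security rules built above fit together. HIP report fields are constructed.

def obj_av(hip):
    # "AV" HIP object, Anti-Malware tab: Cortex XDR present with real-time protection enabled
    return any(p["vendor"] == "Palo Alto Networks" and p["realtime"] for p in hip.get("anti-malware", []))

def obj_iphone(hip):
    # "iPhone" HIP object, General tab: operating-system check
    return hip.get("os", "").startswith("iOS")

HIP_OBJECTS = {"AV": obj_av, "iPhone": obj_iphone}
HIP_PROFILES = {"Compliant": "AV or iPhone"}  # matches on either object, as in the profile above
NOTIFY = {"Compliant": {True: "Endpoint is compliant; full access granted.",
                        False: "Endpoint is not compliant; only remediation resources are reachable."}}
RULES = [  # ordered like the rulebase: most specific first, remediation rule as the fall-through
    {"name": "VPN-Compliant-Full-Access", "group": "vpn-users", "hip": "Compliant"},
    {"name": "VPN-NonCompliant-Remediation", "group": "vpn-users", "hip": None},
]

def eval_match(expr, hip):
    """Evaluate a profile expression of object names joined by not/and/or (no parentheses)."""
    def term(tok):
        neg = tok.startswith("not ")
        return HIP_OBJECTS[tok[4:] if neg else tok](hip) != neg
    return any(all(term(t.strip()) for t in group.split(" and ")) for group in expr.split(" or "))

def evaluate(user_groups, hip):
    """Return (matched rule name, HIP notification messages) for one connecting endpoint."""
    messages = [NOTIFY[name][eval_match(expr, hip)] for name, expr in HIP_PROFILES.items()]
    for rule in RULES:
        hip_ok = rule["hip"] is None or eval_match(HIP_PROFILES[rule["hip"]], hip)
        if rule["group"] in user_groups and hip_ok:
            return rule["name"], messages
    return "no rule matched (default deny)", messages

if __name__ == "__main__":
    laptop = {"os": "Windows 10", "anti-malware": [{"vendor": "Palo Alto Networks", "realtime": True}]}
    stale = {"os": "Windows 10", "anti-malware": [{"vendor": "Palo Alto Networks", "realtime": False}]}
    for hip in (laptop, {"os": "iOS 17"}, stale):
        print(evaluate({"vpn-users"}, hip))
```

The third endpoint (real-time protection off) lands on the remediation rule and receives the not-match message, which is the behaviour the Traffic logs should confirm after the commit.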