09-03-2019 10:31 AM
Apologies for the new-guy question.
I've been asked to set up GlobalProtect VPN with MFA and a HIPS check. For example if there isn't a particular brand of AV the client is rejected. My question (well, one of my thousand) is I don't understand how HIPS ties to the GlobalProtect connection. I don't see anywhere in the setup where it says, "Use this HIP Profile for this Portal and if it doesn't match display this message". I understand that is a pretty simplistic version of what I'm looking for, but hopefully someone gets what I'm saying.
Thanks in advance for your time.
09-03-2019 11:24 AM
Good Day!
You are pretty close in your logical thinking, but it is the GP Gateway that looks at the HIP profile, not the Portal.
When you create the Gateway ==> Agent Tab ==> HIP Notification.
This is where you ask the gateway to compare your HIP objects/profiles to what is being presented by the user, and determine if a person should connect or not.
What other questions do you have?
09-03-2019 12:19 PM
Hi Steve -
Dead on! The Host Information dropdown is the spot.
I'm a little confused about the difference between GlobalProtect > Gateways > Agent > Client Settings > Configs > IP Pools tab and GlobalProtect > Gateways > Agent > Client IP Pool
I'm guessing that if a vendor isn't listed in say Anti-Malware for example, I'll have to do a workaround with a Custom check?
09-03-2019 12:31 PM
Howdy again!!
So...
GlobalProtect > Gateways > Agent > Client IP Pool = 1 pool for ALL users. Plus!!!! this web pool.
GlobalProtect > Gateways > Agent > Client Settings > Configs > IP Pools tab = a different pool per group or however.
Example... BAD... you have a mix of employees, vendors, and suppliers that need access... if you use Client Pool, everyone has the same IP subnet, and it's kind of hard to control/manage.
Better would be Client Settings (and have 3 profiles)
profile 1. Employees (Subnet A)
profile 2. Vendors
profile 3. Suppliers
just a general example.
In testing... I have seen IT people create a profile for themselves only, so that they can get the same subnet/IP every time they log in. Then make rules allowing that specific subnet/IP access to the networking/mgmt VLAN, or whatever....
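To make the two replies above concrete (the gateway, not the portal, compares HIP objects/profiles against what the agent reports; Client Settings configs are picked per group and hand out per-group IP pools; a Custom Check covers a vendor the Anti-Malware list does not know), here is a small Python model of that evaluation order. This is an added illustration, not PAN-OS code and not anything from the original posts: the object names, pool subnets, vendor strings, user names and the "first matching config wins" rule are assumptions chosen for the example, and the real product has many more categories and options.

```python
"""Toy model of HIP evaluation on a GlobalProtect gateway (added example, not PAN-OS code).

Order mimicked: agent submits a HIP report -> gateway tests HIP objects -> HIP
profiles (boolean combinations of objects) -> first matching Client Settings
config is chosen and its IP pool assigned -> HIP Notification text is produced
for profiles that did not match. Categories and semantics are simplified.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class HipReport:
    """What the agent reports about the endpoint (constructed sample data)."""
    user: str
    groups: frozenset
    anti_malware: tuple = ()           # (vendor, product, real_time_enabled) tuples
    processes: frozenset = frozenset()  # running process names, for custom checks


@dataclass
class HipObject:
    """One check, like the Anti-Malware tab or a Custom Checks process entry."""
    name: str
    av_vendor: Optional[str] = None        # require this vendor's product installed
    av_real_time: bool = False             # ...with real-time protection enabled
    process_running: Optional[str] = None  # custom check for an unlisted vendor's agent

    def matches(self, r: HipReport) -> bool:
        if self.av_vendor is not None:
            hits = [a for a in r.anti_malware if a[0] == self.av_vendor]
            if not hits or (self.av_real_time and not any(a[2] for a in hits)):
                return False
        if self.process_running is not None and self.process_running not in r.processes:
            return False
        return True


@dataclass
class HipProfile:
    """Profile = OR over groups, each group an AND of object names (simplified)."""
    name: str
    any_of: tuple


@dataclass
class ClientConfig:
    """One row under Gateway > Agent > Client Settings; a None criterion means 'any'."""
    name: str
    ip_pool: str
    groups: Optional[frozenset] = None
    hip_profiles: Optional[frozenset] = None


@dataclass
class Gateway:
    objects: dict
    profiles: dict
    configs: tuple  # evaluated top-down, first match wins (assumed rule)
    no_match_messages: dict = field(default_factory=dict)  # profile -> notification text

    def matched_profiles(self, r: HipReport) -> set:
        obj_ok = {n: o.matches(r) for n, o in self.objects.items()}
        return {p.name for p in self.profiles.values()
                if any(all(obj_ok[o] for o in grp) for grp in p.any_of)}

    def evaluate(self, r: HipReport) -> dict:
        matched = self.matched_profiles(r)
        chosen = None
        for c in self.configs:
            if c.groups is not None and not (c.groups & r.groups):
                continue
            if c.hip_profiles is not None and not (c.hip_profiles & matched):
                continue
            chosen = c
            break
        # Notifications are keyed on profile match, not on which config was chosen.
        messages = [m for p, m in self.no_match_messages.items() if p not in matched]
        return {"user": r.user, "matched": sorted(matched),
                "config": chosen.name if chosen else None,
                "pool": chosen.ip_pool if chosen else None, "messages": messages}


def build_gateway() -> Gateway:
    """Employees need the corporate AV; vendors are checked by a custom process check."""
    objects = {
        "corp-av": HipObject("corp-av", av_vendor="CorpAV Inc.", av_real_time=True),
        "vendor-agent": HipObject("vendor-agent", process_running="vendoragent.exe"),
    }
    profiles = {
        "employee-compliant": HipProfile("employee-compliant", (("corp-av",),)),
        "vendor-compliant": HipProfile("vendor-compliant", (("vendor-agent",),)),
    }
    configs = (
        ClientConfig("employees", "10.10.1.0/24", frozenset({"employees"}),
                     frozenset({"employee-compliant"})),
        ClientConfig("vendors", "10.10.2.0/24", frozenset({"vendors"}),
                     frozenset({"vendor-compliant"})),
        ClientConfig("suppliers", "10.10.3.0/24", frozenset({"suppliers"})),
    )
    msg = {"employee-compliant": "Install CorpAV with real-time protection, then reconnect."}
    return Gateway(objects, profiles, configs, msg)


SAMPLES = (  # constructed HIP reports
    HipReport("alice", frozenset({"employees"}), (("CorpAV Inc.", "CorpAV Endpoint", True),)),
    HipReport("bob", frozenset({"employees"}), (("OtherAV", "OtherAV Free", True),)),
    HipReport("vera", frozenset({"vendors"}), processes=frozenset({"vendoragent.exe"})),
    HipReport("sam", frozenset({"suppliers"})),
)


def evaluate_all() -> dict:
    gw = build_gateway()
    return {r.user: gw.evaluate(r) for r in SAMPLES}


if __name__ == "__main__":
    for user, result in evaluate_all().items():
        print(user, result)
```

Running it, alice lands in the employee pool, bob (wrong AV vendor) matches no config and only sees the notification text, vera is admitted through the custom process check into the vendor pool, and sam gets the supplier pool with no HIP requirement. The model also shows a caveat worth remembering: the notification text is tied to the HIP profile's match result, not to the Client Settings config that was chosen, so a message meant for employees will also reach a vendor whose report does not match the employee profile unless the profile itself is scoped.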
09-03-2019 12:40 PM
Just so I'm clear, you'd have three different subnets in your example?
Better would be Client Settings (and have 3 profiles)
profile 1. Employees (Subnet A)
profile 2. Vendors (Subnet B)
profile 3. Suppliers (Subnet C)
Correct?
I can't thank you enough for clearing some of this up for me. I'm sure I'll be posting more here as soon as I actually start to go through the process.