GlobalProtect HIPS

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

GlobalProtect HIPS

L3 Networker

Apologies for new guy question.

I've been asked to set up GlobalProtect VPN with MFA and a HIPS check.  For example if there isn't a particular brand of AV the client is rejected.  My question (well, one of my thousand) is I don't understand how HIPS ties to the GlobalProtect connection.  I don't see anywhere in the setup where it says, "Use this HIP Profile for this Portal and if it doesn't match display this message".  I understand that is a pretty simplistic version of what I'm looking for, but hopefully someone gets what I'm saying.

 

Thanks in advance for your time.

2 accepted solutions

Accepted Solutions

Cyber Elite
Cyber Elite

Good Day!

 

You are pretty close in your logical thinking, but it is the GP Gateway that looks at the HIP profile, not the Portal.

When you create the Gateway ==> Agent Tab ==> HIP Notification.

 

This is where you ask the gateway to compare your HIP objects/profiles to what is being presented by the user, and determine if a person should connect or not.

 

What other questions do you have?

 

 

Please help out other users and “Accept as Solution” if a post helps solve your problem !

View solution in original post

Howdy again!!

 

So... 

 

GlobalProtect > Gateways > Agent > Client IP Pool   = 1 pool for ALL users. Plus!!!! this web pool.

GlobalProtect > Gateways > Agent > Client Settings > Configs > IP Pools tab  = a different pool per group or however.

 

Example... BAD... you have a mix of employees, vendors, and suppliers that need access... if you use Client Pool, everyone has same IP subnet, and kind of hard to control/manager.

 

Better would be Client Settings (and have 3 profiles)

profile 1. Employees (Subnet A)

profile 2. Vendors

profile 3. Suppliers

 

just a general example.

 

In testing... I have seen IT ppl create a profile for themselves only, so that they can get the same subnet/IP everytime they log in. Then make rules allowing that specific subnet/IP access to networking/mgmt vlan, or whatever....

 

 

Please help out other users and “Accept as Solution” if a post helps solve your problem !

View solution in original post

4 REPLIES 4

Cyber Elite
Cyber Elite

Good Day!

 

You are pretty close in your logical thinking, but it is the GP Gateway that looks at the HIP profile, not the Portal.

When you create the Gateway ==> Agent Tab ==> HIP Notification.

 

This is where you ask the gateway to compare your HIP objects/profiles to what is being presented by the user, and determine if a person should connect or not.

 

What other questions do you have?

 

 

Please help out other users and “Accept as Solution” if a post helps solve your problem !

Hi Steve -

Dead on!  The Host Information dropdown is the spot.

 

I'm a little confused about the difference between GlobalProtect > Gateways > Agent > Client Settings > Configs > IP Pools tab and GlobalProtect > Gateways > Agent > Client IP Pool

 

I'm guessing that if a vendor isn't listed in say Anti-Malware for example, I'll have to do a workaround with a Custom check?

Howdy again!!

 

So... 

 

GlobalProtect > Gateways > Agent > Client IP Pool   = 1 pool for ALL users. Plus!!!! this web pool.

GlobalProtect > Gateways > Agent > Client Settings > Configs > IP Pools tab  = a different pool per group or however.

 

Example... BAD... you have a mix of employees, vendors, and suppliers that need access... if you use Client Pool, everyone has same IP subnet, and kind of hard to control/manager.

 

Better would be Client Settings (and have 3 profiles)

profile 1. Employees (Subnet A)

profile 2. Vendors

profile 3. Suppliers

 

just a general example.

 

In testing... I have seen IT ppl create a profile for themselves only, so that they can get the same subnet/IP everytime they log in. Then make rules allowing that specific subnet/IP access to networking/mgmt vlan, or whatever....

 

 

Please help out other users and “Accept as Solution” if a post helps solve your problem !

Just so I'm clear, you'd have three different subnets in your example?

Better would be Client Settings (and have 3 profiles)

profile 1. Employees (Subnet A)

profile 2. Vendors (Subnet B)

profile 3. Suppliers (Subnet C)

 

Correct?

 

I can't thank you enough for clearing some of this up for me.  I'm sure I'll be posting more here as soon as I actually start to go though the process.

  • 2 accepted solutions
  • 3915 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!