GlobalProtect restrict to approved devices

L1 Bithead

Hello,

I am trying to restrict what devices users can log in to GlobalProtect with to only machines that we have given them. Since all of those machines would be domain-joined, I would expect that I can import an AD group that contains those machines and use that as a restriction, but all I can find is how to use an AD group for allowed users (which I am also using). Can I restrict this the way that I want, or is that not possible?

Dylan

All Replies
L5 Sessionator

Hey Dylan,

Yep, this is totally do-able.

Option one - via the authentication profile.

Go to Network -> GlobalProtect -> Portals -> {Portal Name} -> Authentication tab and note the auth profile being used.

Then go to Device -> Authentication Profiles and add the AD group into the auth profile's allow list. Note: this would affect any other services that use this authentication profile, like captive portal etc.

Option two - via the portal/gateway agent config.

Go to Network -> GlobalProtect -> Portals -> {Portal Name} -> Agent tab.

Open the config name, go to the User/User Group tab and add the AD group there.

This is presuming you have User-ID and group mapping configured; if you haven't, it might be best to start here:

https://www.paloaltonetworks.com/documentation/81/pan-os/pan-os/user-id/map-ip-addresses-to-users

https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/user-id/map-users-to-groups

L1 Bithead

Thanks for the quick reply. I am currently using an AD group for the users, so I have an AD group of allowed GP users, and that group is in the auth profile allowed list. You're saying that I can do the same for a group of computers? Everything in the group mapping seemed to be user-centric, which is why I didn't think that would work.

L5 Sessionator

Ah, I may have misunderstood. You cannot specify computer names in auth profiles or within the user/group config; it must be either a user or a group.

Since you mentioned all the machines are part of the domain, you could add them all to a new group called vpn, then add this VPN group to either the allow list in the auth profile or the portal/agent config like I mentioned. Doing this method, option two would be preferred, or otherwise I would make a new authentication profile specific to GlobalProtect, utilising the allow list method.

L1 Bithead

I'll give it a shot. What I meant with my user-centric comment was that in the group mapping configuration, there are options for user attributes, but not computer (Primary Username, for example). Since the computer isn't actually doing the authenticating, I wasn't sure this would work.

I've been looking at this: https://researchcenter.paloaltonetworks.com/2015/06/byod-makes-you-productive-and-its-also-why-your-... which says: GlobalProtect can also be used to perform Host Integrity Posture (HIP) checks, which sounds like another way to go. I don't think that I could use the domain membership thing, but maybe something else that would be specific to machines that we provide. My main thing is, I want to prevent personal computers from connecting.

L7 Applicator

We use Windows PKI so that only domain members can connect via GP.

You can either place the certificate in the user store for user auth or in the machine store for device auth.

L1 Bithead

I marked two things correct because the first led me to the second. I ended up using a HIP profile.

1 - Created a HIP Object where on the General tab the Host Info "domain" is our domain

2 - Created a HIP Profile that just contained the new HIP object

3 - On my security policies from the GlobalProtect zone, I put that matching the HIP Profile was a requirement from the source zone
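
As an added example (not code from the thread, from Palo Alto Networks, or from anyone posting above), the following Python models the three steps of the post above: a HIP object that checks the Host Info domain, a HIP profile that contains only that object, and a security rule from the GlobalProtect zone that requires the profile. The XML reports, the domain corp.example.com, the user names, zone name and rule names are all constructed for the illustration, and the report layout is an assumption shaped like an agent's host-info report, not a specification of the real format. The point it shows is the before/after difference: with the same valid user credentials, a workgroup machine is allowed by the old rule (allowed users only) and denied once the HIP profile is required, and a report with no domain element at all is denied rather than breaking the check.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample HIP reports (not captured from a real agent; element
# names are an assumption shaped like a GlobalProtect host-info report).
CORP_REPORT = """<hip-report name="hip-report">
  <user-name>CORP\\dylan</user-name><host-name>LT-1234</host-name>
  <categories><entry name="host-info">
    <os>Microsoft Windows 10 Enterprise</os>
    <domain>corp.example.com</domain>
  </entry></categories>
</hip-report>"""

# A personal machine: same user credentials, but the host is in a workgroup.
PERSONAL_REPORT = """<hip-report name="hip-report">
  <user-name>dylan</user-name><host-name>DYLANS-PC</host-name>
  <categories><entry name="host-info">
    <os>Microsoft Windows 10 Home</os>
    <domain>WORKGROUP</domain>
  </entry></categories>
</hip-report>"""

# A client that reports no <domain> element at all; the check must fail
# closed here rather than raise.
NO_DOMAIN_REPORT = """<hip-report name="hip-report">
  <user-name>dylan</user-name><host-name>macbook</host-name>
  <categories><entry name="host-info"><os>macOS 10.15</os></entry></categories>
</hip-report>"""


@dataclass(frozen=True)
class HipObject:
    """Step 1 of the post: General tab, Host Info, domain is <value>."""
    name: str
    domain_is: str

    def matches(self, report: ET.Element) -> bool:
        node = report.find("./categories/entry[@name='host-info']/domain")
        if node is None or not node.text:
            return False  # missing data never satisfies the object
        # Assumption: DNS domain names compare case-insensitively.
        return node.text.strip().lower() == self.domain_is.lower()


@dataclass(frozen=True)
class HipProfile:
    """Step 2: a profile containing just the new object (all must match)."""
    name: str
    objects: tuple

    def matches(self, report: ET.Element) -> bool:
        return all(obj.matches(report) for obj in self.objects)


@dataclass(frozen=True)
class SecurityRule:
    """Step 3: a rule from the GlobalProtect zone that requires the profile."""
    name: str
    from_zone: str
    allowed_users: frozenset   # stands in for the AD user group from User-ID
    hip_profiles: tuple        # empty tuple = no HIP requirement
    action: str = "allow"


def evaluate(rules, zone, user, report_xml):
    """First-match policy lookup; falls back to the implicit deny."""
    report = ET.fromstring(report_xml)
    for rule in rules:
        if rule.from_zone != zone or user not in rule.allowed_users:
            continue
        if rule.hip_profiles and not any(p.matches(report) for p in rule.hip_profiles):
            continue
        return rule.action
    return "deny"


CORP_DEVICE = HipProfile("corp-device", objects=(
    HipObject("corp-domain", domain_is="corp.example.com"),))
GP_USERS = frozenset({"corp\\dylan"})  # assumed allowed-user group

# The rule before step 3 (allowed user only) and after it (HIP required).
RULE_BEFORE = SecurityRule("gp-to-inside-old", "GlobalProtect", GP_USERS, ())
RULE_AFTER = SecurityRule("gp-to-inside", "GlobalProtect", GP_USERS, (CORP_DEVICE,))


def decide_before(report_xml, user="corp\\dylan", zone="GlobalProtect"):
    return evaluate((RULE_BEFORE,), zone, user, report_xml)


def decide_after(report_xml, user="corp\\dylan", zone="GlobalProtect"):
    return evaluate((RULE_AFTER,), zone, user, report_xml)


if __name__ == "__main__":
    for label, xml in (("corporate", CORP_REPORT), ("personal", PERSONAL_REPORT),
                       ("no-domain", NO_DOMAIN_REPORT)):
        print(f"{label:10s} before={decide_before(xml)} after={decide_after(xml)}")
```

Worth keeping in view when deciding whether this is enough on its own: the match above compares a string the GlobalProtect agent reports against the configured domain, so it is only as good as the report the firewall receives. The Windows PKI route in the L7 Applicator reply above ties the decision to a certificate and private key in the machine store instead, and the two can be combined on the same rule.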
