Grant access to device with specific installed applications and captive portal for others

Reply
informatiq
L1 Bithead

Grant access to device with specific installed applications and captive portal for others

Hello,

 

I would like to know if it was possible, and how, to grant access in the internal network (wired and wi-fi), on the basis of the presence of an application.

 

In fact, I want to allow access to devices where spécific applications are installed, and redirect others to a captive portal for identification.

 

Have you got any information tu set up this solution ?

 

Thank you in advance for your help.

 

 


Accepted Solutions
reaper
L7 Applicator

by default Captive Portal only triggers for unidentified users

you can't enable HIP profiles for Captive portal, HIP is only supported on GlobalProtect

 

I'd suggest you focus on one aspect at a time and add more features as you make sure the previous feature works as expected

 

start by setting up captive portal

this should spawn a login page for everyone

next, set up captive portal GlobalProtect and have these users simply be identified, to ensure your GP users are properly identified and everyone else gets served a captive portal login page

next, add hip checks to ensure your GP users have the appropriate software installed and running

 

this step by step will considerably simplify your efforts to make things work as expected

 

 

::edited::

Tom Piens - PANgurus.com
Like my answer? check out my book! amazon.com/dp/1789956374

View solution in original post


All Replies
bradk14
L3 Networker

I'd love to be wrong, but I don't believe so. Being able to detect what's installed on a local machine would require a client of some sort installed on the client (at the very least, a java applet) to be able to scan for a local file/registry key and report back to the firewall.

 

there may be a clumsy, awkward workaround possible using the API and/or EDLs if you can get the detection/reporting component working, through possibly another management client running on the desktop.

informatiq
L1 Bithead

Hello,

 

Do you think that we could use the Globalprotect client to detect applications ?

 

Globalprotect can do that for VPN client, but I don't know if it works for wired or Wi-Fi access. 

santonic
L5 Sessionator

GP client can detect which applications users have installed when connecting to GP gateway. So you could make this work with internal GP gateway maybe.

 

PA FW can filter traffic based on applications passing through the firewall, but can't make decisioins based on applications installed on client.

 

What you are looking for is usually part of NAC solution (allowing clients netwrok access based on their posture).

 

 

reaper
L7 Applicator

Hi

 

For your installed users GlobalProtect could provide HIP checks that allow you to check if certain applications are installed/running and will perform UserID at the same time

 

You can then simply enable captive portal for the same network, as captive portal will only trigger for non-identified users: anyone without GlobalProtect or the capability of checking if certains applications are installed will be redirected

Tom Piens - PANgurus.com
Like my answer? check out my book! amazon.com/dp/1789956374
informatiq
L1 Bithead

Hi,

 

I try your solution, but I have problems.

 

I follow this tutorial : https://www.paloaltonetworks.com/documentation/61/globalprotect/globalprotect-admin-guide/globalprot...

 

So I made my HIP profile, and I put the (Globalprotect) portal and the (Globalprotect) gateway on my subnet interface.

 

In HIP Match logs I don't see any configuration. So I try to connect myself with the Globalprotect client, and there are HIP match in logs.

Moreover, I don't find options to enable captive portal only for non-identified users.

 

I also try to make a captive portal without Globalprotect (Device>User Identification and Policies>Captive Portal). But I can't make a rule to use HIP profile.

 

Can you help me on these points?

 

(The PAN-OS version is 7.1.7)

 

 

reaper
L7 Applicator

by default Captive Portal only triggers for unidentified users

you can't enable HIP profiles for Captive portal, HIP is only supported on GlobalProtect

 

I'd suggest you focus on one aspect at a time and add more features as you make sure the previous feature works as expected

 

start by setting up captive portal

this should spawn a login page for everyone

next, set up captive portal GlobalProtect and have these users simply be identified, to ensure your GP users are properly identified and everyone else gets served a captive portal login page

next, add hip checks to ensure your GP users have the appropriate software installed and running

 

this step by step will considerably simplify your efforts to make things work as expected

 

 

::edited::

Tom Piens - PANgurus.com
Like my answer? check out my book! amazon.com/dp/1789956374

View solution in original post

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!