03-25-2017 05:36 AM
Hello,
I would like to know if it was possible, and how, to grant access in the internal network (wired and wi-fi), on the basis of the presence of an application.
In fact, I want to allow access to devices where spécific applications are installed, and redirect others to a captive portal for identification.
Have you got any information tu set up this solution ?
Thank you in advance for your help.
04-04-2017 02:41 AM - edited 05-04-2017 06:34 AM
by default Captive Portal only triggers for unidentified users
you can't enable HIP profiles for Captive portal, HIP is only supported on GlobalProtect
I'd suggest you focus on one aspect at a time and add more features as you make sure the previous feature works as expected
start by setting up captive portal
this should spawn a login page for everyone
next, set up captive portal GlobalProtect and have these users simply be identified, to ensure your GP users are properly identified and everyone else gets served a captive portal login page
next, add hip checks to ensure your GP users have the appropriate software installed and running
this step by step will considerably simplify your efforts to make things work as expected
::edited::
03-25-2017 09:52 AM
I'd love to be wrong, but I don't believe so. Being able to detect what's installed on a local machine would require a client of some sort installed on the client (at the very least, a java applet) to be able to scan for a local file/registry key and report back to the firewall.
there may be a clumsy, awkward workaround possible using the API and/or EDLs if you can get the detection/reporting component working, through possibly another management client running on the desktop.
03-27-2017 12:37 AM
Hello,
Do you think that we could use the Globalprotect client to detect applications ?
Globalprotect can do that for VPN client, but I don't know if it works for wired or Wi-Fi access.
03-27-2017 12:51 AM
GP client can detect which applications users have installed when connecting to GP gateway. So you could make this work with internal GP gateway maybe.
PA FW can filter traffic based on applications passing through the firewall, but can't make decisioins based on applications installed on client.
What you are looking for is usually part of NAC solution (allowing clients netwrok access based on their posture).
03-27-2017 12:57 AM
Hi
For your installed users GlobalProtect could provide HIP checks that allow you to check if certain applications are installed/running and will perform UserID at the same time
You can then simply enable captive portal for the same network, as captive portal will only trigger for non-identified users: anyone without GlobalProtect or the capability of checking if certains applications are installed will be redirected
04-04-2017 01:21 AM
Hi,
I try your solution, but I have problems.
I follow this tutorial : https://www.paloaltonetworks.com/documentation/61/globalprotect/globalprotect-admin-guide/globalprot...
So I made my HIP profile, and I put the (Globalprotect) portal and the (Globalprotect) gateway on my subnet interface.
In HIP Match logs I don't see any configuration. So I try to connect myself with the Globalprotect client, and there are HIP match in logs.
Moreover, I don't find options to enable captive portal only for non-identified users.
I also try to make a captive portal without Globalprotect (Device>User Identification and Policies>Captive Portal). But I can't make a rule to use HIP profile.
Can you help me on these points?
(The PAN-OS version is 7.1.7)
04-04-2017 02:41 AM - edited 05-04-2017 06:34 AM
by default Captive Portal only triggers for unidentified users
you can't enable HIP profiles for Captive portal, HIP is only supported on GlobalProtect
I'd suggest you focus on one aspect at a time and add more features as you make sure the previous feature works as expected
start by setting up captive portal
this should spawn a login page for everyone
next, set up captive portal GlobalProtect and have these users simply be identified, to ensure your GP users are properly identified and everyone else gets served a captive portal login page
next, add hip checks to ensure your GP users have the appropriate software installed and running
this step by step will considerably simplify your efforts to make things work as expected
::edited::
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
