Grant access to device with specific installed applications and captive portal for others

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Grant access to device with specific installed applications and captive portal for others

L1 Bithead

Hello,

 

I would like to know if it was possible, and how, to grant access in the internal network (wired and wi-fi), on the basis of the presence of an application.

 

In fact, I want to allow access to devices where spécific applications are installed, and redirect others to a captive portal for identification.

 

Have you got any information tu set up this solution ?

 

Thank you in advance for your help.

 

 

1 accepted solution

Accepted Solutions

by default Captive Portal only triggers for unidentified users

you can't enable HIP profiles for Captive portal, HIP is only supported on GlobalProtect

 

I'd suggest you focus on one aspect at a time and add more features as you make sure the previous feature works as expected

 

start by setting up captive portal

this should spawn a login page for everyone

next, set up captive portal GlobalProtect and have these users simply be identified, to ensure your GP users are properly identified and everyone else gets served a captive portal login page

next, add hip checks to ensure your GP users have the appropriate software installed and running

 

this step by step will considerably simplify your efforts to make things work as expected

 

 

::edited::

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

View solution in original post

6 REPLIES 6

L3 Networker

I'd love to be wrong, but I don't believe so. Being able to detect what's installed on a local machine would require a client of some sort installed on the client (at the very least, a java applet) to be able to scan for a local file/registry key and report back to the firewall.

 

there may be a clumsy, awkward workaround possible using the API and/or EDLs if you can get the detection/reporting component working, through possibly another management client running on the desktop.

Hello,

 

Do you think that we could use the Globalprotect client to detect applications ?

 

Globalprotect can do that for VPN client, but I don't know if it works for wired or Wi-Fi access. 

GP client can detect which applications users have installed when connecting to GP gateway. So you could make this work with internal GP gateway maybe.

 

PA FW can filter traffic based on applications passing through the firewall, but can't make decisioins based on applications installed on client.

 

What you are looking for is usually part of NAC solution (allowing clients netwrok access based on their posture).

 

 

Hi

 

For your installed users GlobalProtect could provide HIP checks that allow you to check if certain applications are installed/running and will perform UserID at the same time

 

You can then simply enable captive portal for the same network, as captive portal will only trigger for non-identified users: anyone without GlobalProtect or the capability of checking if certains applications are installed will be redirected

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Hi,

 

I try your solution, but I have problems.

 

I follow this tutorial : https://www.paloaltonetworks.com/documentation/61/globalprotect/globalprotect-admin-guide/globalprot...

 

So I made my HIP profile, and I put the (Globalprotect) portal and the (Globalprotect) gateway on my subnet interface.

 

In HIP Match logs I don't see any configuration. So I try to connect myself with the Globalprotect client, and there are HIP match in logs.

Moreover, I don't find options to enable captive portal only for non-identified users.

 

I also try to make a captive portal without Globalprotect (Device>User Identification and Policies>Captive Portal). But I can't make a rule to use HIP profile.

 

Can you help me on these points?

 

(The PAN-OS version is 7.1.7)

 

 

by default Captive Portal only triggers for unidentified users

you can't enable HIP profiles for Captive portal, HIP is only supported on GlobalProtect

 

I'd suggest you focus on one aspect at a time and add more features as you make sure the previous feature works as expected

 

start by setting up captive portal

this should spawn a login page for everyone

next, set up captive portal GlobalProtect and have these users simply be identified, to ensure your GP users are properly identified and everyone else gets served a captive portal login page

next, add hip checks to ensure your GP users have the appropriate software installed and running

 

this step by step will considerably simplify your efforts to make things work as expected

 

 

::edited::

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
  • 1 accepted solution
  • 3648 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!