HIP profile for external Partners

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

HIP profile for external Partners

L4 Transporter

Hello ;

We have to setup HIP profile check for  Corp users and external partners

 

Currently we have a common Loopback Interface having a Private IP and we have a tunnel interafce 

 

Both loopback and Tunnel are part of same zone called GP

 

This is same Cluster on which Portal and gateway are running

 

In order to assign separate HIP Profiles to Corp users and External - we have to allocate different IP pools to them .

 

So do we need two GP gateways - with same loopback but different Tunnel interface  and both tunnel interface assigned to different zones ?,

 

and then on two gateways we define the Different IP pools  for example 192.168.1.10-192.168.1.150 to corp users in GP Gateway 1 having tunnel interface tunnel.1

 

and then another pool of 192.168.1.225-192.168.1.240 to external users in GP gateway 2 having tunnel interface tunnel.2

 

Both gateways have same loopback interface ?

 

Does this work ??

 

Because as far as i know , HIP Profiles are allocated to Security Policies  so we need to define two Zones

 

Also Do we have to manualluy define the Antivirus we want to accept , can GP check autonmatically what is acceptable to Palo Alto Database ? Normally in Host check it should check the trusted knwn Antivirus but in GP i believe we have to manually define or restrict it ?

 

because we have no control over which antivirus our Partners use so everytime if there is a new partner it could lead to problem .?

 

 

1 accepted solution

Accepted Solutions

@FWPalolearner,

Just went through and verified that you don't need to select the actual vendor or product when you configure an anti-malware HIP object. That will default to the firewall simply checking the requirements that you have selected regardless of vendor and the hip object matches as expected.

View solution in original post

6 REPLIES 6

Cyber Elite
Cyber Elite

@FWPalolearner,

You can assign a different IP pool within the Gateway's client settings so that a particular group (in your case your external partners) are granted different criteria, including IP Pools for this purpose. That would be a easier and cleaner solution for what you are attempting to do.

I'm not actually sure that you need to specify a vendor when you setup the HIP Object, or if not selecting a vendor will allow all identifiable projects to actually count towards the profile? It would be something to check quick when you roll this out. 

Hi @BPry 

 

Thanks .

 

We have lot of external partners and we want to enable Hip profile with an antivirus check.

 

Palo Alto has a predefined list of 3 rd party av vendors.

 

So this mean I have to ask all my partner's beforehand what av they use.

 

If I dont  select any specific vendor ,it should check from its own predefined list . Well this is what I used to have with pulse secure host checker.

 

Even I have no practical experience on Hip but this is a requirement for customer and I currently have no demo system to check

 

 

@FWPalolearner,

You can always create a HIP object without actually using it within a HIP Profile assigned to any access requirements for testing purposes. You can verify via the firewall's HIP Match logs that the object is matching as expected before actually making it a requirement. I'd advise that this be followed for any new object you create to make sure that you won't accidentally break anything.

I'm fairly confident that you can leave out any specified vendor and the firewall will check it's entire vendor/product list when analyzing the HIP condition, but I can verify that if I remember later this evening. 

@BPry  Thanks a lot as always .

 

I will also try if i can find some demo VM to test meanwhile

@FWPalolearner,

Just went through and verified that you don't need to select the actual vendor or product when you configure an anti-malware HIP object. That will default to the firewall simply checking the requirements that you have selected regardless of vendor and the hip object matches as expected.

@BPry  wow .thanks a lot . Antimalware check will make life easy to.convince the customer for UAT .

 

Thanks again.cheers

  • 1 accepted solution
  • 3895 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!