HIP profile for external Partners


Hello,

We have to set up a HIP profile check for Corp users and external partners.

Currently we have a common loopback interface with a private IP, and we have a tunnel interface.

Both the loopback and the tunnel are part of the same zone, called GP.

This is the same cluster on which the portal and gateway are running.

In order to assign separate HIP profiles to Corp users and external users, we have to allocate different IP pools to them.

So do we need two GP gateways, with the same loopback but different tunnel interfaces, and both tunnel interfaces assigned to different zones?

And then on the two gateways we define the different IP pools, for example 192.168.1.10-192.168.1.150 for Corp users on GP Gateway 1 with tunnel interface tunnel.1,

and another pool of 192.168.1.225-192.168.1.240 for external users on GP Gateway 2 with tunnel interface tunnel.2.

Both gateways have the same loopback interface?

Does this work?

Because as far as I know, HIP profiles are allocated to security policies, so we need to define two zones.

Also, do we have to manually define the antivirus we want to accept, or can GP check automatically what is acceptable to the Palo Alto database? Normally in Host Check it should check the trusted known antivirus, but in GP I believe we have to manually define or restrict it?

Because we have no control over which antivirus our partners use, so every time there is a new partner it could lead to problems.



@FWPalolearner,

You can assign a different IP pool within the Gateway's client settings so that a particular group (in your case your external partners) is granted different criteria, including IP pools, for this purpose. That would be an easier and cleaner solution for what you are attempting to do.

I'm not actually sure whether you need to specify a vendor when you set up the HIP Object, or if not selecting a vendor will allow all identifiable products to actually count towards the profile. It would be something to check quickly when you roll this out.

Hi @BPry,

Thanks.

We have a lot of external partners and we want to enable a HIP profile with an antivirus check.

Palo Alto has a predefined list of 3rd-party AV vendors.

So this means I have to ask all my partners beforehand what AV they use.

If I don't select any specific vendor, it should check against its own predefined list. Well, this is what I used to have with the Pulse Secure Host Checker.

Even though I have no practical experience with HIP, this is a requirement for the customer, and I currently have no demo system to check.


@FWPalolearner,

You can always create a HIP object without actually using it within a HIP Profile assigned to any access requirements for testing purposes. You can verify via the firewall's HIP Match logs that the object is matching as expected before actually making it a requirement. I'd advise that this be followed for any new object you create to make sure that you won't accidentally break anything.

I'm fairly confident that you can leave out any specified vendor and the firewall will check its entire vendor/product list when analyzing the HIP condition, but I can verify that if I remember later this evening.

@BPry, thanks a lot as always.

I will also try to find a demo VM to test with in the meantime.

@FWPalolearner,

Just went through and verified that you don't need to select the actual vendor or product when you configure an anti-malware HIP object. That will default to the firewall simply checking the requirements that you have selected regardless of vendor and the hip object matches as expected.

@BPry, wow, thanks a lot. The anti-malware check will make it easy to convince the customer for UAT.

Thanks again, cheers.
