HIP profile for external Partners



Hello,

We have to set up a HIP profile check for corp users and external partners.

Currently we have a common loopback interface with a private IP, and we have a tunnel interface.

Both the loopback and the tunnel are part of the same zone, called GP.

This is the same cluster on which the portal and gateway are running.

In order to assign separate HIP profiles to corp users and external users, we have to allocate different IP pools to them.

So do we need two GP gateways, with the same loopback but different tunnel interfaces, and both tunnel interfaces assigned to different zones?

And then on the two gateways we define the different IP pools, for example a pool for corp users in GP Gateway 1 with tunnel interface tunnel.1,

and then another pool for external users in GP Gateway 2 with tunnel interface tunnel.2.

Both gateways have the same loopback interface?

Does this work?

Because as far as I know, HIP profiles are allocated to security policies, so we need to define two zones.

Also, do we have to manually define the antivirus we want to accept, or can GP check automatically what is acceptable according to the Palo Alto database? Normally in a host check it should check against the trusted known antivirus products, but in GP I believe we have to manually define or restrict it?

Because we have no control over which antivirus our partners use, so every time there is a new partner it could lead to a problem.




Accepted Solutions


Just went through and verified that you don't need to select the actual vendor or product when you configure an anti-malware HIP object. That will default to the firewall simply checking the requirements that you have selected regardless of vendor, and the HIP object matches as expected.

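Added illustrative example (not from this thread, and not Palo Alto code): a small Python model of the anti-malware HIP object semantics confirmed above, where leaving the vendor unset means any reported product is checked against the selected requirements. The class names, fields and endpoint reports are constructed assumptions; the object's real-time-protection and definition-age criteria are modelled here as examples of "requirements you have selected".

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed model of an anti-malware HIP object check, for illustration only.
# It is not PAN-OS code and does not reproduce its data structures.

@dataclass(frozen=True)
class AntiMalwareHipObject:
    name: str
    vendor: Optional[str] = None                 # None: any vendor/product the agent reports
    require_realtime_protection: bool = True
    max_definition_age_days: Optional[int] = 7   # None: do not check definition age

@dataclass(frozen=True)
class AvProductReport:
    """One anti-malware product as reported by the endpoint (constructed sample data)."""
    vendor: str
    realtime_protection: bool
    definitions_date: date

def hip_object_matches(obj: AntiMalwareHipObject, reported: list, today: date) -> bool:
    """True if any reported product satisfies every criterion set on the object."""
    for p in reported:
        if obj.vendor is not None and p.vendor != obj.vendor:
            continue                             # vendor filter applies only when one is set
        if obj.require_realtime_protection and not p.realtime_protection:
            continue
        if obj.max_definition_age_days is not None \
                and (today - p.definitions_date).days > obj.max_definition_age_days:
            continue
        return True
    return False

# Constructed endpoint reports: one corp laptop and two partners using different AV vendors.
TODAY = date(2024, 3, 15)
HOSTS = {
    "corp-laptop": [AvProductReport("VendorA", True, date(2024, 3, 14))],
    "partner-1":   [AvProductReport("VendorB", True, date(2024, 3, 13))],
    "partner-2":   [AvProductReport("VendorC", True, date(2024, 1, 2))],   # stale definitions
}
ANY_VENDOR = AntiMalwareHipObject("av-any-vendor")                        # no vendor selected
VENDOR_A_ONLY = AntiMalwareHipObject("av-vendor-a", vendor="VendorA")     # vendor restricted

def evaluate(obj: AntiMalwareHipObject) -> dict:
    """Evaluate one HIP object against every constructed host; returns host -> match."""
    return {host: hip_object_matches(obj, reports, TODAY) for host, reports in HOSTS.items()}

if __name__ == "__main__":
    for obj in (ANY_VENDOR, VENDOR_A_ONLY):
        print(obj.name, evaluate(obj))
```

With no vendor set, partner-1 matches despite using a vendor the admin never listed, while partner-2 still fails on the definition-age requirement; restricting the vendor excludes both partners.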




You can assign a different IP pool within the Gateway's client settings so that a particular group (in your case your external partners) is granted different criteria, including IP pools, for this purpose. That would be an easier and cleaner solution for what you are attempting to do.

I'm not actually sure that you need to specify a vendor when you set up the HIP Object, or if not selecting a vendor will allow all identifiable products to actually count towards the profile. It would be something to check quickly when you roll this out.

Hi @BPry

Thanks.

We have a lot of external partners and we want to enable a HIP profile with an antivirus check.

Palo Alto has a predefined list of 3rd party AV vendors.

So this means I have to ask all my partners beforehand what AV they use.

If I don't select any specific vendor, it should check from its own predefined list. Well, this is what I used to have with the Pulse Secure host checker.

Even though I have no practical experience with HIP, this is a requirement for the customer and I currently have no demo system to check.




You can always create a HIP object without actually using it within a HIP Profile assigned to any access requirements for testing purposes. You can verify via the firewall's HIP Match logs that the object is matching as expected before actually making it a requirement. I'd advise that this be followed for any new object you create to make sure that you won't accidentally break anything.

I'm fairly confident that you can leave out any specified vendor and the firewall will check its entire vendor/product list when analyzing the HIP condition, but I can verify that if I remember later this evening.

@BPry Thanks a lot as always.

I will also try to find some demo VM to test in the meantime.
