HIP profile for external Partners

L2 Linker


Hello;

We have to set up a HIP profile check for Corp users and external partners.

Currently we have a common Loopback Interface having a Private IP, and we have a tunnel interface.

Both loopback and Tunnel are part of the same zone called GP.

This is the same Cluster on which Portal and gateway are running.

In order to assign separate HIP Profiles to Corp users and External, we have to allocate different IP pools to them.

So do we need two GP gateways, with the same loopback but different Tunnel interfaces, and both tunnel interfaces assigned to different zones?

And then on the two gateways we define the different IP pools, for example 192.168.1.10-192.168.1.150 to corp users in GP Gateway 1 having tunnel interface tunnel.1,

and then another pool of 192.168.1.225-192.168.1.240 to external users in GP gateway 2 having tunnel interface tunnel.2.

Both gateways have the same loopback interface?

Does this work?

Because as far as I know, HIP Profiles are allocated to Security Policies, so we need to define two Zones.

Also, do we have to manually define the Antivirus we want to accept, or can GP check automatically what is acceptable to the Palo Alto Database? Normally in Host check it should check the trusted known Antivirus, but in GP I believe we have to manually define or restrict it?

Because we have no control over which antivirus our Partners use, so every time there is a new partner it could lead to problems.


Cyber Elite

@FWPalolearner,

You can assign a different IP pool within the Gateway's client settings so that a particular group (in your case your external partners) is granted different criteria, including IP Pools, for this purpose. That would be an easier and cleaner solution for what you are attempting to do.

I'm not actually sure that you need to specify a vendor when you set up the HIP Object, or if not selecting a vendor will allow all identifiable products to actually count towards the profile? It would be something to check quickly when you roll this out.
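To make the single-gateway design from this reply concrete, here is an added Python model (not PAN-OS configuration and not code from the thread): one gateway, two client-settings entries keyed by user group with the IP pools from the question, and a security policy that matches the source pool plus an anti-malware HIP check. The group names, the `POLICY` table and the HIP report fields are constructed assumptions.

```python
"""Model of the single-gateway design from the reply above: one gateway, two
client-settings entries keyed by user group (each with its own IP pool), then a
security policy that matches the source pool together with a HIP profile.
Added illustration with constructed data; it is not PAN-OS code."""
import ipaddress

# Client settings in evaluation order: the first entry whose group matches wins.
# Pools are the ranges proposed in the original question (constructed example).
CLIENT_SETTINGS = [
    {"name": "corp", "group": "corp-users", "pool": ("192.168.1.10", "192.168.1.150")},
    {"name": "partners", "group": "external-partners", "pool": ("192.168.1.225", "192.168.1.240")},
]

def assign_pool(user_groups):
    """Return the name of the first client-settings entry whose group the user is in."""
    for cs in CLIENT_SETTINGS:
        if cs["group"] in user_groups:
            return cs["name"]
    raise PermissionError("no client-settings entry matches the user's groups")

def pool_for(src_ip):
    """Map a tunnel source address back to its pool name (None if outside all pools)."""
    ip = ipaddress.IPv4Address(src_ip)
    for cs in CLIENT_SETTINGS:
        lo, hi = (ipaddress.IPv4Address(a) for a in cs["pool"])
        if lo <= ip <= hi:
            return cs["name"]
    return None

def antimalware_matches(hip_report, vendor=None):
    """Anti-malware HIP object: vendor=None accepts any product (the behaviour
    verified later in the thread); only the selected criteria are checked."""
    for product in hip_report.get("anti-malware", []):
        if vendor is not None and product["vendor"] != vendor:
            continue
        if product["installed"] and product["realtime"]:
            return True
    return False

# Security policy keyed by pool: corp must run a named product, partners any vendor
# (constructed policy for illustration).
POLICY = {"corp": {"vendor": "CorpAV"}, "partners": {"vendor": None}}

def policy_allows(src_ip, hip_report):
    """Allow only when the source sits in a known pool and its HIP profile matches."""
    pool = pool_for(src_ip)
    if pool is None:
        return False
    return antimalware_matches(hip_report, **POLICY[pool])
```

Because the policy keys off the pool, the group-to-pool mapping in the client settings is the control that keeps a partner out of the corp rule; a user in neither group gets no tunnel address at all.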

L2 Linker

Hi @BPry

Thanks.

We have a lot of external partners and we want to enable a HIP profile with an antivirus check.

Palo Alto has a predefined list of 3rd party AV vendors.

So this means I have to ask all my partners beforehand what AV they use.

If I don't select any specific vendor, it should check from its own predefined list. Well, this is what I used to have with Pulse Secure host checker.

Even though I have no practical experience with HIP, this is a requirement for the customer, and I currently have no demo system to check.

Cyber Elite

@FWPalolearner,

You can always create a HIP object without actually using it within a HIP Profile assigned to any access requirements for testing purposes. You can verify via the firewall's HIP Match logs that the object is matching as expected before actually making it a requirement. I'd advise that this be followed for any new object you create to make sure that you won't accidentally break anything.

I'm fairly confident that you can leave out any specified vendor and the firewall will check its entire vendor/product list when analyzing the HIP condition, but I can verify that if I remember later this evening.

L2 Linker

@BPry Thanks a lot as always.

I will also try to see if I can find some demo VM to test in the meantime.

Cyber Elite

@FWPalolearner,

Just went through and verified that you don't need to select the actual vendor or product when you configure an anti-malware HIP object. That will default to the firewall simply checking the requirements that you have selected regardless of vendor, and the HIP object matches as expected.

L2 Linker

@BPry wow, thanks a lot. The Antimalware check will make life easy to convince the customer for UAT.

Thanks again, cheers.
