We've configured the PA500 to accept iPad connections using IPsec, but is there a way to detect the fact that an iPad is connected using HIP rules? We would like to only allow traffic to certain systems.
Version PAN-OS = 4.1.4
Being able to detect iOS via HIP is not currently supported even in the licensed GlobalProtect version (which actually allows the use of HIP).
You can however tell if an iPhone / iOS device is connected using GlobalProtect, when you look at
show global-protect current-user
I am not sure where 'native' support sits in the roadmap. With PAN-OS 5.0 one can inject HIP information through the API. Couple that with an MDM vendor and you have a potential solution:
Sourcenet (the people behind the Applipedia and Vulnipedia app in Google Play Store for Palo Alto) seems to have released a new app named "Mobile User-ID Beta 1" which I guess might be something similar as this thread is asking about?
IMPORTANT NOTES: This application will not operate without the necessary back-end software. While the beta test is restricted to a closed user group, please feel free to contact us if you are interested in the product or release date. Make sure you read and agree to the disclaimer prior to downloading the app.
In a nutshell
Mobile User-ID enables customers of Palo Alto Networks to securely connect their Android users to the corporate network if their devices meet a given security compliance policy. User-ID works by identifying a user based on his/her phone number or any device identifier, such as IMSI, IMEI or SIM serial number which is either stored in a MS Active Directory, any other LDAP server or a local list. Once a user has been assigned to a compliant device, the firewall allows access to that user by means of Palo Alto's User-ID Agent using its XML API.
Features of Beta1
- Identify users based on phone number, IMSI, IMEI or SIM card serial number
- Leverages MS Active Directory, any other LDAP server or a local list to assign a user to a device
- Compliance: Detect and block rooted devices
- Compliance: White- or blacklisting of apps
- Compliance: Detect and prohibit SIM card changes
- Compliance: White- or blacklisting of SIM serial number, IMSI, IMEI, device model, operating system (version), provider (MNC, MCC), country (MCC) or client version
- Runs as a background process which checks and connects periodically (optimized for low battery consumption) in Android 2.3 or higher
- Communication attempts to the backend server can be limited to occur only when connected to certain wireless networks specified in the policy (SSIDs)
- Optional notification when connected, invisible to users
- Provision user either with the device's WLAN IP address or the IP address seen by the backend server (in case of NAT)
- Device data sent to backend server is encrypted (AES)
Requirements
- Backend Server (APServer 1.0 or higher)
- PAN Firewall running PAN-OS 4.X or 5.X
- User-ID Agent with open XML API
- Handhelds running Android 2.2 or higher
1. Note that this app is not officially supported by Palo Alto Networks.
2. The term User-ID is used by Palo Alto Networks. This app refers to its technology.
3. This app should be seen as a proof-of-concept in order to make a firewall aware of Android users. While Palo Alto products were used for the sake of its simple API, the software (both, app and backend server) is vendor-independent and could be used with other products as well.
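To make concrete how a compliance back-end like the one described above can hand a user-to-IP mapping to the firewall, here is an added example that is not part of the thread or of the Sourcenet app. It evaluates a few constructed device reports against the kinds of checks listed (rooted device, SIM change, model allow-list), looks the owner up in a local list, and builds a User-ID XML "login" message in the uid-message format; the device list, reports and the submit() endpoint form are assumptions.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample data: device identifier (IMEI) -> user, standing in for the
# "local list" option instead of AD/LDAP.
DEVICE_OWNERS = {"356938035643809": "corp\\alice", "356938035643810": "corp\\bob"}
ALLOWED_MODELS = {"Nexus 5", "Galaxy S3"}

# Constructed device reports as a backend might receive them (decrypted already).
SAMPLE_REPORTS = [
    {"imei": "356938035643809", "ip": "10.20.30.40", "rooted": False,
     "sim_serial": "8931", "enrolled_sim_serial": "8931", "model": "Nexus 5"},
    {"imei": "356938035643810", "ip": "10.20.30.41", "rooted": True,    # rooted
     "sim_serial": "8932", "enrolled_sim_serial": "8932", "model": "Nexus 5"},
    {"imei": "000000000000000", "ip": "10.20.30.42", "rooted": False,   # unknown
     "sim_serial": "8933", "enrolled_sim_serial": "8933", "model": "Nexus 5"},
]

def is_compliant(report):
    """Rooted devices, SIM changes since enrollment and unlisted models fail."""
    if report.get("rooted"):
        return False
    if report.get("sim_serial") != report.get("enrolled_sim_serial"):
        return False
    return report.get("model") in ALLOWED_MODELS

def build_uid_message(reports, timeout_min=20):
    """Return (uid-message XML, rejected IMEIs). Only compliant devices whose
    owner is known get a login entry; the firewall then maps IP -> user."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    login = ET.SubElement(ET.SubElement(root, "payload"), "login")
    rejected = []
    for r in reports:
        user = DEVICE_OWNERS.get(r["imei"])
        if user is None or not is_compliant(r):
            rejected.append(r["imei"])
            continue
        ip = str(ipaddress.ip_address(r["ip"]))  # reject malformed addresses early
        ET.SubElement(login, "entry", name=user, ip=ip, timeout=str(timeout_min))
    return ET.tostring(root, encoding="unicode"), rejected

def submit(fw_host, api_key, xml):
    """POST the message to the firewall's XML API (type=user-id). Assumed
    endpoint form; not called here so the example runs offline."""
    import urllib.parse, urllib.request
    body = urllib.parse.urlencode({"type": "user-id", "key": api_key, "cmd": xml})
    return urllib.request.urlopen(f"https://{fw_host}/api/", data=body.encode()).read()
```

Mappings expire after the timeout unless refreshed, so the periodic check-in the app performs is what keeps a compliant device's access alive.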
Thanks for the info mikand, but I see that this is only for Android users and, what is more important, this app is not officially supported by Palo Alto Networks.
I hope PAN will at some point make possible the detection of an iPad even if we are using its native VPN client.