Global Protect HIP Check and AD Computer Account

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Global Protect HIP Check and AD Computer Account

L0 Member

Hello,

 

I'm currently trying to restrict Global Protect users from logging into the Portal or Gateway with unauthorized devices.

 

In our setup, all devices that are allowed to connect (mobile, laptops, desktops, etc.) are listed in an Active Directory OU (computer account).

 

I have been unable to find any information on how to configure this restriction in the official documentation or through online resources.

Is it possible to implement this limitation?

 

Thanks,

2 REPLIES 2

Cyber Elite
Cyber Elite

Hi @BusanaB ,

 

One method you could use is to verify the domain retrieved under host info:

 

TomYoung_0-1689819020181.png

 

If the domain matches the HIP object, then it is a device in the domain.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

L2 Linker

Hi,

The most secure way of checking this I using certificates, checking if the connecting client is using a certificate distributed by your companies PKI.

https://docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/authentication/set-up-client...

You can even deploy separate certificates per device type using extended key usage and check on the specific OID. (Microsot PKI)

On top of the client cert user or machine cert you add SAML/LDAP/RADIUS authentication.

 

Or you can do the check for allowed on you authentication backend RADIUS (NPS/ISE).  But this will not disallow users from connecting to portal and trying to authenticate on it.  Can only be achieved with certificates.  

 

 

  • 2160 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!