GlobalProtect HIP Check when connecting to external gateway


L1 Bithead

I have GlobalProtect portal/gateway configured and working in my environment. External users can connect to the GP portal/gateway and receive network access.

 

I have set up a HIP profile to check for domain joined and AV updated in the last 3 days. What I'd like to do is have the HIP check run during the initial connection to the GP portal/gateway, so basically if the HIP check passes, the user is allowed to connect to GP; if the HIP check fails, the user is not allowed to connect to GP.

 

I do not want to set the HIP check profile for SSLVPN zone on every single firewall rule (we have a huge ruleset). I only want the HIP check enforced on connection to the GP portal/gateway.

 

I tried applying the HIP check profile to the firewall rule that allows GP connection from WAN, but that did not do the trick.

L7 Applicator

No, I don't think this is possible, as HIP info is collected and sent after the GW connection is established.

You could add a deny policy at the top of your ruleset to deny all from the sslvpn zone if HIP is "Not" a match.

This would save you adding it to all other policies, but you will then need to move up any policies that you may have that would allow traffic with a no match (if you have any).

I understand what you're saying, but trying to figure out how I would design that rule.

 

Zone- SSLVPN

Source- User, Address- Any

HIP Profile- HIP-Checks

Destination- Zone, User, Address- Any

Action- Deny?

OK, I will try to keep it simple and use an OS as the example.

What we are trying to achieve is to allow all Win10 devices access via the policies.

But we do not want to add this to all of the policies, as there are hundreds of them.

So...

Objects / HIP Objects: add name win10-check; General / Host Info / OS contains Microsoft Windows 10.

Then...

Objects / HIP Profiles: add name not-win10; Match: add NOT win10-check.

Then...

Policy: add from sslvpn to private, HIP profile not-win10, any any any, deny.

I hope I got that correct, as I'm popping out...

So... if you only allow a certain level in (AV etc.), then block those that do not meet the requirement with a NOT HIP profile.

[Attached screenshot: MickBall_0-1608310070352.png]
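The three steps from the accepted reply (HIP object, NOT-match HIP profile, top-of-rulebase deny), written out as PAN-OS configure-mode CLI commands. This is an added example, not the thread's own content or Palo Alto Networks documentation. The object, profile and zone names are the ones used in the reply; the rule name and the OS version string are assumptions, so confirm the exact keywords against the PAN-OS release in use before committing.

```text
# Added example: PAN-OS configure-mode commands for the NOT-match HIP deny described above.
# Object, profile and zone names follow the reply; the rule name Deny-Non-Compliant-HIP
# and the OS version string "Windows 10" are assumed values, not taken from the thread.
configure

# 1. HIP object: matches hosts whose reported OS is Windows 10
set profiles hip-objects win10-check host-info criteria os contains Microsoft "Windows 10"

# 2. HIP profile: matches any host that does NOT satisfy the object above
#    (match expressions reference HIP objects in single quotes)
set profiles hip-profiles not-win10 match "not 'win10-check'"

# 3. Deny rule for non-compliant hosts coming out of the VPN zone
set rulebase security rules Deny-Non-Compliant-HIP from sslvpn to private
set rulebase security rules Deny-Non-Compliant-HIP source any destination any
set rulebase security rules Deny-Non-Compliant-HIP source-user any application any service any
set rulebase security rules Deny-Non-Compliant-HIP hip-profiles not-win10
set rulebase security rules Deny-Non-Compliant-HIP action deny
set rulebase security rules Deny-Non-Compliant-HIP log-end yes   # keep a record of blocked hosts

# 4. Place it first so it is evaluated before the hundreds of existing allow rules
move rulebase security rules Deny-Non-Compliant-HIP top

commit
```

Because the deny sits at the top, any rule that must allow traffic regardless of HIP state (the "no match" policies mentioned earlier in the thread) has to be moved above it, otherwise that traffic is dropped here before it reaches the allow rule. Logging the denies gives a quick way to confirm which hosts are failing the check after commit.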

 

Perfect, this works!!

  • 1 accepted solution
  • 5784 Views
  • 5 replies
  • 0 Likes