GlobalProtect HIP Check when connecting to external gateway

Reply
L1 Bithead

GlobalProtect HIP Check when connecting to external gateway

I have GlobalProtect portal/gateway configured and working in my environment. External users can connect to the GP portal/gateway and receive network access.

 

I have set up a HIP profile to check for domain joined and AV updated in the last 3 days. What I'd like to do is have the HIP check run during the initial connection to GP portal/gateway, so basically if HIP check passes, user is allowed to connect to GP, if HIP check fails, user is not allowed to connect to GP.

 

I do not want to set the HIP check profile for SSLVPN zone on every single firewall rule (we have a huge ruleset). I only want the HIP check enforced on connection to the GP portal/gateway.

 

I tried applying the HIP check profile to the firewall rule that allows GP connection from WAN, but that did not do the trick.

Tags (2)

Accepted Solutions
L7 Applicator


All Replies
L7 Applicator

No I don't think this is possible as HIP info is collected and sent after the GW connection is established.

You could add a deny policy at the top of your ruleset to deny all from sslvpn zone  if HIP  is "Not" a match.

this would save you adding to all other policies but you will then need to move up any policies that you may have that would allow traffic with a no match (If you have any). 

L1 Bithead

I understand what you're saying, but trying to figure out how I would design that rule.

 

Zone- SSLVPN

Source- User, Address- Any

HIP Profile- HIP-Checks

Destination- Zone, User, Address- Any

Action- Deny?

L7 Applicator

OK I will try to keep it simple and us an OS as the example.

 

what we are trying to achieve is to allow all win10  devices access via the policies.

But we do not want to add this to all of the policies as there is hundreds of them.

 

so...   

objects/hip object   add name win10-check     general/host info/OS contains msoft windows 10.

 

then..

 

objects/hip profiles  add  name not-win10    match add NOT  win10-check

 

then..

 

policy add from sslvpn   to private   hip not-win10  any any any deny

 

i hope i got that correct as popping out...

 

so...   if you only allow a certain level in, AV etc. then block those that do not meet the requirement with a NOT hip profile.

 

 

L7 Applicator

L1 Bithead

Perfect, this works!!

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!