Globalprotect with Cisco ISE

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Globalprotect with Cisco ISE

L2 Linker

we are using PA Globalprotect for Remote VPN users. Currently planning to implement Cisco ISE posture for RVPN clients. 

how can I integrate Globalprotect with Cisco ISE posture module.

7 REPLIES 7

Cyber Elite
Cyber Elite

Thank you @charles07 for posting question.

 

The ultimate answer is no. The Cisco ISE posture module will only work with Cisco AnyConnect client. Unfortunately there is no integration support for 3d party vpn clients. This information is backed by my Cisco SE. You can still use ISE for authentication of Global Protect clients. If posture check by ISE is a must, then you will unfortunately have to go with AnyConnect.

 

Kind Regards

Pavel

Help the community: Like helpful comments and mark solutions.

Cyber Elite
Cyber Elite

Hi @charles07 ,

 

Have you considered using HIP-Based Policy Enforcement?  This is the PANW equivalent of ISE posture.  This feature is integrated with your existing GlobalProtect (GP) clients.  However, it does require a GP license.  GP is easy to integrate with ISE as a RADIUS server.  The easiest solution would be to let the firewall determine HIP compliance and access, but that possibly could be accomplished with ISE using VSAs.

 

https://docs.paloaltonetworks.com/globalprotect/8-1/globalprotect-admin/host-information/configure-h...

 

Regards,

Tom

Help the community: Like helpful comments and mark solutions.

Hi @TomYoung GP HIP profile is not equivalent to ISE posture. Much features with ISE are missing in GP HIP.

Cyber Elite
Cyber Elite

That statement is not supported by facts.  (I'm not saying you don't have any.  You didn't state any.) A HIP object can be configured to check mobile device info/settings/apps, PC patch info, personal firewalls, anti-malware/virus software, disk backup, disk encryption, DLP software, certificates, process checks, registry entries, etc.  What specific features does ISE Posture check that are not included?  I am interested in knowing.  I would like to keep this forum technical.

Help the community: Like helpful comments and mark solutions.

L0 Member

I haven't found a way to check certs with HIP after login. This seems like it should... be something that GP can do via HIP but Palo TAC is not sure how and there is no documentation on how to check for a cert on a pc/mac. If anyone has found a way - please let me know. So far, seems Palo professional services is the only way to get it done since no one bothered to document this in the administration guide.

Cyber Elite
Cyber Elite

Hi @dcawood1 ,

 

Here is where you check certificates with HIP:

 

TomYoung_0-1719000371107.png

 

You could also configure certificate authentication and/or username/password.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

L0 Member

Hi @TomYoung , I have a couple of hip cert checks (issuer&certficate-template-oid) and they match on my laptop. I basically exported the issuing cert for my laptop machine cert from mmc. However, when another test user connects to the test gateway - no cert info is collected from his machine. Any idea what would be causing this and is there another cert I should be using for the cert profile for these hip matches. I haven't found any information yet that would clue me into what I am doing wrong here.

 

Steps taken:

1 - export cert that shows up as the issuing cert for my laptop

2 - import cert to portal/gateway

3 - create cert profile and add imported cert

4 - create hip objects that validate issuer/template criteria 

5 - add cert profile to portal/agent - hip data collection

  • 7576 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!