03-12-2021 09:50 PM
we are using PA Globalprotect for Remote VPN users. Currently planning to implement Cisco ISE posture for RVPN clients.
how can I integrate Globalprotect with Cisco ISE posture module.
09-13-2021 06:08 AM
Thank you @charles07 for posting question.
The ultimate answer is no. The Cisco ISE posture module will only work with Cisco AnyConnect client. Unfortunately there is no integration support for 3d party vpn clients. This information is backed by my Cisco SE. You can still use ISE for authentication of Global Protect clients. If posture check by ISE is a must, then you will unfortunately have to go with AnyConnect.
Kind Regards
Pavel
09-13-2021 07:30 AM - edited 09-13-2021 07:31 AM
Hi @charles07 ,
Have you considered using HIP-Based Policy Enforcement? This is the PANW equivalent of ISE posture. This feature is integrated with your existing GlobalProtect (GP) clients. However, it does require a GP license. GP is easy to integrate with ISE as a RADIUS server. The easiest solution would be to let the firewall determine HIP compliance and access, but that possibly could be accomplished with ISE using VSAs.
Regards,
Tom
09-14-2021 02:05 AM
Hi @TomYoung GP HIP profile is not equivalent to ISE posture. Much features with ISE are missing in GP HIP.
09-14-2021 06:07 AM - edited 09-14-2021 01:49 PM
That statement is not supported by facts. (I'm not saying you don't have any. You didn't state any.) A HIP object can be configured to check mobile device info/settings/apps, PC patch info, personal firewalls, anti-malware/virus software, disk backup, disk encryption, DLP software, certificates, process checks, registry entries, etc. What specific features does ISE Posture check that are not included? I am interested in knowing. I would like to keep this forum technical.
06-21-2024 07:50 AM
I haven't found a way to check certs with HIP after login. This seems like it should... be something that GP can do via HIP but Palo TAC is not sure how and there is no documentation on how to check for a cert on a pc/mac. If anyone has found a way - please let me know. So far, seems Palo professional services is the only way to get it done since no one bothered to document this in the administration guide.
06-21-2024 01:06 PM
Hi @dcawood1 ,
Here is where you check certificates with HIP:
You could also configure certificate authentication and/or username/password.
Thanks,
Tom
06-21-2024 02:35 PM
Hi @TomYoung , I have a couple of hip cert checks (issuer&certficate-template-oid) and they match on my laptop. I basically exported the issuing cert for my laptop machine cert from mmc. However, when another test user connects to the test gateway - no cert info is collected from his machine. Any idea what would be causing this and is there another cert I should be using for the cert profile for these hip matches. I haven't found any information yet that would clue me into what I am doing wrong here.
Steps taken:
1 - export cert that shows up as the issuing cert for my laptop
2 - import cert to portal/gateway
3 - create cert profile and add imported cert
4 - create hip objects that validate issuer/template criteria
5 - add cert profile to portal/agent - hip data collection
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
