How can i apply different HIP Policy for external users?

Showing results for 
Show  only  | Search instead for 
Did you mean: 

How can i apply different HIP Policy for external users?

L0 Member

Hello Dear Community,

I have 2 SSL VPN rules assigned to my username in Palo Alto firewall. For testing purposes, I added a HIP profile to only one of them. The device I tested does not comply with the HIP profile.

The VPN connection is notifyed as failed. The rule to which I applied the HIP Profile is not working because the computer I'm using does not comply with the HIP profile.
That's OK

I believe that the VPN connection should not be established since the computer does not comply with the HIP profile.


When I did some research, they told me that I should apply the HIP profile to the SSLVPN WAN rule. However, it's not possible for me to apply the same policy to consultants/external users. What should I do exactly here?

Do I need a new VPN Gateway? Or should I add a new WAN rule and apply HIP to it? Please enlighten me in simple terms.


Cyber Elite
Cyber Elite


If you wanted to use a HIP Profile on one of your security entries for corporate users and not for consultant or external users, you would simply build the security entry targeting the specific group of users. So as an example of all internal users were in a group called 'Internal-Users' and everyone else was in a group called 'Consultants', you would simply build a rule for each group. In the 'Internal-Users' group you would include the HIP-profile that you wish to target so that anyone matching that HIP profile hits the rule in question. Then with the 'Consultants' group you would simply not include that HIP-profile as match criteria.



It has become even more complex.
I have 5 groups: software, dba, external, internal, etc...
I can create a lot of HIP profiles, that's not a problem, but I'm stuck on how to apply them targeting these groups. This part is currently confusing me.
GP > GW > agent > client settings, here I have 5 user types and integration with Office 365 for login authentication. Can I apply it from here? It's possible? I guess no.

Can I only add them from the device section within the firewall access rules? Is there any other option? I'm using version 11.

Company's computer feature: joined domain, company av, company dlp, generic hostname External comp. they have not same feature, you know..

What's is your advice now?
thanks for your interest

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!