02-29-2024 09:51 AM
Hello,
We're trying to figure out if there's a way to have different HIP Profiles attached to different GlobalProtect App groups. At the highest level, we have two GlobalProtect App Settings / Groups defined. One is default and one is for Contractors. Contractors who connect to GlobalProtect get assigned slightly different settings for a number of reasons.
Right now the HIP Check Profile is globally assigned. Ideally, we'd like to create a tighter HIP check for the Default group, since we have more control over those systems, without impacting the other groups.
Any ideas, or is this just a limitation of Prisma Access / GlobalProtect?
02-29-2024 06:26 PM - edited 03-15-2024 12:24 PM
Hi @KevinPawloski,
HIP Profiles are not attached to GP groups. They are enforced in the security policy. HIP failures do not cause users to disconnect from GP. If the security policy is set up correctly, devices that do not match the profiles will still connect via GP, but cannot access resources except possibly remediation servers.
If you have current security policy rules for the GP source zone and contractors, you can add the HIP Profile and the users will not match the rule unless they match the HIP Profile. You can also add the HIP Profile to your default GP rules, and the contractors will not match the "tighter" HIP Profile and will not be allowed.
For your gateway, you could set up a HIP match notification popup so that different users will get different notices when they match different profiles. If you want a "not match" popup, you would need 2 gateways. Otherwise the contractors would get the not-match tight HIP Profile popup, and the default users would get the not-match contractor HIP Profile popup.
Thanks,
Tom
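The policy design described in the answer above, as an added worked example (not code from the original thread or from Palo Alto Networks). It simulates PAN-OS first-match security policy evaluation for GlobalProtect traffic: two HIP profiles (a strict one for the default group, a looser one for contractors), a rule per group that only matches when the session's HIP report satisfies that rule's profile, a remediation rule with no HIP requirement, and a final deny. The zone names, group names, HIP conditions and rule names are all assumptions chosen for the illustration; the endpoints' HIP reports are constructed inline.

```python
"""Simulation of HIP-profile enforcement in a PAN-OS security rulebase.

Added example. Zone, group, rule and HIP-condition names are assumed for
illustration; HIP reports below are constructed, not captured from a device.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class HipProfile:
    name: str
    required: frozenset  # HIP conditions the endpoint's report must satisfy


@dataclass(frozen=True)
class Rule:
    name: str
    from_zone: str
    to_zone: str                        # "any" or a zone name
    source_users: Optional[frozenset]   # None = any user
    hip_profile: Optional[HipProfile]   # None = no HIP requirement
    action: str


@dataclass(frozen=True)
class Session:
    user: str
    groups: frozenset      # User-ID group membership
    from_zone: str
    to_zone: str
    hip_report: frozenset  # conditions the GP client's HIP report satisfies


# Assumed HIP profiles: the default group gets the tighter set of checks.
STRICT = HipProfile("hip-default-strict",
                    frozenset({"disk-encryption", "av-realtime", "patches-current"}))
CONTRACTOR = HipProfile("hip-contractor", frozenset({"av-realtime"}))

# Assumed rulebase, top to bottom. The default rule is scoped to the employee
# group so a contractor with a clean endpoint still cannot fall into it.
RULEBASE = [
    Rule("gp-contractors-apps", "gp-vpn", "corp-apps", frozenset({"contractors"}), CONTRACTOR, "allow"),
    Rule("gp-default-apps", "gp-vpn", "corp-apps", frozenset({"employees"}), STRICT, "allow"),
    Rule("gp-remediation", "gp-vpn", "remediation", None, None, "allow"),
    Rule("gp-deny-all", "gp-vpn", "any", None, None, "deny"),
]


def hip_matches(profile: Optional[HipProfile], session: Session) -> bool:
    """A rule with no HIP profile matches any endpoint; otherwise all conditions must hold."""
    return profile is None or profile.required <= session.hip_report


def user_matches(rule: Rule, session: Session) -> bool:
    return rule.source_users is None or bool(rule.source_users & session.groups)


def match_rule(rulebase: list, session: Session) -> Optional[Rule]:
    """First-match evaluation; None models the implicit interzone deny."""
    for rule in rulebase:
        if rule.from_zone != session.from_zone:
            continue
        if rule.to_zone not in ("any", session.to_zone):
            continue
        if not user_matches(rule, session):
            continue
        if not hip_matches(rule.hip_profile, session):
            continue
        return rule
    return None


def flows_for(user: str, groups: set, hip_report: set) -> dict:
    """Outcome per destination for one connected GP user.

    The tunnel itself is never torn down: a HIP failure only changes which
    rule each flow hits, which is why the remediation rule is needed.
    """
    result = {}
    for dest in ("corp-apps", "remediation"):
        s = Session(user, frozenset(groups), "gp-vpn", dest, frozenset(hip_report))
        rule = match_rule(RULEBASE, s)
        result[dest] = (rule.name, rule.action) if rule else ("implicit", "deny")
    return result


if __name__ == "__main__":
    # Constructed HIP reports for four connected endpoints.
    for user, groups, report in [
        ("alice", {"employees"}, {"disk-encryption", "av-realtime", "patches-current"}),
        ("bob", {"employees"}, {"disk-encryption", "av-realtime"}),   # unpatched
        ("carol", {"contractors"}, {"av-realtime"}),
        ("dave", {"contractors"}, set()),                              # no AV
    ]:
        print(user, flows_for(user, groups, report))
```

Run it to see that bob (an employee failing the strict profile) and dave (a contractor failing the contractor profile) stay connected but only reach the remediation zone, while alice and carol reach corp-apps through their own group's rule. Rule order matters in the real rulebase exactly as it does here: the HIP-bearing allow rules must sit above the remediation and deny rules.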