Question about Tunnel Settings


L1 Bithead

We currently have Prisma Access set up and configured and we are in the process of rolling it out to the rest of the organization as a replacement for Citrix. One scenario that has come up has been the question of how we address IT staff and give them an alternate "emergency/break glass" way to log in remotely without having to have a company laptop with them at all times. This question was easily answered with Citrix: you just use the Workspace app and connect to the NetScaler and you're in. The question of how to address this with Prisma/GlobalProtect also spawned a discussion about BYOD.


Ultimately, what I'd like to do is have a policy in place that when a user connects with a company laptop that is joined to our AD domain, they get a full tunnel with no local LAN access, and all traffic has to traverse Prisma no matter what. If they connect with a non-domain machine (i.e. a personal Windows laptop, a MacBook, an iPad, etc.) they get a very specific and restrictive policy that only allows access to specific "jump boxes", and only tunnels the traffic to those destinations over a split tunnel, with all other traffic going out the user's normal network connection.


The problem I'm running into is that there does not seem to be a way to apply Tunnel settings based on a HIP check. I know that the "app settings" can be matched based on a HIP check, but you don't set full vs. split tunnel in those settings. I also know that you can match HIP attributes in the security policy, but again that does not allow me to change whether or not GlobalProtect is using a split or full tunnel. I can sort of fake this by matching different types of users, but I do not want to maintain local accounts for everyone who would be using this functionality just to achieve this. Is there a way to have two different tunnel policies for the same user based on attributes/telemetry from the device they are using to connect rather than the authentication method?


I had considered trying to use the Clientless VPN function to address some of this, but in my testing I could not get it to respect the access restrictions I put on specific user groups or applications, so I ended up turning it off again. It's possible I was doing something wrong, but it does not look to be a good solution for this use case.
