05-21-2021 08:46 AM
Has anyone effectively used HIP to deny login to Prisma Access? One of the biggest challenges we had with AnyConnect (and a large reason we are moving away) is that there were no native methods for controlling which device a user was connecting with.
I have built a Security Pre-Rule that references the Domain-joined HIP Policy, and I can see the matches in our monitor tab. I would like to deny logon to anyone who does not satisfy this rule EXCEPT those who are members of a specific Active Directory user group.
I figure the rules would look something like this:
1) HIP Match on domain = allowed to connect to Portal URL
2) Match on security group membership = allowed to connect to Portal URL
3) Deny all connections to Portal URL.
Can anyone confirm that this would be effective?
08-06-2021 05:33 AM
Have you checked the article below?
For using HIP in the security policy :
08-09-2021 06:06 AM
Also before that make a rule with the correct groups so that you don't match the blocking rule:
How to Add Groups or Users to Security Policy - Knowledge Base - Palo Alto Networks
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!