Use HIP to deny logon to PA with exception


L0 Member

Has anyone effectively used HIP to deny login to Prisma Access? One of the biggest challenges we had with AnyConnect (and a large reason we are moving away) is that there were no native methods for controlling which device a user was connecting with.


I have built a Security Pre-Rule that references the Domain-joined HIP Policy, and I can see the matches in our monitor tab. I would like to deny logon to anyone who does not satisfy this rule EXCEPT those who are members of a specific Active Directory user group.


I figure the rules would look something like this:

1) HIP Match on domain = allowed to connect to Portal URL

2) Match on security group membership = allowed to connect to Portal URL

3) Deny all connections to Portal URL.


Can anyone confirm that this would be effective?


L3 Networker

L6 Presenter

Also, before that, make a rule with the correct groups so that you don't match the blocking rule:



How to Add Groups or Users to Security Policy - Knowledge Base - Palo Alto Networks
