MickBall
L7 Applicator

No, I don't think this is possible, as HIP info is collected and sent after the GW connection is established.

You could add a deny policy at the top of your ruleset to deny all from sslvpn zone if HIP is "Not" a match.

This would save you adding to all other policies, but you will then need to move up any policies that you may have that would allow traffic with a no match (if you have any).
