This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

How can i apply different HIP Policy for external users?

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

How can i apply different HIP Policy for external users?

omertaskin
L0 Member

‎09-05-2023 05:05 AM

Hello Dear Community,

I have 2 SSL VPN rules assigned to my username in Palo Alto firewall. For testing purposes, I added a HIP profile to only one of them. The device I tested does not comply with the HIP profile.

The VPN connection is notifyed as failed. The rule to which I applied the HIP Profile is not working because the computer I'm using does not comply with the HIP profile.
That's OK

I believe that the VPN connection should not be established since the computer does not comply with the HIP profile.

 

When I did some research, they told me that I should apply the HIP profile to the SSLVPN WAN rule. However, it's not possible for me to apply the same policy to consultants/external users. What should I do exactly here?

Do I need a new VPN Gateway? Or should I add a new WAN rule and apply HIP to it? Please enlighten me in simple terms.

0 Likes Likes
2 REPLIES 2

BPry
Cyber Elite
Cyber Elite

‎09-05-2023 05:57 AM

@omertaskin,

If you wanted to use a HIP Profile on one of your security entries for corporate users and not for consultant or external users, you would simply build the security entry targeting the specific group of users. So as an example of all internal users were in a group called 'Internal-Users' and everyone else was in a group called 'Consultants', you would simply build a rule for each group. In the 'Internal-Users' group you would include the HIP-profile that you wish to target so that anyone matching that HIP profile hits the rule in question. Then with the 'Consultants' group you would simply not include that HIP-profile as match criteria.

 

 

0 Likes Likes

omertaskin
L0 Member
In response to BPry

‎09-05-2023 10:53 PM

It has become even more complex.
I have 5 groups: software, dba, external, internal, etc...
I can create a lot of HIP profiles, that's not a problem, but I'm stuck on how to apply them targeting these groups. This part is currently confusing me.
GP > GW > agent > client settings, here I have 5 user types and integration with Office 365 for login authentication. Can I apply it from here? It's possible? I guess no.

Can I only add them from the device section within the firewall access rules? Is there any other option? I'm using version 11.

Company's computer feature: joined domain, company av, company dlp, generic hostname External comp. they have not same feature, you know..

What's is your advice now?
thanks for your interest

0 Likes Likes
  • 673 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks