Use HIPS to assign Gateway IP Address for external clients


L0 Member

Hi,

I am looking at how to assign different IP Pool addresses to clients based on a HIPS check.

We are currently achieving this by assigning a different IP Pool to users based on user group membership of an Active Directory group. When the client authenticates with the Gateway, it receives a Pre-logon IP Address - let's call this an IP Address in Pool A. We want the majority of the client machines to have an IP Address in Pool A, so when the user logs into their client, they continue to use that same IP Address.

The clients that we want to have an IP Address in Pool B initially receive an IP Address in Pool A, as it is received in the pre-logon phase. When the user logs in, the Gateway configuration evaluates AD group membership and will assign an IP Address in Pool B as long as the PANGPS service is restarted and the client reauthenticates with the Gateway. This is somewhat convoluted but works.

I'd now like to change the way this has been implemented to use HIPS so that the client, depending on the HIPS check, will either receive an IP address from Pool A or from Pool B at the pre-logon stage. From what I've been reading, it looks like I would do the following:

  • The HIPS evaluation on the client is going to be based on a registry key, so I would create a HIP Data Collection custom registry check on the pre-logon Agent configuration on the Portal.
  • Create a HIPS Object
  • Create a HIPS Profile

Is it then possible to use the HIPS configuration as the selection criteria to allocate an IP Address from IP Pool B? In the Gateway configuration for the agent, the only selection criteria options are based on Source User, OS, Source Address or IP Address. It doesn't appear to be obvious how to use the HIPS profile as a selection criterion to allocate an IP Pool.

Any suggestions would be appreciated.

Thanks,

Ben

3 REPLIES

Cyber Elite

Hi @BenBrazil,

As you mentioned, HIP is not available under the gateway Config Selection Criteria. The bigger question is "What do you want to use the different IP pools to accomplish?" If those different pools will be used in different security policy rules, then use the HIP Profiles in the rules instead of the IP pools.

Thanks,

Tom

Help the community: Like helpful comments and mark solutions.

L0 Member

Thanks Tom,

The design around the different IP Pools is to prevent access to resources. Agreed, this could be accomplished by a HIPS profile and denying access in policies.

I found a similar post where a suggestion was to create a new Gateway and use the portal to direct the client to the new gateway. The Portal allows for a custom check which could look for a registry key and therefore achieve a similar result to a HIPS check.

Is this a reasonable approach?

Thanks,

Ben

Cyber Elite

Hi @BenBrazil,

That could be a reasonable approach. How would you "direct the client to the new gateway"?

Using IP pools for security policy is a very common approach with many vendors. It generally involves 3 steps:

  1. Identify client attribute (user, group, machine attribute, etc.).
  2. Assign IP pool based upon attribute.
  3. Use IP pool in security policy.

With User-ID and Device-ID, you can use the attribute (user, group, or HIP Profile) directly in the security policy and skip step 2. This allows for the security policy to be more readable (without comments) as long as the users/groups/HIP Profiles are well named, e.g. HR has access to ___ or non-corporate devices have access to ___.

You could also create objects for your IP Pools and give them good names to accomplish the same purpose, but skipping step 2 makes for a slightly less complicated approach. BTW, you need a GlobalProtect license for HIP checks.

Thanks,

Tom

Help the community: Like helpful comments and mark solutions.
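To make the "skip step 2" point concrete, here is an added example (not from the thread and not Palo Alto Networks code) that expresses both policy styles as PAN-OS XML API config requests: one rule that matches on an address object standing for Pool B (the 3-step model), and a rule pair that matches on the HIP profile directly. The zone, address object, HIP profile, rule names and the firewall host are assumptions made up for the illustration; the `/api/?type=config&action=set` endpoint, the vsys xpath, and the `source-hip` (PAN-OS 10.x) / `hip-profiles` (9.x) field names are PAN-OS's own. Building the HIP object and profile themselves is not covered here.

```python
"""Added example: the same GlobalProtect access restriction written two ways,
as PAN-OS XML API 'config set' requests.  Names are assumptions; nothing is
sent to a firewall unless you call config_set_url() against a real host."""
import urllib.parse
import xml.etree.ElementTree as ET

# PAN-OS config xpath for vsys1 on a single-vsys firewall (PAN-OS's own layout).
VSYS_XPATH = ("/config/devices/entry[@name='localhost.localdomain']"
              "/vsys/entry[@name='vsys1']")
RULES_XPATH = VSYS_XPATH + "/rulebase/security/rules"


def _members(parent, tag, values):
    """Append <tag><member>v</member>...</tag> under parent (PAN-OS list form)."""
    node = ET.SubElement(parent, tag)
    for value in values:
        ET.SubElement(node, "member").text = value
    return node


def build_rule(name, from_zone, to_zone, action, source=("any",),
               destination=("any",), source_hip=(), pan_os_10=True):
    """Return the <entry> element of one security rule.

    source     : address objects or 'any' (this is where an IP-pool object goes)
    source_hip : HIP profile names; PAN-OS 10.x calls the field <source-hip>,
                 9.x used <hip-profiles>.
    """
    entry = ET.Element("entry", name=name)
    _members(entry, "from", [from_zone])
    _members(entry, "to", [to_zone])
    _members(entry, "source", list(source))
    _members(entry, "destination", list(destination))
    _members(entry, "source-user", ["any"])
    if source_hip:
        _members(entry, "source-hip" if pan_os_10 else "hip-profiles",
                 list(source_hip))
    _members(entry, "application", ["any"])
    _members(entry, "service", ["application-default"])
    ET.SubElement(entry, "action").text = action
    return entry


def rule_xml(entry):
    return ET.tostring(entry, encoding="unicode")


def config_set_params(entry, api_key):
    """Query parameters for a PAN-OS XML API config 'set' of one rule."""
    return {"type": "config", "action": "set", "key": api_key,
            "xpath": RULES_XPATH, "element": rule_xml(entry)}


def config_set_url(host, entry, api_key):
    return "https://%s/api/?%s" % (
        host, urllib.parse.urlencode(config_set_params(entry, api_key)))


# --- 3-step model: the pool is the match condition (assumed names) ---------
# "GP-Pool-B" is an address object covering the gateway's Pool B.  The rule
# only says something about device posture because steps 1 and 2 placed the
# client there, which is the part Ben found convoluted.
POOL_RULE = build_rule("Deny-PoolB-to-Restricted", "gp-vpn", "dc", "deny",
                       source=["GP-Pool-B"], destination=["Restricted-Servers"])

# --- skip step 2: the HIP profile is the match condition (assumed names) ----
# The rule reads as policy ("managed devices may reach the restricted servers")
# and no longer depends on which pool the client landed in at pre-logon.
HIP_ALLOW = build_rule("Allow-Managed-to-Restricted", "gp-vpn", "dc", "allow",
                       source_hip=["Managed-Device"],
                       destination=["Restricted-Servers"])
HIP_DENY = build_rule("Deny-GP-to-Restricted", "gp-vpn", "dc", "deny",
                      destination=["Restricted-Servers"])
HIP_RULEBASE = [HIP_ALLOW, HIP_DENY]   # order matters: first match wins


if __name__ == "__main__":
    for rule in [POOL_RULE] + HIP_RULEBASE:
        print(rule_xml(rule))
    print(config_set_url("firewall.example.net", HIP_ALLOW, "REDACTED"))
```

Two things to notice: the HIP style needs the explicit deny after the allow, because the rulebase is evaluated top-down and the pool style carried that denial implicitly in where the client was placed; and each `set` only stages the change, so a separate `type=commit` request is still required before it takes effect.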