Can Host Information Profile (HIP) be used to allow/block the GlobalProtect VPN connection?

Created On 02/08/24 01:35 AM - Last Modified 04/19/24 20:22 PM


Question


Can HIP be used to allow/block the GlobalProtect VPN connection?

Environment


  • Palo Alto Firewalls
  • Supported PAN-OS
  • GlobalProtect Portal 
  • GlobalProtect Gateway
  • GlobalProtect App
  • Prisma Access Mobile Users


Answer


  1. A HIP match cannot itself be used to block/allow the GlobalProtect Gateway and Portal connection.
  2. A Host Information Profile (HIP) match isn't a prerequisite for a successful GlobalProtect portal and gateway tunnel connection.
  3. A HIP report is sent only after the tunnel has been established.
  4. HIP matches are only relevant for further policy matching.
  5. For example, if HIP is used in the security policy, that policy can allow/block connections to internal and external resources as configured.


Additional Information


There are other ways to block the GlobalProtect Portal and Gateway connection, such as:
  • User and Group
  • Certificate Profile
  • Windows Registry Key or macOS plist

