Hello,
I'm currently trying to restrict GlobalProtect users from logging into the Portal or Gateway with unauthorized devices.
In our setup, all devices that are allowed to connect (mobile, laptops, desktops, etc.) are listed in an Active Directory OU (as computer accounts).
I have been unable to find any information on how to configure this restriction in the official documentation or through online resources.
Is it possible to implement this limitation?
Thanks,
I created a restriction on domain membership.
Then you can use the HIP profile in the security rule to only allow traffic if they meet the criteria. Otherwise, they can connect but can't do anything.
Or, you can specify the registry key value for the domain and use it in the Portal config, so they can't get a config (meaning they can't connect) unless they have the domain set.
The domain check is not 100% secure because anyone can set their domain to yours and try to connect.
So depending on your needs, for more security, you could do certificate profiles to check each client cert of the connecting device. This would be under the Authentication tab of the portal and gateway. More info:
https://docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/authentication/set-up-client-certificate-authentication/deploy-machine-certificates-for-authentication
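The difference between the two approaches in the answer above (a HIP or registry-key domain check versus a certificate profile) comes down to what the firewall is actually verifying: a string the endpoint reports about itself, or a signature chain that only the enterprise CA could have produced. The following Go program is an added illustration and is not code from the original post or from Palo Alto Networks; it models both checks on constructed data. The domain name corp.example, the machine names, the CA name and the allow-list (a stand-in for the AD OU of computer accounts) are assumptions. The "rogue" certificate copies the legitimate machine's name but is self-signed, which is the self-reported-domain situation the answer warns about.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed example data (assumptions, not from the original post): the
// domain the firewall expects and the allow-list of machine names that
// stands in for the AD OU of computer accounts.
const corpDomain = "corp.example"

var allowedHosts = map[string]bool{
	"laptop01.corp.example":  true,
	"desktop07.corp.example": true,
}

// hipDomainCheck models the HIP / registry-key style check: the client
// reports its own domain and the firewall compares the string. Nothing
// ties the claim to anything the endpoint could not simply have typed in.
func hipDomainCheck(reportedDomain string) bool {
	return reportedDomain == corpDomain
}

// newKey returns a fresh P-256 key for a CA or a machine.
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// template builds a minimal certificate template; CA templates get the
// CertSign key usage so they can act as an issuer.
func template(cn string, isCA bool, serial int64) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
	}
	if isCA {
		t.IsCA = true
		t.KeyUsage |= x509.KeyUsageCertSign
	}
	return t
}

// issueCert signs tmpl with issuer/issuerKey. A nil issuer means self-signed,
// which is used both for the enterprise CA and for the rogue machine cert.
func issueCert(tmpl, issuer *x509.Certificate, key, issuerKey *ecdsa.PrivateKey) *x509.Certificate {
	if issuer == nil {
		issuer, issuerKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, issuerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// certProfileCheck models the certificate-profile check: the chain must end at
// the enterprise CA, the cert must be valid for client authentication, and the
// subject CN must be one of the allow-listed machines.
func certProfileCheck(clientCert *x509.Certificate, roots *x509.CertPool) (bool, error) {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := clientCert.Verify(opts); err != nil {
		return false, err // self-signed or foreign CA: rejected regardless of CN
	}
	if !allowedHosts[clientCert.Subject.CommonName] {
		return false, fmt.Errorf("machine %q not in allow-list", clientCert.Subject.CommonName)
	}
	return true, nil
}

// scenario holds the constructed enterprise CA and three machine certificates.
type scenario struct {
	roots    *x509.CertPool
	legit    *x509.Certificate // CA-issued, allow-listed machine
	unlisted *x509.Certificate // CA-issued, but not a computer account in the OU
	rogue    *x509.Certificate // self-signed copy of the legitimate machine's name
}

func buildScenario() scenario {
	caKey := newKey()
	ca := issueCert(template("Corp Issuing CA", true, 1), nil, caKey, nil)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return scenario{
		roots:    roots,
		legit:    issueCert(template("laptop01.corp.example", false, 2), ca, newKey(), caKey),
		unlisted: issueCert(template("contractor-pc.corp.example", false, 3), ca, newKey(), caKey),
		rogue:    issueCert(template("laptop01.corp.example", false, 4), nil, newKey(), nil),
	}
}

func main() {
	s := buildScenario()
	fmt.Println("domain check, legitimate client:", hipDomainCheck("corp.example"))
	fmt.Println("domain check, rogue client claiming the same domain:", hipDomainCheck("corp.example"))
	for name, c := range map[string]*x509.Certificate{"legit": s.legit, "unlisted": s.unlisted, "rogue": s.rogue} {
		ok, err := certProfileCheck(c, s.roots)
		fmt.Printf("cert profile, %s: ok=%v err=%v\n", name, ok, err)
	}
}
```

Both the legitimate and the rogue client pass hipDomainCheck because the input is the same string; only certProfileCheck separates them, and it also rejects a CA-issued certificate for a machine that is not on the allow-list, which is the closest analogue to "only computer accounts in this OU may connect".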