Portal Configuration Assignment and HIP-Based Access Control Using New Endpoint Attributes

You can now deploy different configurations for managed endpoints and unmanaged endpoints from a single GlobalProtect portal or gateway.
Software Support: PAN-OS® 9.0 and later releases
To identify the managed status of an endpoint, GlobalProtect portals and gateways can use any of the following information:
  • The endpoint's machine certificate: The GlobalProtect portal and gateway can determine whether an endpoint is managed or unmanaged by verifying that the endpoint's machine certificate matches the certificate profile that you configure for your portal or gateway. For a successful match, the machine certificate must be signed and issued by the CA certificate and, optionally, the template that you configure in the certificate profile. In addition, the gateway can identify the endpoint status based on the presence of specific attributes in the endpoint's machine certificate.
  • Presence of the endpoint serial number in Active Directory or Azure AD: The GlobalProtect portal and gateway can determine whether an endpoint is managed or unmanaged by verifying the presence of the endpoint serial number in Active Directory or Azure AD. If an endpoint is managed, you can bind the serial number of the endpoint to the machine account of the endpoint in your directory server (such as Active Directory). The firewall can then pre-fetch the list of endpoint serial numbers by retrieving group mapping information from the directory server. When a user attempts to establish a GlobalProtect connection, the GlobalProtect app sends the serial number of the connecting endpoint to the portal or gateway to match against the list of serial numbers on the firewall. If the serial number exists in the list, the endpoint is managed; if it does not, the endpoint is unmanaged.
  • Specific software and settings that are required for managed endpoints: The GlobalProtect portal and gateway can determine whether an endpoint is managed or unmanaged by verifying the presence of specific software and app settings on the endpoint, as defined in the Windows Registry or the macOS plist.
Based on these endpoint attributes, the portal pushes the associated configuration to the endpoint (for example, Always On VPN for managed endpoints and Remote Access VPN for unmanaged endpoints), and gateways enforce specific HIP-based security policies for fine-grained access control.
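The decision the portal makes above, written out as an added Python illustration (this is not PAN-OS or GlobalProtect code; the data model, the policy fields and the sample serials and registry key are assumptions constructed for the demo). Any one of the three checks marks the endpoint as managed; an endpoint that matches none is treated as unmanaged, which is the safe default for selecting the more restricted Remote Access configuration.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class Endpoint:
    """Attributes the GlobalProtect app / TLS handshake present to the portal or gateway."""
    serial: Optional[str] = None                   # endpoint serial number sent by the app
    cert_issuer: Optional[str] = None              # issuer CN of the machine certificate
    cert_attrs: Dict[str, str] = field(default_factory=dict)  # certificate extensions/attributes
    present_keys: Set[str] = field(default_factory=set)       # registry / plist keys found on host


@dataclass
class PortalPolicy:
    """What the administrator configured on the portal (assumed model)."""
    trusted_ca: str                                # CA in the certificate profile
    template_oid: Optional[str] = None             # optional template required in the certificate
    managed_serials: Set[str] = field(default_factory=set)  # pre-fetched from the directory server
    required_keys: Set[str] = field(default_factory=set)    # software/settings expected on managed hosts


def _norm(serial: str) -> str:
    # Serial formatting differs between BIOS, directory and app; compare canonically.
    return "".join(serial.split()).upper()


def is_managed(ep: Endpoint, pol: PortalPolicy) -> Tuple[bool, str]:
    """Return (managed, reason). A trusted CA alone is not enough when a template is required."""
    if ep.cert_issuer == pol.trusted_ca and (
        pol.template_oid is None or pol.template_oid in ep.cert_attrs
    ):
        return True, "machine certificate matches certificate profile"
    if ep.serial and _norm(ep.serial) in {_norm(s) for s in pol.managed_serials}:
        return True, "serial number bound to a machine account in the directory"
    if pol.required_keys and pol.required_keys <= ep.present_keys:
        return True, "required software/settings present"
    return False, "no managed-endpoint attribute matched"


def config_for(ep: Endpoint, pol: PortalPolicy) -> str:
    """Portal-side selection: Always On for managed, Remote Access for unmanaged."""
    return "always-on-vpn" if is_managed(ep, pol)[0] else "remote-access-vpn"


# Constructed sample policy (not from the page). 1.3.6.1.4.1.311.21.7 is the Microsoft
# certificate-template extension OID; the CA name, serials and key are made up.
DEMO_POLICY = PortalPolicy(
    trusted_ca="Corp-Device-CA",
    template_oid="1.3.6.1.4.1.311.21.7",
    managed_serials={"ABC123XYZ", "DEF456UVW"},
    required_keys={"HKLM\\SOFTWARE\\ExampleCorp\\Managed"},
)
```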
Refer to the following sections for more information on identification and policy enforcement for managed and unmanaged endpoints:
