>
    Redistribute HIP Information with Prisma Access
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma
    3. Prisma Access
    4. Redistribute HIP Information and View HIP Reports
    5. Redistribute HIP Information with Prisma Access
    Download PDF

    Redistribute HIP Information with Prisma Access

    Table of Contents

    Redistribute HIP Information with Prisma Access

    Configure Prisma Access to redistribute HIP reports within your enterprise.
    To ensure consistent Host Information Profile (HIP) policy enforcement and to simplify policy management, you can redistribute HIP information received from mobile users and users at remote networks that use the GlobalProtect app from Prisma Access to other gateways, firewalls, and Panorama appliances in your enterprise, including the Panorama that manages Prisma Access. To do so, you enable and configure HIP redistribution in Prisma Access.

    HIP Redistribution Overview

    When a mobile user whose endpoint has the GlobalProtect app installed connects to Prisma Access, Prisma Access collects the user’s HIP information from the endpoint’s GlobalProtect app, which makes the HIP report available in Prisma Access.
    To use HIP redistribution, users must have the GlobalProtect app installed on their endpoint. While Prisma Access supports Clientless VPN, you cannot redistribute HIP information for Clientless VPN users.
    HIP redistribution is applicable to both mobile users and users at remote networks. However, for users at remote networks, an on-premises gateway must detect that the user is internal to the organization’s network using internal host detection before the on-premises gateway can send HIP information to Prisma Access.
    In Prisma Access, you configure internal host detection when you configure your mobile user deployment.
    To assure consistent policy enforcement, you can use HIP redistribution to allow Prisma Access to distribute users’ HIP information to other Panorama appliances, gateways, firewalls, and virtual systems in your deployment, as well as distribute HIP information from those devices to Prisma Access in some cases. This ability allows you to consistently apply HIP-based policy enforcement for users’ traffic, including policies for internet-bound traffic or for traffic that is accessing an internal application or resource in your organization’s headquarters or data center. Redistributing HIP information to the Panorama appliance also lets you view detailed HIP information for Prisma Access users from that appliance.

    Use Cases for HIP Redistribution

    The following section describes some common Prisma Access deployments where HIP redistribution is useful for consistent policy enforcement and HIP report viewing.
    • HIP redistribution from Prisma Access to a next-generation firewall
      —If you have a next-generation firewall in your organization’s data center or headquarters location, and have configured that firewall with HIP-based security policies, you cannot enforce those policies for Prisma Access mobile users until you redistribute HIP redistribution from Prisma Access to the firewall.
      The following figure shows a mobile user whose endpoint is protected with the GlobalProtect app. The user attempts to access an internal app at an HQ/data center whose access is controlled by a next-generation firewall with HIP-based security policies. When the user logs in to the GlobalProtect app, the app collects HIP information and sends it to Prisma Access; however, Prisma Access does not redistribute this information to the on-premises firewall. Since the firewall does not have the user’s HIP information, it blocks the user’s access to the app.
      HIP redistribution allows you to distribute the mobile users’ HIP information to the on-premises firewall. The firewall can then check the user’s HIP information against its configured security policies and grant the user access to the app.
      To redistribute HIP information from Prisma Access to the firewall, you allow Prisma Access to redistribute HIP information, then
      Add
       a
      User-ID Agent
       (
      Panorama
      User Identification
      User-ID Agents
       for 9.1.
      x
       Panorama appliances or
      Panorama
      Data Redistribution
       for Panorama 10.
      x
       appliances) on the firewall, and specify the Prisma Access
      User-ID Agent Address
       (
      Panorama
      Cloud Services
      Status
      Network Details
      Service Connection
      User-ID Agent Address
      ) as the
      Host
       (10.1.1.1 in the following example) and
      5007
       as the
      Port
      .
    • HIP redistribution from Prisma Access to Panorama
      —If you have multiple firewalls or gateways in your organization with HIP-based security policies, you can redistribute the HIP information from Prisma Access to the Panorama that manages Prisma Access by creating a User-ID agent in Panorama and specifying the Prisma Access
      User-ID Agent Address
       as the User-ID
      Host
      . You can then redisribute HIP reports from that Panorama appliance to the other managed Panorama appliances, gateways, firewalls, and virtual systems in your enterprise, using the same workflow that you use to redistribute User-ID information to managed firewalls and enforce consistent policy for internal apps and resources, as shown in the following figure.
      Alternatively, you can configure each internal firewall or gateway in your enterprise to directly collect HIP information from Prisma Access, without using Panorama as a central location, by creating a User-ID Agent in each device. Note, however, that Prisma Access uses service connections to send HIP information, and service connection bandwidth consumption might increase if Prisma Access sends a large number of HIP reports.
    • HIP redistribution from a user at a remote network to Prisma Access
      —The previous use cases showed Prisma Access collecting HIP information from mobile users. If you want to apply HIP-based policies in Prisma Access for a user at a remote network location, you need a way to distribute the HIP information from the remote network user’s GlobalProtect app to Prisma Access.
      The following example shows a user at a remote network location whose internet access is located on the remote network connection. In Prisma Access, you control the user’s internet access at the remote network location with security policies created in the
      Remote_Network_Device_Group
       or in a shared device group. To properly enforce the policies at the remote network location for the user, you need to configure Prisma Access to retrieve the user’s HIP information from the internal gateway.
      In this example, the GlobalProtect gateway at the HQ/data center that is configured as an internal gateway using internal host detection checks the user’s HIP information from the user’s GlobalProtect app. The internal gateway detects that the user is inside the remote network location and collects both User-ID and HIP information from the user.
      To distribute this HIP information from the internal gateway to Prisma Access, create a User-ID agent in Panorama and specify the IP address of the internal gateway as the host.
    • —When mobile users log in using the GlobalProtect app, the app sends the HIP information to Prisma Access. Panorama retrieves the log results from Cortex Data Lake to view the results of the HIP Match logs (
      Monitor
      Logs
      HIP Match
      ); however, you cannot view detailed HIP reports until you configure Panorama to redistribute HIP report details from Prisma Access to Panorama.
      To redistribute detailed HIP information from mobile users to Panorama, create a User-ID agent in Panorama and specify the
      User-ID Agent Address
       (
      Panorama
      Cloud Services
      Status
      Network Details
      Service Connection
      User-ID Agent Address
      ) as the User-ID host. See Configure HIP Redistribution in Prisma Access for details.
      If you have configured an on-premises gateway as an internal gateway at a remote user location, you can also send the HIP information for users at remote networks to Panorama by creating a User-ID agent in Panorama and specifying the remote network
      EBGP Router
       address (
      Panorama
      Cloud Services
      Status
      Network Details
      Remote Networks
      EBGP Router
      ) as the User-ID host. See Configure HIP Redistribution in Prisma Access for details.

    Configure HIP Redistribution in Prisma Access

    To allow Prisma Access to collect and redistribute HIP information, complete the following task.
    1. Allow Prisma Access to redistribute HIP information.
      1. In Panorama, select
        Panorama
        Cloud Services
        Configuration
        Service Setup
        .
      2. Click the gear icon to edit the settings.
      3. In the
        Advanced
         tab, select
        Enable HIP Redistribution
        .
        Enabling HIP Redistribution enables Prisma Access to redistribute the HIP reports received from the GlobalProtect app to internal firewalls and to Panorama.
    2. Configure Panorama to receive HIP reports from Prisma Access.
      1. Select
        Panorama
        Setup
        Interfaces
        .
      2. Select the
        Management
         interface.
      3. Select
        User-ID
        .
    3. Configure Panorama to collect the User-ID mapping from Prisma Access.
      1. From the Panorama that manages Prisma Access, select
        Panorama
        User Identification
        User-ID Agents
         (for 9.1.
        x
         Panorama appliances) or
        Panorama
        Data Redistribution
        Agents
         (for Panorama 10.
        x
         appliances).
      2. Add
         a User-ID Agent and give it a
        Name
        .
      3. Enter one of the following values in the
        Host
         field, depending on the types of HIP information you want to collect.
        • To collect HIP information for mobile users, enter the
          User-ID Agent Address
           (
          Panorama
          Cloud Services
          Status
          Network Details
          Service Connection
          User-ID Agent Address
          ).
        • To collect HIP information from users at a remote network locations with an internal gateway, enter the IP address of the internal gateway.
        • To collect HIP information from users are a remote network connection, enter the
          EBGP Router
           address (
          Panorama
          Cloud Services
          Status
          Network Details
          Remote Networks
          EBGP Router
           as the User-ID host.
      4. Enter
        5007
         in the port field.
        By default, the User-ID agent uses port 5007 to listen for HIP information requests.
        Make sure that your network does not block access to this port between Prisma Access and the Active Directory server or User-ID Agent.
      5. Select
        Enabled
         to enable Panorama to communicate with the User-ID agent.
      6. Select either
        HIP
         (for 10.
        x
         Panorama appliances) or
        HIP Report
         (for 9.1.
        x
         Panorama appliances) to enable Panorama to receive HIP reports from all mobile user locations.
      7. Click
        OK
        .
    4. Repeat Step 3 for each service connection to which you want to configure HIP report collection.

    Recommended For You

    © 2023 Palo Alto Networks, Inc. All rights reserved.