Palo Alto Networks Knowledgebase: How to Configure HIP for Missing Microsoft Patches

Created On 09/25/18 17:36 PM - Last Updated 09/25/18 23:10 PM
Categories:  User-ID

Solution:


Overview

This document explains how to configure a HIP check for missing Microsoft patches.

Note: GlobalProtect Client version 1.2.7 / 2.2.1 was used for the screenshots below.


Steps

  1. Configure Patch Management Criteria in the HIP object:
    1. Go to Object > GlobalProtect > HIP Objects
    2. Click "Add new HIP Object"
    3. Go to Patch Management > Criteria
      • Is Installed: This checkbox should always be enabled. It is not used to check whether a particular patch is installed.
      • Check: This setting applies only to the patches listed in the Patches box below. For example, if the "has-none" check is selected, the HIP object matches when the HIP report contains none of the patches listed in the Patches box.
      • Patches: To check for specific Microsoft KB patches, add the KB number(s) here. The box can also be left blank; with the check set to "has-any", the HIP object then matches whenever the HIP report shows any missing patches.
  2. Configure Patch Management Vendor in HIP object:
    1. Go to Object > GlobalProtect > HIP Objects
    2. Add new HIP Object
    3. Go to Patch Management > Vendor
  3. Configure HIP profile:
    1. Go to Object > GlobalProtect > HIP Profiles
    2. Click Add
    3. Configure the HIP profile by clicking "Add Match Criteria" button:
  4. Configure Security Policy and assign HIP profile
    1. Go to Policies > Security
    2. Click Add
    3. Go to User > HIP Profiles
    4. Select the configured HIP profile:
  5. Optionally: Configure HIP Notification
    1. Go to Network > GlobalProtect > Gateways > HIP Notification
    2. Click Add
    3. Select the HIP profile and configure the Match Message and Not Match Message tabs as required.
      On the GlobalProtect Client, view the host state information from the Host State tab:
      On the GlobalProtect client, missing patch information does not appear immediately after a fresh installation; it appears after one or two hours.


Troubleshooting on Client Device

  • Check HIP notification (View > HIP notification) for "Match Message" or "Not Match Message".
  • When the configuration is modified on the Palo Alto Networks device, disable and re-enable GlobalProtect (File > Disable, then File > Enable) so the client submits a fresh HIP report for verification.


Troubleshooting on the Palo Alto Networks Device

The following CLI commands show the HIP information for a particular client. (Note: <ip address> is the private IP assigned to the client by the GlobalProtect gateway, not its public IP.)

> debug user-id dump hip-profile-database

> debug user-id dump hip-report ip <ip address> user <user name> computer <computer name>

For example:

> show global-protect-gateway current-user

Tunnel Name : gateway-sv-N
Domain-User Name : xxxxx
Computer : xxxxxx
Client : xxxxx
VPN Type : Device Level VPN
Mobile ID :
Private IP : 172.23.60.7 <=== This ip address
Public IP : 201.247.44.57
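As an added example (not part of this article or of any Palo Alto Networks tooling), the following Python script parses the output of `show global-protect-gateway current-user` into one record per connected user and builds the `debug user-id dump hip-report` command shown above with that user's private IP, user name and computer name. The sample output is constructed to follow the field layout shown above; it also checks that the address used is in fact a private one, since the public IP will not match a HIP report.

```python
"""Build 'debug user-id dump hip-report' commands from 'show global-protect-gateway
current-user' output.

Added example; not part of the Palo Alto Networks article. SAMPLE_OUTPUT is constructed
to follow the field layout the article shows (Tunnel Name, Domain-User Name, Computer,
Client, VPN Type, Mobile ID, Private IP, Public IP); real output may carry more fields.
"""
import ipaddress
import re

# Constructed sample: two connected users, one record per blank-line-separated block.
SAMPLE_OUTPUT = """\
Tunnel Name : gateway-sv-N
Domain-User Name : example\\alice
Computer : ALICE-LAPTOP
Client : Microsoft Windows 10 Pro , 64-bit
VPN Type : Device Level VPN
Mobile ID :
Private IP : 172.23.60.7
Public IP : 203.0.113.45

Tunnel Name : gateway-sv-N
Domain-User Name : example\\bob
Computer : BOB-DESKTOP
Client : Microsoft Windows 10 Pro , 64-bit
VPN Type : Device Level VPN
Mobile ID :
Private IP : 172.23.60.8
Public IP : 198.51.100.12
"""

# "Field Name : value" -- the key is the shortest run of letters/spaces/hyphens before ' :'.
FIELD_RE = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z -]*?)\s*:\s*(?P<value>.*?)\s*$")


def parse_current_users(text):
    """Split the CLI output into records: one dict per connected user.

    A new record starts at every 'Tunnel Name' line; keys are the CLI field names.
    Empty fields (e.g. 'Mobile ID :') are kept with an empty string value.
    """
    records = []
    current = None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group("key"), m.group("value")
        if key == "Tunnel Name":
            current = {}
            records.append(current)
        if current is not None:
            current[key] = value
    return records


def private_ip_for(records, user):
    """Return the gateway-assigned private IP for one user (case-insensitive match).

    Raises ValueError if the address is not private, which catches the mistake of
    reading the Public IP field instead of the Private IP the HIP report is keyed on.
    """
    for r in records:
        if r.get("Domain-User Name", "").lower() == user.lower():
            ip = ipaddress.ip_address(r["Private IP"])
            if not ip.is_private:
                raise ValueError(f"{ip} is not a private address; use the Private IP field")
            return str(ip)
    return None


def hip_report_commands(records):
    """Return the per-user HIP report debug command from the article for every
    record that carries an IP, a user name and a computer name."""
    cmds = []
    for r in records:
        ip, user, computer = r.get("Private IP"), r.get("Domain-User Name"), r.get("Computer")
        if not (ip and user and computer):
            continue  # incomplete record: skip rather than emit a malformed command
        cmds.append(f"debug user-id dump hip-report ip {ip} user {user} computer {computer}")
    return cmds


if __name__ == "__main__":
    for cmd in hip_report_commands(parse_current_users(SAMPLE_OUTPUT)):
        print(cmd)
```

Paste the real `show global-protect-gateway current-user` output in place of the constructed sample; the generated commands are then run from the PAN-OS operational CLI as shown above.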


The following CLI commands show debug logs:

> debug user-id set hip all

> debug user-id on debug

> tail follow yes mp-log useridd.log


View the traffic logs and check the entries for rules configured with the HIP profile:



owner: ymiya**bleep**a
