Configuration for hip-profile match for GlobalProtect client and patch management

Configuration for hip-profile match for GlobalProtect client and patch management

48025
Created On 09/26/18 20:46 PM - Last Modified 02/04/21 00:13 AM


Environment
  •  Palo Alto Networks Firewall 
  •  Windows, Linux, or macOS endpoint
  •  Existing GlobalProtect infrastructure 


Resolution

The objective of this configuration is to allow GlobalProtect connected users access to the network based on whether they have all patches installed on their Windows host. The hip-profile is associated to a security-policy to allow access, and any missing patches will result in deny of access. 

Note: The example configuration creates 2 hip-objects, the first looks for patch severity level greater than zero. The second looks for severity level zero. The two hip-objects are associated to a single hip-profile with 'and' and 'not' condition for each hip-object.

 

  • Example HIP configuration done via the CLI
> configure

# set vsys vsys1 rulebase security rules Trust-Intrust-PING-Allow hip-profiles hip-prof-1
# set vsys vsys1 rulebase security rules Trust-Intrust-PING-Deny hip-profiles any
# set vsys vsys1 profiles hip-objects hip-obj-sev-over-0 patch-management criteria missing-patches check has-none
# set vsys vsys1 profiles hip-objects hip-obj-sev-over-0 patch-management criteria missing-patches severity greater-than 0
# set vsys vsys1 profiles hip-objects hip-obj-sev-over-0 patch-management criteria is-installed yes
# set vsys vsys1 profiles hip-objects hip-obj-sev-over-0 patch-management exclude-vendor no
# set vsys vsys1 profiles hip-objects hip-obj-sev-0 patch-management criteria missing-patches check has-none
# set vsys vsys1 profiles hip-objects hip-obj-sev-0 patch-management criteria missing-patches severity is 0
# set vsys vsys1 profiles hip-objects hip-obj-sev-0 patch-management criteria is-installed yes
# set vsys vsys1 profiles hip-objects hip-obj-sev-0 patch-management exclude-vendor no
# set vsys vsys1 profiles hip-profiles hip-prof-1 match 'not "hip-obj-sev-over-0" and not "hip-obj-sev-0"'

 

  • Example HIP configuration done via the CLI
  1.  Create the first hip-object by navigating to Objects > GlobalProtect > HIP Objects > Select "Add"

hip object

  1.  Define the parameters for severity level greater than zero for the "Patch Management" tab and select OK once finished

severity

 

  1.  Create the second hip-object by selecting "Add"

hip object

 

  1.  Define the parameters for severity level equal to zero for the "Patch Management" tab

hip profile

 

  1.  Associate the 2 hip-objects to a single hip-profile with “AND NOT” conditions by navigating to Objects > GlobalProtect > HIP Profiles > Select “Add”

hip profile

 

Note: If you wish to allow patches of severity level zero to be ignored, do not include the hip-object named “hip-obj-sev-0” in the hip-profile.

 

  1.  Create a security-policy to allow access.

security policy

 

  1.  Associate the single hip-profile to the security-policy.

security policy

 

  •  Possible Troubleshooting Ideas:
  1. Review the hipmatch log from the WebUI and identify which hip-objects are matched
  2. Review the attributes of each matched hip-object to determine accuracy.

 

  • Moving on to debug commands:
> debug user-id dump hip-profile-database entry
> debug user-id dump hip-report computer <computer-name> ip <global-protect-assigned-ip> user <username>

 

  • To gain greater visibility, the hip debugs can be enabled via the CLI commands below. The messages are printed to the 'useridd.log' file.
> debug user-id set hip all
> debug user-id on debug
> tail follow yes mp-log useridd.log

 

Note: The example below shows the hip-object evaluation in the useridd.log. After the initial evaluation, at 22:11:55.219 the <hip-notification> message is sent to the client, reflecting a match.

2016-03-01 22:11:55.219 -0800 debug: pan_hip_obj_evaluate_report(pan_hip_obj.c:3121): evaluating obj 'hip-obj-sev-over-0' for report 'TEMPLATE-PC'
2016-03-01 22:11:55.219 -0800 debug: pan_hip_obj_category_evaluate_report_xml(pan_hip_obj.c:2581): validating category 'patch-management' from report 'TEMPLATE-PC'
2016-03-01 22:11:55.219 -0800 debug: pan_hip_obj_category_evaluate_node(pan_hip_obj.c:2548): match 0 check is not passed
2016-03-01 22:11:55.219 -0800 debug: pan_hip_obj_simple_evaluate_report(pan_hip_obj.c:3095): category 'patch-management' evaluate failed for 'TEMPLATE-PC'
2016-03-01 22:11:55.219 -0800 debug: pan_hip_obj_evaluate_report(pan_hip_obj.c:3132): obj 'hip-obj-sev-over-0' for report 'TEMPLATE-PC' evaluated : 0
2016-03-01 22:11:55.219 -0800 debug: pan_hip_evaluate_report(pan_hip.c:1255): customer report evaluation : 0x2
2016-03-01 22:11:55.219 -0800 debug: pan_hip_evaluate_report(pan_hip.c:1276): for hip report 'TEMPLATE-PC', notification: <hip-notification>
       <entry name="hip-prof-1"><value>1</value><message>&lt;b&gt;​HIP MATCHES !!!!!!&lt;/b&gt;</message><show-notification-as>pop-up-message</show-notification-as></entry>
2016-03-01 22:11:55.219 -0800 debug: pan_hip_evaluate_report(pan_hip.c:1291): for hip report 'TEMPLATE-PC', notification: <hip-notification>
       <entry name="hip-prof-1"><value>1</value><message>&lt;b&gt;​HIP MATCHES !!!!!!&lt;/b&gt;</message><show-notification-as>pop-up-message</show-notification-as></entry>

 



Additional Information
  • Note: All hip-objects created on the firewall are evaluated regardless of association to a hip-profile. The final action is taken based on the hip-object contained in the hip-profile. This also implies the hip-match log will reflect any hip-object that matches its criteria regardless of the action of the security-policy associated to the hip-profile to allow or deny network access.
 
​​​​​​


Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm5WCAS&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments
Choose Language