How to configure HIP Object and HIP Profile for matching and not matching the condition and apply them to Security rules.
57651
Created On 07/27/19 02:36 AM - Last Modified 01/09/20 22:07 PM
Objective
How to configure HIP Object, HIP Profile for matching, and finally the "NOT" matching condition and then apply them to Security rules.
Environment
- PanOS 8.0
- PanOS 8.1
- PanOS 9.0
Procedure
1. Go to HIP object and click add at the bottom. Then create a HIP object for the desired application as the example below:
- Then create the HIP profiles, First profile to match the installed HIP object and second profile to not match the installed. HIP Object.
- Go to HIP Profile and click add, then select the HIP Object created above and name the profile as you desire.
- Go to HIP Profile and click add, then select the same object as above, but this time check the box for NOT condition. Name the profile as you desire.
- Now you have created two HIP profile for the same HIP Object with the "is installed" condition.
- Now you can add firewall Security rules and apply the HIP profile to allow or deny traffic. From the example below the security rule "Allow HIP" is to allow traffic, so you add the HIP profile "Match-if-installed" and for security rule to deny the traffic you apply the "Match-if-not-installed", as it will match the condition of the software not installed.
- With above setup if the client machine has the appropriate application installed, it should match the first rule, and if the appropriate application is not installed, then it should deny the traffic.