How to Configure GlobalProtect for Custom Registry Check on Windows

Created On 12/22/21 20:43 PM - Last Modified 12/22/21 21:41 PM


Environment


  •  Palo Alto Networks firewall on PAN-OS 10.0+
  •  Existing GlobalProtect infrastructure
  •  Proper licensing 


Resolution


  • Configure GlobalProtect to check for the Windows registry key
  1.  Launch Regedit on the Windows endpoint and retrieve the registry key, value name and data you'll be using
Note: In our example we will be using the key HKEY_LOCAL_MACHINE\SOFTWARE\Intel\PSIS\PSIS_DECODER, the value name GraphFile and the data \\psistest.grf

Snapshot displaying the Windows Regedit dialog box
 
  2.  Within PAN-OS, navigate to Network > GlobalProtect > Portals > "Select Portal" > Agent > "Select Config"
Snapshot displaying the GlobalProtect Portal Configuration dialog box
 
  3.  After selecting the appropriate configuration, navigate to HIP Data Collection > Custom Checks > Windows and select "Add" under "REGISTRY KEY"
Snapshot displaying the GlobalProtect Portal HIP custom check dialog box within PAN-OS
 
  4.  Enter the registry key chosen earlier in the "Registry Key" field and the associated value in the "Registry Value" field, then select OK
Note: In our example, we're using the values selected in step 1
 
Snapshot displaying the GlobalProtect Portal HIP custom check dialog box within PAN-OS
 
  5.  Next, configure the HIP object that will be used to match against the endpoints by navigating to Objects > GlobalProtect > HIP Objects, select Add and then specify a name for the Object
Snapshot displaying the HIP Object Dialog Box within PAN-OS
 
  6.  Then select the "Custom Checks" tab, select the checkbox to enable custom checks, choose the Registry Key tab, and click Add
Snapshot displaying the HIP Object Dialog Box within PAN-OS
 
  7.  Specify the chosen registry key from step 1 in the Registry Key field, select Add, specify the key value and data in the appropriate fields as shown below, and then select OK
Snapshot displaying the HIP Object Dialog Box within PAN-OS
 
  8.  Now configure the HIP profile by navigating to Objects > GlobalProtect > HIP Profiles, select Add and provide a name
  9.  Then select "Add Match Criteria", choose the Object created in step 5, and then select OK
Snapshot displaying the HIP Profiles Dialog Box within PAN-OS
 
  10. Commit your changes
 
  • Verify the Endpoint matches the configured HIP profile
  1.  Upon a successful connection to GlobalProtect Portal and Gateway, we should see a match to our profile by navigating to Monitor > Logs > HIP Match and filtering by the appropriate user
Snapshot displaying the HIP Match logs within PAN-OS
 
  2.  You can also view this output via the CLI by issuing the following command: debug user-id dump hip-report computer <computer-name> user <username> ip <user-IP>
admin@PA-VM> debug user-id dump hip-report computer DESKTOP-PMINSSO user testuser ip 192.168.100.2

<?xml version="1.0" encoding="UTF-8"?>
<hip-report>
        <md5-sum>ecdf6c7058d9ec8b60c783c0a59d2bb1</md5-sum>
        <user-name>testuser</user-name>
        <domain>(empty_domain)</domain>
        <host-name>DESKTOP-PMINSSO</host-name>
        <host-id>30b6dc89-07d5-4bda-b946-9b28ad9eaefc</host-id>
        <ip-address>192.168.100.2</ip-address>
        <ipv6-address></ipv6-address>
        <generate-time>12/22/2021 12:14:23</generate-time>
        <hip-report-version>4</hip-report-version>
        <categories>
                <entry name="host-info">

<<<<<< OMITTED FOR BREVITY >>>>>>

        </categories>
        <custom-checks>
                <registry-key>
                        <entry name="HKEY_LOCAL_MACHINE\SOFTWARE\Intel\PSIS\PSIS_DECODER">
                                <exist>yes</exist>
                                <value></value>
                                <registry-value>
                                        <entry name="GraphFile">
                                                <exist>yes</exist>
                                                <value>\\psistest.grf</value>
                                        </entry>
                                </registry-value>
                        </entry>
                </registry-key>
        </custom-checks>
</hip-report>
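When troubleshooting why an endpoint does or does not match the HIP profile, it helps to evaluate the registry-key custom check against the raw HIP report rather than reading the XML by eye. The script below is an added example and not Palo Alto Networks code: it takes the XML portion of the "debug user-id dump hip-report" output (the prompt line stripped), locates the registry key and value name configured in step 1, and reports whether the key exists, whether the value exists, and whether the reported data equals what the HIP object expects. The embedded report is a constructed sample shaped like the output above with host-info omitted; key paths and value names are compared case-insensitively because the Windows registry treats them that way, while the data is compared exactly, which mirrors the fact that a stray character in the HIP object's data field will silently produce a non-match.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample report (hypothetical), shaped like the output of
# "debug user-id dump hip-report" shown above, with host-info omitted.
SAMPLE_REPORT = r"""<?xml version="1.0" encoding="UTF-8"?>
<hip-report>
    <user-name>testuser</user-name>
    <host-name>DESKTOP-PMINSSO</host-name>
    <ip-address>192.168.100.2</ip-address>
    <categories></categories>
    <custom-checks>
        <registry-key>
            <entry name="HKEY_LOCAL_MACHINE\SOFTWARE\Intel\PSIS\PSIS_DECODER">
                <exist>yes</exist>
                <value></value>
                <registry-value>
                    <entry name="GraphFile">
                        <exist>yes</exist>
                        <value>\\psistest.grf</value>
                    </entry>
                </registry-value>
            </entry>
        </registry-key>
    </custom-checks>
</hip-report>
"""


@dataclass
class RegistryCheckResult:
    key_found: bool             # key entry present with <exist>yes</exist>
    value_found: bool           # named value present with <exist>yes</exist>
    actual_data: Optional[str]  # data the agent reported, or None
    matches: bool               # True only when key, value and data all agree


def _is_yes(elem: Optional[ET.Element], tag: str) -> bool:
    """True if the child <tag> of elem reads 'yes' (the agent's flag format)."""
    return elem is not None and (elem.findtext(tag) or "").strip().lower() == "yes"


def check_registry_custom_check(report_xml: str, key: str, value_name: str,
                                expected_data: str) -> RegistryCheckResult:
    """Evaluate one registry-key custom check against a HIP report."""
    root = ET.fromstring(report_xml.encode("utf-8"))
    # Registry key paths and value names are case-insensitive on Windows,
    # so compare them case-insensitively; the data itself is compared exactly.
    key_entry = next(
        (e for e in root.findall("./custom-checks/registry-key/entry")
         if e.get("name", "").lower() == key.lower()),
        None,
    )
    if not _is_yes(key_entry, "exist"):
        return RegistryCheckResult(False, False, None, False)
    value_entry = next(
        (v for v in key_entry.findall("./registry-value/entry")
         if v.get("name", "").lower() == value_name.lower()),
        None,
    )
    if not _is_yes(value_entry, "exist"):
        return RegistryCheckResult(True, False, None, False)
    data = value_entry.findtext("value") or ""
    return RegistryCheckResult(True, True, data, data == expected_data)


def list_registry_checks(report_xml: str) -> List[Tuple[str, str, bool, str]]:
    """Flatten every registry-key custom check in the report into
    (key, value name, exists, data) rows; the key itself gets a row with
    an empty value name so a missing key is visible at a glance."""
    root = ET.fromstring(report_xml.encode("utf-8"))
    rows: List[Tuple[str, str, bool, str]] = []
    for key_entry in root.findall("./custom-checks/registry-key/entry"):
        key = key_entry.get("name", "")
        rows.append((key, "", _is_yes(key_entry, "exist"), key_entry.findtext("value") or ""))
        for v in key_entry.findall("./registry-value/entry"):
            rows.append((key, v.get("name", ""), _is_yes(v, "exist"), v.findtext("value") or ""))
    return rows


if __name__ == "__main__":
    # Same key, value name and data as the HIP object configured in step 7.
    result = check_registry_custom_check(
        SAMPLE_REPORT,
        r"HKEY_LOCAL_MACHINE\SOFTWARE\Intel\PSIS\PSIS_DECODER",
        "GraphFile",
        r"\\psistest.grf",
    )
    print(result)
    for row in list_registry_checks(SAMPLE_REPORT):
        print(row)
```

In practice, paste the XML from the CLI into a file and pass its contents to check_registry_custom_check with the exact key, value name and data entered in the HIP object; a result with key_found and value_found but matches False points at the data field, while key_found False means the agent never saw the key on the endpoint.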
 
  •  Use the HIP profile in the Security Policy
  1.   After you've confirmed the endpoint successfully matches the object, you can add this to your preferred Security policy rule by navigating to Policies > Security > "Select security policy" > Source > Source Device > Select Add and then choose the HIP profile configured in step 8
Snapshot displaying the HIP profile being added to a security policy within PAN-OS
 


    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000004MdYCAU&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail