HEX Objects in Global Protect HIP Custom Check Values


Created On 08/18/20 00:02 AM - Last Modified 07/11/25 20:05 PM


Question


  • Can a Global Protect HIP policy check registry binary/hex data and take an appropriate action based on it?


Environment


  • FW PAN-OS 9.1 and above
  • Global Protect Client 5.1.x and above


Answer


  • Resolution: Currently, the HIP custom check does not support collecting binary/hex registry data; this is by design.

Sample environment test results:

<entry name="HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters">
    <exist>yes</exist>
    <value></value>
    <registry-value>
        <entry name="BinaryTest">
            <exist>yes</exist>
            <value></value>                 <+++ no value for Binary
        </entry>
        <entry name="QwordTest">
            <exist>yes</exist>
            <value></value>                 <+++ no value for Q-Word
        </entry>
        <entry name="MultiStringTest">
            <exist>yes</exist>
            <value></value>                 <+++ no value for Multi String
        </entry>
        <entry name="DWordTest">
            <exist>yes</exist>
            <value>4660</value>             <+++ D-Word printed as a decimal value (even though the value was set in hex: 0x1234)
        </entry>
        <entry name="ExpandStringTest">
            <exist>yes</exist>
            <value></value>                 <+++ no value for Expand String
        </entry>
        <entry name="StringTest">
            <exist>yes</exist>
            <value>String-1234</value>      <+++ String value printed as-is
        </entry>
    </registry-value>
</entry>
 
  • As the HIP Report above shows, a value is returned only for (i) String type registry values and (ii) D-Word registry values, and the D-Word is reported in decimal even when it was configured in hex. 
  • For a registry value of type Binary, the check does not pull the data; it only reports whether the value exists. 
  • All of the registry values above were populated on the client machine; GP collected the data shown for them in the HIP Report. 

 

Workaround: configure only the name of the Registry Value in the HIP object and leave its Value Data empty, as shown in the screenshot.

 

  • With this configuration, any client that reports <exist>yes</exist> for this registry value in its HIP Report (as below) will match the HIP Object above, regardless of the binary data stored in the value.
<registry-value>
    <entry name="BinaryTest">
        <exist>yes</exist>
        <value></value>
    </entry>
</registry-value>
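To make the two points above concrete (which entries in a HIP Report carry comparable data, and what Value Data to enter for a D-Word configured in hex), here is an added example, not code from the article or from Palo Alto Networks. The report fragment is constructed to mirror the sample above; the function names are the example's own.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the HIP Report fragment in this article
# (not a capture from a real endpoint).
SAMPLE_HIP_FRAGMENT = """
<entry name="HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\Tcpip\\Parameters">
  <exist>yes</exist>
  <value></value>
  <registry-value>
    <entry name="BinaryTest"><exist>yes</exist><value></value></entry>
    <entry name="DWordTest"><exist>yes</exist><value>4660</value></entry>
    <entry name="StringTest"><exist>yes</exist><value>String-1234</value></entry>
    <entry name="MissingTest"><exist>no</exist><value></value></entry>
  </registry-value>
</entry>
"""


def classify_registry_values(xml_text):
    """Map each registry value name in a HIP Report key entry to one of:
    'absent'          - <exist>no</exist>: a "Key does not exist" / Negate check can match it
    'existence-only'  - exists but <value> is empty (Binary, Q-Word, Multi/Expand String):
                        only a name-without-data HIP object can match, as in the workaround
    'comparable'      - exists with data (String, D-Word): Value Data can be compared
    """
    root = ET.fromstring(xml_text.strip())
    result = {}
    for entry in root.find("registry-value").findall("entry"):
        name = entry.get("name")
        exists = (entry.findtext("exist") or "").strip() == "yes"
        value = (entry.findtext("value") or "").strip()
        if not exists:
            result[name] = "absent"
        elif value == "":
            result[name] = "existence-only"
        else:
            result[name] = "comparable"
    return result


def hip_dword_value_data(configured):
    """Return the D-Word as HIP reports it: a decimal string.
    Accepts the value as set in the registry editor, e.g. '0x1234' or '4660'."""
    text = str(configured).strip().lower()
    number = int(text, 16) if text.startswith("0x") else int(text, 10)
    return str(number)


if __name__ == "__main__":
    for name, status in classify_registry_values(SAMPLE_HIP_FRAGMENT).items():
        print(f"{name}: {status}")
    print("Value Data to enter for 0x1234:", hip_dword_value_data("0x1234"))
```

Entries classified as existence-only are the ones for which a HIP object with Value Data configured will never match; only the name-only workaround applies to them.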


Additional Information


For Windows endpoints only: 

 

1. To check Windows endpoints for a specific registry key, select Custom Checks > Registry Key, and then Add the registry key to match. When prompted, enter the Registry Key and then configure one of the following options:

  •  To match on the default value data for the registry key, enter the (Default) Value Data.
  •  To match endpoints that do not have the specified registry key, select Key does not exist or match the specified value data.

 

2.  To match on specific values within the registry key, select Custom Checks > Registry Key, and then Add the registry key to match. When prompted, enter the Registry Key. Click Add and then configure one of the following options:

  •  To match on specific values within the registry key, enter the Registry Value and corresponding Value Data.
  •  To match endpoints that do not have a specified registry value, enter the Registry Value and then select the Negate check box.

 

Click OK to save the HIP object. You can Commit the changes to view the data in the HIP Match logs at the next device check-in.



    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HAPRCA4&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail