How to check HIP certificate information on GlobalProtect app and firewall

Created On 04/15/21 17:41 PM - Last Modified 01/09/26 21:21 PM


Objective


This article explains how the HIP certificate check works when a self-signed CA certificate is used to issue the machine certificate.



Environment


  • Palo Alto Firewalls
  • Supported PAN-OS versions
  • Supported GlobalProtect (GP) App versions
  • GlobalProtect Portal with "Certificate Profile for HIP Processing" enabled
  • HIP object/profile with HIP Certificate check enabled


Procedure


  1. The self-signed CA certificate and the machine certificate can be deployed using this article.
    • The machine certificate was created with Subject/Common Name (CN) set to windows.machine
    • The certificate was exported as Encrypted Private Key and Certificate (PKCS12)

[Screenshot: Certificate Management on Firewall]

  2. Configure GlobalProtect using this article.

[Screenshot: Portal-Agent-Config]

  3. Configure the Certificate Profile "TGP" and reference it under HIP Data Collection:

GUI: Network > GlobalProtect > Portals > [portal name] > Agent > Configs > Hip Data Collection > Certificate Profile for HIP processing

[Screenshot: HIP Data Collection Config]

  4. Import the machine certificate under the Personal folder of the Local Computer store:

[Screenshot: Windows Local Machine Store]

  5. Configure the HIP object with Certificate check enabled and reference the Certificate Profile "TGP":

[Screenshot: HIP Object Certificate Check]

  6. Once the user successfully connects to GlobalProtect, the certificate information can be viewed on the firewall and in the GP app:
    • GUI: Monitor > Logs > HIP Match

[Screenshot: HIP report in HIP Match log]

    • Host Information Profile on GP app

[Screenshot: GP app HIP tab]
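The certificate material used in steps 1 and 4 (a self-signed CA, a machine certificate with CN windows.machine issued by that CA, and the PKCS12 export that is imported into the Local Computer store) can be reproduced with OpenSSL. The script below is an added example, not part of the Palo Alto article; the CA name HIP-Demo-CA, the file names and the export password are assumptions. The verify function mirrors what the certificate profile does during HIP processing: the machine certificate presented by the endpoint must chain to a CA in the profile, so a certificate that carries the expected CN but was issued by an unrelated CA still fails the check.

```shell
#!/bin/sh
# Added example (not from the Palo Alto article). Builds the certificates the
# HIP certificate check relies on and verifies the chain the way the firewall's
# certificate profile does. CA name, file names and password are assumptions.
set -e
command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }

# Create CA, machine key/CSR, CA-signed machine cert and PKCS12 bundle in $1.
make_hip_certs() {
    dir="$1"
    # 1. Self-signed CA: this is the certificate that goes into the firewall's
    #    certificate profile "TGP" referenced under HIP Data Collection.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=HIP-Demo-CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # 2. Machine key and CSR with the CN used in the article.
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=windows.machine" \
        -keyout "$dir/machine.key" -out "$dir/machine.csr" 2>/dev/null
    # 3. The CA signs the machine CSR.
    openssl x509 -req -in "$dir/machine.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -days 365 -out "$dir/machine.crt" 2>/dev/null
    # 4. Export as encrypted private key + certificate (PKCS12); this bundle is
    #    what gets imported under Local Computer > Personal on the endpoint.
    #    The password is a placeholder.
    openssl pkcs12 -export -inkey "$dir/machine.key" -in "$dir/machine.crt" \
        -certfile "$dir/ca.crt" -name "windows.machine" \
        -passout pass:ChangeMe123 -out "$dir/machine.p12"
}

# A self-signed certificate with the same CN but no relation to the profile's
# CA: the name matches, yet the chain check fails.
make_unrelated_cert() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=windows.machine" \
        -keyout "$dir/unrelated.key" -out "$dir/unrelated.crt" 2>/dev/null
}

# Print OK when certificate $2 chains to CA $1, FAIL otherwise.
# This is the check the certificate profile performs on the HIP report.
verify_machine_cert() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# Print the subject of a certificate (the value shown in the HIP Match log
# and in the GP app's Host Information Profile tab).
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}
```

Typical use is `d=$(mktemp -d); make_hip_certs "$d"; verify_machine_cert "$d/ca.crt" "$d/machine.crt"`, which prints OK, while `make_unrelated_cert "$d"; verify_machine_cert "$d/ca.crt" "$d/unrelated.crt"` prints FAIL even though `cert_cn` reports CN=windows.machine for both.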



https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000sY2xCAE&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail