How to Configure HIP for Missing Microsoft Patches

68269
Created On 09/25/18 17:36 PM - Last Modified 05/05/20 22:07 PM


Symptom

This document explains how to configure a HIP check that detects missing Microsoft patches on GlobalProtect endpoints, so that security policy can be applied to hosts that are not fully patched.

Environment

  • GlobalProtect
  • PAN-OS

Resolution


 

  1. Configure the Patch Management criteria in the HIP object:
    1. Go to Objects > GlobalProtect > HIP Objects
    2. Click Add to create a new HIP object
    3. Go to Patch Management > Criteria
      • Is Installed: Always leave this checkbox enabled. It requires that patch management software be present on the endpoint; it does not check whether any particular patch is installed.
      • Check: This setting applies only to the patches listed in the Patches box, and it is evaluated against the patches the HIP report lists as missing. For example, with "has-none" the HIP object matches when the HIP report shows none of the listed patches as missing; with "has-any" it matches when at least one of the listed patches is missing; with "has-all" it matches only when every listed patch is missing.
      • Patches: To check for specific Microsoft KB patches, add the KB number(s) here. The list can also be left blank: with Check set to "has-any" and no patches listed, the HIP object matches whenever the HIP report shows any missing patch at all, which is the setting to use for a generic "missing patches" check.
  2. Configure the Patch Management vendor in the same HIP object:
    1. In Objects > GlobalProtect > HIP Objects, open the HIP object created in step 1
    2. Go to Patch Management > Vendor
    3. Click Add and select the vendor and product of the patch management software the endpoints run (Microsoft for Windows Update), so that the criteria above are evaluated against that agent's report
  3. Configure the HIP profile:
    1. Go to Objects > GlobalProtect > HIP Profiles
    2. Click Add
    3. Click Add Match Criteria and select the HIP object created above
  4. Configure the security policy rule and assign the HIP profile:
    1. Go to Policies > Security
    2. Click Add
    3. Go to the User tab > HIP Profiles
    4. Add the HIP profile configured above. The rule then applies only to sessions from endpoints whose HIP report matches the profile, that is, endpoints with missing patches.
  5. Optionally, configure HIP notification so users are told why they matched:
    1. Go to Network > GlobalProtect > Gateways, open the gateway and go to HIP Notification
    2. Click Add
    3. Select the HIP profile and configure the Match Message and Not Match Message tabs as required.
      On the GlobalProtect client, the host state information (including the missing patches reported) can be viewed on the Host State tab.
      Note that on a freshly installed GlobalProtect client the missing-patch information does not appear immediately; it appears after one or two hours, once the agent has collected the patch data and submitted an updated HIP report.
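To make the Check/Patches semantics from step 1 concrete, the following is an added example written for this article; it is not Palo Alto Networks code and not the firewall's implementation. It emulates how a HIP object's Patch Management criteria (Is Installed, Check, Patches, Vendor) decide a match against the missing-patch list in a HIP report, including the case the article recommends (has-any with an empty Patches list). The XML element names (ProductInfo, Prod, missing-patches, Patch) are assumptions modelled on a GlobalProtect HIP report, and both sample reports are constructed.

```python
"""Emulation of how a PAN-OS HIP object's Patch Management criteria decide a match.

Added example for this article; not Palo Alto Networks code and not the firewall's
implementation. has-any, has-all and has-none are evaluated against the patches the
HIP report lists as MISSING; an empty Patches list with has-any means "any missing
patch at all". The XML element names are assumptions; both reports are constructed.
"""
from dataclasses import dataclass
import xml.etree.ElementTree as ET

# Constructed HIP report: Windows Update agent present, two patches missing.
SAMPLE_HIP_REPORT = """<hip-report>
  <categories>
    <entry name="patch-management">
      <list>
        <entry>
          <ProductInfo>
            <Prod vendor="Microsoft Corporation" name="Windows Update Agent" version="10.0"/>
            <missing-patches>
              <entry><Patch name="KB4012212" severity="4"/></entry>
              <entry><Patch name="KB4019472" severity="3"/></entry>
            </missing-patches>
          </ProductInfo>
        </entry>
      </list>
    </entry>
  </categories>
</hip-report>"""

# Constructed HIP report from a host that reports no patch management category.
NO_PM_REPORT = """<hip-report><categories><entry name="anti-malware"><list/></entry></categories></hip-report>"""


@dataclass(frozen=True)
class PatchCriteria:
    """Mirror of the Patch Management > Criteria and > Vendor tabs of a HIP object."""
    is_installed: bool = True            # Is Installed: patch management agent must be present
    check: str = "has-any"               # Check: has-any | has-all | has-none
    patches: frozenset = frozenset()     # Patches: KB numbers; empty = consider every missing patch
    vendors: frozenset = frozenset()     # Vendor tab: accepted vendor names; empty = any vendor


def parse_patch_management(xml_text):
    """Return [(vendor, product, {missing KB names}), ...] from a HIP report (assumed schema)."""
    root = ET.fromstring(xml_text)
    products = []
    for category in root.iterfind("./categories/entry"):
        if category.get("name") != "patch-management":
            continue
        for info in category.iterfind("./list/entry/ProductInfo"):
            prod = info.find("Prod")
            missing = {p.get("name") for p in info.iterfind("./missing-patches/entry/Patch")}
            products.append((prod.get("vendor"), prod.get("name"), missing))
    return products


def hip_matches(criteria, xml_text):
    """Return (matched, reason) for one HIP report against one set of Patch Management criteria."""
    products = parse_patch_management(xml_text)
    if criteria.vendors:
        products = [p for p in products if p[0] in criteria.vendors]
    # Is Installed only asks whether a (vendor-matching) agent is present at all.
    if criteria.is_installed and not products:
        return False, "no matching patch management software in HIP report"
    missing = set()
    for _vendor, _product, kbs in products:
        missing |= kbs
    if criteria.check == "has-any":
        # Empty Patches list: any missing patch counts (the article's recommended setup).
        hits = missing if not criteria.patches else missing & criteria.patches
        return bool(hits), f"has-any: missing {sorted(hits)}"
    if criteria.check == "has-all":
        return criteria.patches <= missing, f"has-all: missing {sorted(missing)}"
    if criteria.check == "has-none":
        present = missing & criteria.patches
        return not present, f"has-none: listed patches missing {sorted(present)}"
    raise ValueError(f"unknown check {criteria.check!r}")


if __name__ == "__main__":
    cases = [
        ("any missing patch (has-any, blank list)", PatchCriteria()),
        ("KB4012212 must not be missing (has-none)", PatchCriteria(check="has-none", patches=frozenset({"KB4012212"}))),
        ("only a Symantec agent accepted (Vendor tab)", PatchCriteria(vendors=frozenset({"Symantec"}))),
    ]
    for label, crit in cases:
        print(label, "->", hip_matches(crit, SAMPLE_HIP_REPORT))
    print("host without patch management ->", hip_matches(PatchCriteria(), NO_PM_REPORT))
```

The vendor filter shows why step 2 matters: with Is Installed enabled, a HIP object whose Vendor tab does not cover the endpoint's actual agent never matches, even though the report lists missing patches.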

 

 



Additional Information


Troubleshooting on Client Device

  • Check the HIP notification (View > HIP notification) for the configured "Match Message" or "Not Match Message".
  • After the configuration is modified on the Palo Alto Networks device, disable and re-enable GlobalProtect on the client (File > Disable, then File > Enable) so that a fresh HIP report is submitted for verification.

Troubleshooting on the Palo Alto Networks Device

The following CLI commands show the HIP information for a particular client. The IP address is the private (tunnel) IP assigned to the client by the GlobalProtect gateway, not the client's public address:
> debug user-id dump hip-profile-database
> debug user-id dump hip-report ip <ip address> user <user name> computer <computer name>




For example, the private IP, user and computer name to use can be found with:
> show global-protect-gateway current-user
Tunnel Name : gateway-sv-N
Domain-User Name : xxxxx
Computer : xxxxxx
Client : xxxxx
VPN Type : Device Level VPN
Mobile ID :
Private IP : 172.23.60.7 <=== use this IP address in the hip-report command above
Public IP : 201.247.44.57


The following CLI commands enable HIP debug logging and follow the log. Turn debugging off again afterwards (> debug user-id off), since debug-level logging adds load and noise on the management plane:
> debug user-id set hip all
> debug user-id on debug
> tail follow yes mp-log useridd.log


View the traffic logs (Monitor > Traffic) and check for entries that hit the rules configured with the HIP profile; this confirms that the HIP match is being applied to the client's sessions.


owner: ymiya**bleep**a
 


    https://knowledgebase.paloaltonetworks.com/kCSArticleDetail?id=kA10g000000ClGy&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FkCSArticleDetail