How to Configure HIP for Missing Microsoft Patches

How to Configure HIP for Missing Microsoft Patches

Created On 09/25/18 17:36 PM - Last Modified 05/05/20 22:07 PM



This document explains how to configure HIP check for missing Microsoft patches.


  • Globalportect
  • Pan-OS



  1. Configure Patch Managent Criteria in the HIP object:
    1. Go to Object > GlobalProtect > HIP Objects
    2. Click "Add new HIP Object"
    3. Go to Patch Management > Criteria
      Screen Shot 2015-05-29 at 3.26.21 PM.png
      • Is Installed: This checkbox should be always turned on. This option is not used to check whether patch is installed.
      • Check: This setting is only applied to the patches listed in the box below. For example, if "has-none" check criteria is selected, the hip object will match when there is a hip report that has none of the patches listed in Patches box.
      • Patches: To check Microsoft KB patches, add the number(s) here. This can be left blank. Set "has-any" for the check, so HIP will match if there are any missing patches. 
  2. Configure Patch Management Vendor in HIP object:
    1. Go to Object > GlobalProtect > HIP Objects
    2. Add new HIP Object
    3. Go to Patch Management > Vendor
      Screen Shot 2015-05-29 at 3.27.54 PM.png
  3. Configure HIP profile:
    1. Go to Object > GlobalProtect > HIP Profiles
    2. Click Add
    3. Configure the HIP profile by clicking "Add Match Criteria" button:
      Screen Shot 2015-05-29 at 3.28.41 PM.png
  4. Configure Security Policy and assign HIP profile
    1. Go to Policies > Security
    2. Click Add
    3. Go to User > HIP Profiles
    4. Select the configured HIP profile:
      Screen Shot 2013-12-20 at 2.41.06 PM.png
  5. Optionally: Configure HIP Notification
    1. Go to Network > GlobalProtect > Gateways > HIP Notification
    2. Click Add
    3. Select the HIP profile and configure the Match Message and Not Match Message tabs as required.
      Screen Shot 2015-05-29 at 3.29.43 PM.png
      On the GlobalProtect Client, view the host state information from the Host State tab:
      Screen Shot 2013-12-20 at 2.48.13 PM.png
      On GlobalProtect client, the missing patch information does not appear immediately after a fresh installation. The missing patch information will appear after one or two hours.



Additional Information

Troubleshooting on Client Device

  • Check HIP notification (View > HIP notification) for "Match Message" or "Not Match Message".
  • When the configuration is modified on the Palo Alto Networks device, try to disable and enable GlobalProtect (File > Disable, then File > Enable) for verification.

Troubleshooting on the Palo Alto Networks Device

The following CLI commands show the HIP information for a particular client: (Note: ip address: Private IP assigned by GlobalProtect Gateway)
> debug user-id dump hip-profile-database
> debug user-id dump hip-report ip <ip address> user <user name> computer <computer name>

For example:
> show global-protect-gateway current-user
Tunnel Name : gateway-sv-N
Domain-User Name : xxxxx
Computer : xxxxxx
Client : xxxxx
VPN Type : Device Level VPN
Mobile ID :
Private IP : <=== This ip address
Public IP :

The following CLI commands show debug logs:
> debug user-id set hip all
> debug user-id on debug
> tail follow yes mp-log useridd.log

View the traffic logs and check the entries for rules configured with the HIP profile:
Screen Shot 2013-12-20 at 3.28.00 PM.png

owner: ymiya**bleep**a

  • Print
  • Copy Link

Choose Language