How to Configure HIP for Missing Microsoft Patches
76376
Created On 09/25/18 17:36 PM - Last Modified 05/05/20 22:07 PM
Symptom
This document explains how to configure HIP check for missing Microsoft patches.
Environment
- Globalportect
- Pan-OS
Resolution
Additional Information
Troubleshooting on Client Device
- Check HIP notification (View > HIP notification) for "Match Message" or "Not Match Message".
- When the configuration is modified on the Palo Alto Networks device, try to disable and enable GlobalProtect (File > Disable, then File > Enable) for verification.
Troubleshooting on the Palo Alto Networks Device
The following CLI commands show the HIP information for a particular client: (Note: ip address: Private IP assigned by GlobalProtect Gateway)> debug user-id dump hip-profile-database
> debug user-id dump hip-report ip <ip address> user <user name> computer <computer name>
For example:
> show global-protect-gateway current-user
Tunnel Name : gateway-sv-N
Domain-User Name : xxxxx
Computer : xxxxxx
Client : xxxxx
VPN Type : Device Level VPN
Mobile ID :
Private IP : 172.23.60.7 <=== This ip address
Public IP : 201.247.44.57
The following CLI commands show debug logs:
> debug user-id set hip all
> debug user-id on debug
> tail follow yes mp-log useridd.log
View the traffic logs and check the entries for rules configured with the HIP profile:
owner: ymiya**bleep**a