This article explains how to use a HIP check to match Windows registry values and use that information to allow or deny traffic in security policies.
Environment
PAN-OS 7.1.5
GlobalProtect Agent 3.1.3.
Any Palo Alto Firewall.
Resolution
About this example and scope of this article
The Palo Alto Networks firewall used in this example is running PAN-OS 7.1.5 with GlobalProtect 3.1.3. A similar method can be used on newer PAN-OS versions.
This article does not cover the full configuration of GlobalProtect; it covers only configuring the firewall and the client to check for registry keys, and assumes you already have GlobalProtect configured and connecting correctly. For configuring GlobalProtect, refer to the GlobalProtect configuration documentation.
A GlobalProtect license is required to use this feature.
Part 1: Configuring GlobalProtect to check for registry keys
Go to the Windows machine where the registry key exists. In this example, we will be checking the following registry key; the information used in the firewall configuration is highlighted:
Then, in the firewall GUI, go to Network > GlobalProtect > Portals. Click on the desired Portal, and go to the Agent tab, click on the desired Config:
Go to the Data Collection tab, click on the Custom Checks tab, click on Windows, and then click on Add:
In the Registry Key window, fill in the registry key information and click OK:
Now that the Portal configuration is done, go to Objects > GlobalProtect > HIP Objects and click on Add. In the General tab, give the object a name:
Go to the Custom Checks tab, check Custom Checks, go to the Registry Key tab, and click on Add:
In the next window, enter the Registry Key and click on Add to fill in the values:
Note: When you have multiple registry keys specified in the Objects > GlobalProtect > HIP Objects > Custom Checks > Registry Key tab, as long as one of the registry checks passes, it is considered a HIP match. The registry keys work with 'OR' logic.
Now go to Objects > GlobalProtect > HIP Profiles and click on Add. Give it a name and add the object created earlier:
Part 2: Verification:
Once the client is connected to the Portal, the entry is seen in the Host State tab:
Also, in the firewall GUI, go to Monitor > Logs > HIP Match. You will see a log for matching the configured registry key:
The log details view gives the detailed information:
HIP report information can also be obtained through the CLI:
admin@PA-VM(active)> debug user-id dump hip-profile-database entry
Total number of hipmask in database: 2
Total number of logout records in database: 13
Total size of hip reports: 1050KB used / 163840KB
Entry : 1
User : hzayed
Computer : HZAYED-WIN7
IP : 192.168.100.1
TTL : 9957
VSYS : vsys1
MD5 : cc75bc57a42c1365ffc18149e42db26
Mobile ID :
MDM MD5 :
Last Checkin Time :
Jail Broken : 0
1-1 records shown
admin@PA-VM(active)> debug user-id dump hip-report computer HZAYED-WIN7 user hzayed ip 192.168.100.1
<?xml version="1.0" encoding="UTF-8"?>
<hip-report>
<md5-sum>cc75bc57a42c1365ffc18149e42db26</md5-sum>
<user-name>hzayed</user-name>
<domain></domain>
<host-name>HZAYED-WIN7</host-name>
<host-id>0892c1cb-26ae-4467-8fa1-cf3fd818a918</host-id>
<ip-address>192.168.100.1</ip-address>
<generate-time>11/03/2016 09:36:59</generate-time>
.
.
[SNIP]
.
.
<custom-checks>
<registry-key>
<entry name="HKEY_LOCAL_MACHINE\SOFTWARE\Intel\PSIS\PSIS_DECODER">
<exist>yes</exist>
<value></value>
<registry-value>
<entry name="GraphFile">
<exist>yes</exist>
<value>\\psistest.grf</value>
</entry>
</registry-value>
</registry-key>
</custom-checks>
</hip-report>
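To make the OR logic from the note in Part 1 and the structure of the <custom-checks> section above concrete, here is an added Python example (not part of this article and not Palo Alto Networks code) that parses the registry-key portion of a HIP report and evaluates a set of configured registry-key checks the way a HIP object would: any one passing key is a match. The sample report is constructed for the example, using the PSIS_DECODER key and GraphFile value from the report above plus a made-up second key that does not exist on the host; requiring every expected value under a key to match is an assumption of this example, not something the article states.

```python
import xml.etree.ElementTree as ET

# Constructed sample HIP report, modelled on the <custom-checks> section of
# the report shown in the article. The second key is invented to show OR logic.
SAMPLE_HIP_REPORT = r"""<hip-report>
  <user-name>hzayed</user-name>
  <host-name>HZAYED-WIN7</host-name>
  <custom-checks>
    <registry-key>
      <entry name="HKEY_LOCAL_MACHINE\SOFTWARE\Intel\PSIS\PSIS_DECODER">
        <exist>yes</exist>
        <value></value>
        <registry-value>
          <entry name="GraphFile">
            <exist>yes</exist>
            <value>\\psistest.grf</value>
          </entry>
        </registry-value>
      </entry>
      <entry name="HKEY_LOCAL_MACHINE\SOFTWARE\Example\DoesNotExist">
        <exist>no</exist>
        <value></value>
        <registry-value/>
      </entry>
    </registry-key>
  </custom-checks>
</hip-report>
"""


def parse_registry_checks(report_xml):
    """Return {key_path: (key_exists, {value_name: (value_exists, data)})}
    from the <custom-checks>/<registry-key> section of a HIP report."""
    root = ET.fromstring(report_xml)
    result = {}
    for key in root.iterfind("./custom-checks/registry-key/entry"):
        key_exists = key.findtext("exist") == "yes"
        values = {}
        for val in key.iterfind("./registry-value/entry"):
            values[val.get("name")] = (
                val.findtext("exist") == "yes",
                val.findtext("value") or "",
            )
        result[key.get("name")] = (key_exists, values)
    return result


def key_matches(report_keys, key_path, expected_values):
    """One configured registry-key check: the key must exist on the host and
    every expected value must exist with the expected data. (Treating the
    values under a single key with AND logic is an assumption of this example.)"""
    key_exists, values = report_keys.get(key_path, (False, {}))
    if not key_exists:
        return False
    for name, data in expected_values.items():
        val_exists, val_data = values.get(name, (False, ""))
        if not val_exists or val_data != data:
            return False
    return True


def hip_object_matches(report_xml, registry_checks):
    """Evaluate a HIP object's Registry Key tab: registry_checks maps each
    configured key path to its expected {value_name: data}. As the article's
    note states, the keys are combined with OR logic, so one passing key is
    enough for a HIP match."""
    report_keys = parse_registry_checks(report_xml)
    return any(
        key_matches(report_keys, path, expected)
        for path, expected in registry_checks.items()
    )


if __name__ == "__main__":
    # Two keys configured in the HIP object; only the first exists on the host.
    checks = {
        r"HKEY_LOCAL_MACHINE\SOFTWARE\Intel\PSIS\PSIS_DECODER": {"GraphFile": r"\\psistest.grf"},
        r"HKEY_LOCAL_MACHINE\SOFTWARE\Example\DoesNotExist": {},
    }
    print("HIP match:", hip_object_matches(SAMPLE_HIP_REPORT, checks))
```

Because of the OR logic, a HIP object that lists several keys is only as strict as its loosest key; if the intent is that all keys must be present, put each key in its own HIP object and combine the objects in the HIP profile's match criteria instead.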
Part 3: Use the HIP Profile in the Security Policy:
Once you have verified that the user matches the HIP profile, you can configure specific security rules that match this profile: