How to Configure GlobalProtect for Custom Registry Check on Windows

How to Configure GlobalProtect for Custom Registry Check on Windows

53001
Created On 09/25/18 19:38 PM - Last Modified 04/21/20 00:20 AM


Symptom

The article explains how to use HIP Check to Match windows registry entries and use this information to  Allow/Deny them in the security Policies.



Environment
  • PAN-OS 7.1.5
  • GlobalProtect Agent 3.1.3.
  • Any Palo Alto Firewall.


Resolution

About this example and scope of this article

  • The Palo Alto Networks firewall used in this example is running PAN-OS 7.1.5, GlobalProtect 3.1.3. Similar method can be used in the newer PAN-OS versions.
  • This article does not cover the full configuration of GlobalProtect, but covers only configuring the firewall and the client to check for registries, assuming you already have GlobalProtect configured and connecting fine. For configuring Global Protect, you can refer Here.
  • GlobalProtect licence is required for using this feature

 

Part1: Configuring GlobalProtect to check for registries

  1. Go to the Windows machine where the registry exists. In this example, we will be checking the following registry, the information used in the firewall configuration is highlighted:

1_windows_registry.JPG

 

  1. Then, in the firewall GUI, go to Network > GlobalProtect > Portals.  Click on the desired Portal, and go to the Agent tab, click on the desired Config:

2_GP_portal_config.PNG
 

  1. Go to Data Collection tab, click on Custom Checks tab, click on Windows, and then click on Add:

3_GP_DC_config.PNG

 

  1. In the Regirstry Key window, fill in the registry key information, and click OK:

4_GP_RK_config.PNG

 

  1. Now we are done with the Portal configuration, go to Objects > GlobalProtect > HIP Objects, and click on Add. In the General tab, give the object a name:

6_HIPO_config.PNG

 
  1. Go to Custom Checks tab, check Custom Checks, go to Registry Key tab, and click on Add:

7_HIPO_2_config.PNG

 

  1. In the next window, enter the Registry Key, and click on Add to fill in the values:

8_HIPO_3_config.PNG

 

Note: When you have multiple registry keys specified in the Objects > Hip Objects > Custom Checks > Registry Key tab, as long as one of the registry checks passes, it would be considered a HIP match. The registry keys work with an 'OR' logic.

  1. Now, go to Objects > GlobalProtect > HIP Profiles, and click on Add. Give it a name and Add the Object created earlier:

9_HIPP_config.PNG

Part 2: Verification:

  1. Once the Client is Connected to the Portal, The entry is seen in the Host State tab:

12_GP_hoststate.PNG
 

  1. Also, in the firewall GUI, go to Monitor > Logs > HIP Match. You will see a log for matching the configured registry:

10_HIP_report_1.PNG

log details gives the detailed info

11_HIP_report_2.PNG

 

  1. HIP report information can also be obtained through the CLI:

 

admin@PA-VM(active)> debug user-id dump hip-profile-database entry 

Total number of hipmask in database: 2
Total number of logout records in database: 13
Total size of hip reports: 1050KB used / 163840KB
 Entry : 1
 User : hzayed
 Computer : HZAYED-WIN7
 IP : 192.168.100.1
 TTL : 9957
 VSYS : vsys1
 MD5 : cc75bc57a42c1365ffc18149e42db26
 Mobile ID : 
 MDM MD5 : 
 Last Checkin Time : 
 Jail Broken : 0

1-1 records shown


admin@PA-VM(active)> debug user-id dump hip-report computer HZAYED-WIN7 user hzayed ip 192.168.100.1

<?xml version="1.0" encoding="UTF-8"?>
<hip-report>
 <md5-sum>cc75bc57a42c1365ffc18149e42db26</md5-sum>
 <user-name>hzayed</user-name>
 <domain></domain>
 <host-name>HZAYED-WIN7</host-name>
 <host-id>0892c1cb-26ae-4467-8fa1-cf3fd818a918</host-id>
 <ip-address>192.168.100.1</ip-address>
 <generate-time>11/03/2016 09:36:59</generate-time>
.
.
[SNIP]
.
.
 <custom-checks>
 <registry-key>
 <entry name="HKEY_LOCAL_MACHINE\SOFTWARE\Intel\PSIS\PSIS_DECODER">
 <exist>yes</exist>
 <value></value>
 <registry-value>
 <entry name="GraphFile">
 <exist>yes</exist>
 <value>\\psistest.grf</value>
 </entry>
 </registry-value>
 </registry-key>
 </custom-checks>
</hip-report>


Part3: Use the HIP Profile in the Security Policy:

Once verified that the user is matching the HIP profile, you can configure specific Security Rules matching this profile:

13_SR_HIP.PNG

 



Additional Information

See also

How to Configure HIP for Missing Microsoft Patches

HIP checks are not logged and traffic is allowed when HIP match fails



Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/kCSArticleDetail?id=kA10g000000ClbK&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FkCSArticleDetail

Attachments
Choose Language