Windows Update HIP Check

wcoulson — Tue, 17 Jan 2023 19:24:24 GMT

i saw another user is having pretty much the same problem as me, but her post was over a year ago. was hoping some other users might have had the same problem as me.

here's the original post:

https://live.paloaltonetworks.com/t5/globalprotect-discussions/hip-check-patch-management/td-p/449066

essentially what we would like to do is....

1, check our VPN users to make sure they have Windows Update enabled

2, check our VPN users to make sure they don't have any severity 3 patches not installed.

for option 1 i tried to configure the HIP check like this:

for option 2 i tried to configure the HIP check like this:

it doesn't seem to matter what options i check under patch management, the PC always fails the check for windows update.

what am i missing or what do i have configured wrong?

Re: Windows Update HIP Check

aleksandar.astardzhiev — Wed, 18 Jan 2023 14:17:11 GMT

Hi @wcoulson ,

I would confess I don't have real experience with patch management HIP check, but I could suggest the following:

- Can you confirm your GP portal agent config is configured to collect patch management information? Patch management is not excluded here

- From documentation is says "Check —Match on whether the endpoint has missing patches." - https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/globalprotect/objects-globalprotect-hip-objects/hip-objects-patch-management-tab

So my understanding is that "has-any" means has any missing patch. And if I understand your first case you want this object to match a machine with all patches installed. Based on that I believe you need to use "has-none" - which should means "has none missing patches = has all patches"

- Second screenshot seems OK - should match if not severity 3 patches are missing, but you haven't specify patch management vendor. I am not sure if this could be a problem but you can try to add it the same way as your first hip object.

Have you checked how the HIP report looks like (the same way from the screenshot from the other post)? You can either check from GP client (setting -> Host Profile) or from FW cli https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClshCAC but this will be raw XML and GUI should be easier to read.

topic Windows Update HIP Check in GlobalProtect Discussions

Windows Update HIP Check

Re: Windows Update HIP Check