topic Re: HIPS to prevent windows 7 clients in GlobalProtect Discussions

HIPS to prevent windows 7 clients

Stevenjw0728 — Fri, 03 Mar 2023 20:29:53 GMT

How would I go about creating a HIPS profile that would deny access to machines running windows 7 that need to connect to global protect?

Re: HIPS to prevent windows 7 clients

TomYoung — Mon, 06 Mar 2023 16:35:13 GMT

Hi @Stevenjw0728 ,

Here are the steps to use HIP in the security policy -> https://docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/host-information/configure-hip-based-policy-enforcement.

You would create a separate HIP Object like the following:

Put it in a HIP Profile named Windows 7. Add the Windows 7 HIP Profile as a source to a security policy rule and deny traffic except optionally to a remediation server. GlobalProtect will not disconnect, but you can configure a GlobalProtect message under Gateway > Agent > HIP Notification.

Thanks,

Tom

Re: HIPS to prevent windows 7 clients

Stevenjw0728 — Wed, 08 Mar 2023 22:59:15 GMT

I created an object for all versions of windows, attached it to a profile, then assigned that profile to a rule that was VPN clients to Trust networks and it took everyone down.....why? Shouldn't it just be collecting data?

Re: HIPS to prevent windows 7 clients

Stevenjw0728 — Thu, 09 Mar 2023 00:07:17 GMT

When you select OS contains Windows 7, does that cover all the editions of Windows 7?

Re: HIPS to prevent windows 7 clients

TomYoung — Thu, 09 Mar 2023 01:41:45 GMT

Hi @Stevenjw0728 ,

If you apply a HIP Profile to a security policy rule, then the clients must match the HIP Profile to match the rule. You can create the profiles 1st and check matches under Monitor > HIP Match before applying them to a policy.

I think Windows 7 will match all Windows 7 flavors. The best way to find out is create it and see who matches.

Thanks,

Tom

Re: HIPS to prevent windows 7 clients

Stevenjw0728 — Thu, 09 Mar 2023 15:32:18 GMT

if my profile was to include all windows 7, windows 10, and windows 11, why did all my traffic stop?!

Re: HIPS to prevent windows 7 clients

TomYoung — Thu, 09 Mar 2023 15:46:36 GMT

Hi @Stevenjw0728 ,

You would need to check the logic in the profile. Maybe it was a logical AND and devices can't be all 3 at the same time?

Thanks,

Tom

Re: HIPS to prevent windows 7 clients

BPry — Thu, 09 Mar 2023 15:50:58 GMT

@Stevenjw0728,

How did you build out the profile and what did you actually want it to do? If you included every OS in the profile and denied access through the security policy, the firewall did what you told it to do. If you're just trying to prevent Windows 7 clients from connecting, include only the Windows 7 HIP-Object in the associated profile and make a Deny entry. You wouldn't want to group everything together in some overarching allow entry.

As to why your traffic stop flowing, did you give any time between the creation of the HIP-Object/Profile and putting it into effect on the security rulebase at the same time? Generally speaking whenever you build out a new Object/Profile, you're going to want to validate using the HIP logs that it's actually matching clients as expected before you ever include it in a policy. That ensures that your order of operations is actually correct, and it ensures that the clients active at the moment actually have time to send the update in their next HIP report.

Re: HIPS to prevent windows 7 clients

Stevenjw0728 — Thu, 09 Mar 2023 16:21:55 GMT

Well dang it. Missed that. I thought when you add it to a profile its like "hey any of these match your good" so that was indeed the issue, radio button for AND was checked.