https://live.paloaltonetworks.com/t5/globalprotect-discussions/hip-check-patch-management/m-p/615608#M6035 <P>Hi, not sure if you ever achieved this but you're on the right track. One must first create the hip object and then the hip profile to include the hip object. The hip profile is the one that should be assigned to the security rule where you want the check to occur. Since you mentioned antimalware and firewall are already working correctly, I assume the "HIP data collection" is already turned on in your portal agent config. All you must be missing is a "deny" rule with the hip profile for the patch management criteria.<BR />For example, if we are looking for any missing patches with severity 3 or greater, create the HIP object as pictured and the HIP profile with the HIP object. Then place the HIP profile under source device for the specific security rule which allows users onto your vpn.&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="YvetteParra_0-1730220764546.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/63644iCEB267ACC2BC77B5/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="YvetteParra_0-1730220764546.png" alt="YvetteParra_0-1730220764546.png" /></span></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="YvetteParra_2-1730221350155.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/63646i3DFE105F26E12DC3/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="YvetteParra_2-1730221350155.png" alt="YvetteParra_2-1730221350155.png" /></span><BR />detailed steps here: <A href="https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/host-information/configure-hip-based-policy-enforcement" target="_blank">https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/host-information/configure-hip-based-policy-enforcement</A></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 29 Oct 2024 17:06:04 GMT YvetteParra 2024-10-29T17:06:04Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/hip-check-patch-management/m-p/449066#M2166 <P>Hello, I am trying to setup a HIP Profile for contractors accessing our network over Global Protect.<BR />This HIP Profile is checking if version of Windows is supported(allowing only 8.1 and 10), then checking if Anti-Malware and Firewall is enabled and as a last check I want to check if Windows patches are up to date.<BR />Checks for OS, Anti-Malware and Firewall are working fine but I am struggling with Patch-Management check.</P><P>On Global Protect Client on my not-updated test computer I can see that I am missing 3 patches. Two of them are of severity 2 and one is severity -1.</P><P class=""><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="hip check.PNG" style="width: 751px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/37776i00A4236A315E1821/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="hip check.PNG" alt="hip check.PNG" /></span></P><P class="">I was trying several combinations like the on on picture, on Patch Management HIP object tab but without success.</P><P class=""><SPAN><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="hip object.PNG" style="width: 577px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/37777i25A7B9F8BE63209D/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="hip object.PNG" alt="hip object.PNG" /></span></SPAN></P><P>I want to achive that this HIP Profile will only allow user if there are no severity 2 or 3 Patches missing. What I need to set-up on Patch management tab to do so?</P><P>Thanks for any hint or help.</P> Tue, 23 Nov 2021 09:56:06 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/hip-check-patch-management/m-p/449066#M2166 Henley 2021-11-23T09:56:06Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/hip-check-patch-management/m-p/527445#M3595 <P>shot in the dark here since this is 15 months old. but did you ever happen to get this figured out?</P> Tue, 17 Jan 2023 19:13:13 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/hip-check-patch-management/m-p/527445#M3595 wcoulson 2023-01-17T19:13:13Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/hip-check-patch-management/m-p/589081#M5439 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/117117">@Henley</a>&nbsp;were you able to achieve this?</P> Fri, 07 Jun 2024 16:03:20 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/hip-check-patch-management/m-p/589081#M5439 SaiKiranS 2024-06-07T16:03:20Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/hip-check-patch-management/m-p/615608#M6035 <P>Hi, not sure if you ever achieved this but you're on the right track. One must first create the hip object and then the hip profile to include the hip object. The hip profile is the one that should be assigned to the security rule where you want the check to occur. Since you mentioned antimalware and firewall are already working correctly, I assume the "HIP data collection" is already turned on in your portal agent config. All you must be missing is a "deny" rule with the hip profile for the patch management criteria.<BR />For example, if we are looking for any missing patches with severity 3 or greater, create the HIP object as pictured and the HIP profile with the HIP object. Then place the HIP profile under source device for the specific security rule which allows users onto your vpn.&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="YvetteParra_0-1730220764546.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/63644iCEB267ACC2BC77B5/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="YvetteParra_0-1730220764546.png" alt="YvetteParra_0-1730220764546.png" /></span></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="YvetteParra_2-1730221350155.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/63646i3DFE105F26E12DC3/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="YvetteParra_2-1730221350155.png" alt="YvetteParra_2-1730221350155.png" /></span><BR />detailed steps here: <A href="https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/host-information/configure-hip-based-policy-enforcement" target="_blank">https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/host-information/configure-hip-based-policy-enforcement</A></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 29 Oct 2024 17:06:04 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/hip-check-patch-management/m-p/615608#M6035 YvetteParra 2024-10-29T17:06:04Z