<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: PALOALTO NGFW HIP in Next-Generation Firewall Discussions</title>
    <link>https://live.paloaltonetworks.com/t5/next-generation-firewall/paloalto-ngfw-hip/m-p/1235374#M6160</link>
    <description>&lt;P&gt;The point is that I don’t want this for a domain environment. The devices I want to apply HIP to are only non-domain devices, such as mobile devices (e.g., Android/iOS).&lt;/P&gt;&lt;P&gt;On some of these, it’s possible to enable AV check for HIP, but on others (e.g., Android and iOS devices), HIP data does not return any information related to AV check. For this reason, for such devices, I can perform HIP checks using MAC/Serial Number/Host ID + CACert check.&lt;/P&gt;&lt;P&gt;I’m just stuck on where exactly I should add the list of devices (i.e., MAC or Serial Number or Host ID).&lt;/P&gt;</description>
    <pubDate>Mon, 04 Aug 2025 17:57:21 GMT</pubDate>
    <dc:creator>OrkhanM</dc:creator>
    <dc:date>2025-08-04T17:57:21Z</dc:date>
    <item>
      <title>PALOALTO NGFW HIP</title>
      <link>https://live.paloaltonetworks.com/t5/next-generation-firewall/paloalto-ngfw-hip/m-p/1235349#M6156</link>
      <description>&lt;P&gt;Hi,&lt;BR /&gt;I need help with configuring Host Information Profiles (HIP) using device attributes such as MAC address, serial number, or host ID. When creating a HIP object with these attributes, where should I add the list of devices so they are recognized by the firewall?&lt;BR /&gt;Thanks,&lt;/P&gt;</description>
      <pubDate>Mon, 04 Aug 2025 13:09:51 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/next-generation-firewall/paloalto-ngfw-hip/m-p/1235349#M6156</guid>
      <dc:creator>OrkhanM</dc:creator>
      <dc:date>2025-08-04T13:09:51Z</dc:date>
    </item>
    <item>
      <title>Re: PALOALTO NGFW HIP</title>
      <link>https://live.paloaltonetworks.com/t5/next-generation-firewall/paloalto-ngfw-hip/m-p/1235362#M6157</link>
      <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/1097754153"&gt;@OrkhanM&lt;/a&gt;,&lt;/P&gt;
&lt;P&gt;I would generally tell most people that this isn't the path that you want to go down from a management aspect. It would be easier to manage if you started (or have) serial numbers assigned and use an LDAP server profile to be able to utilize the 'Managed' option to verify that the serial number is present in AD.&lt;/P&gt;
&lt;P&gt;This will allow the firewall to pull the list of serial numbers from Active Directory by looking at the computer objects and the serialNumber attribute to validate whether or not a computer is actually present in AD.&lt;/P&gt;
&lt;P&gt;If you can't do that for some reason, you'll ideally have automation in place to create individual HIP objects for each entry that you want to allow and then utilize a profile to group all of the individual objects. I don't believe that you can match multiple different strings with a single object, so unless you can make them all fit with a Contains operator (which effectively would only allow a single manufacturer and doesn't actually prevent much) you're going to need to utilize a profile to group all of the individual objects which doesn't really scale.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Mon, 04 Aug 2025 15:01:20 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/next-generation-firewall/paloalto-ngfw-hip/m-p/1235362#M6157</guid>
      <dc:creator>BPry</dc:creator>
      <dc:date>2025-08-04T15:01:20Z</dc:date>
    </item>
    <item>
      <title>Re: PALOALTO NGFW HIP</title>
      <link>https://live.paloaltonetworks.com/t5/next-generation-firewall/paloalto-ngfw-hip/m-p/1235374#M6160</link>
      <description>&lt;P&gt;The point is that I don’t want this for a domain environment. The devices I want to apply HIP to are only non-domain devices, such as mobile devices (e.g., Android/iOS).&lt;/P&gt;&lt;P&gt;On some of these, it’s possible to enable AV check for HIP, but on others (e.g., Android and iOS devices), HIP data does not return any information related to AV check. For this reason, for such devices, I can perform HIP checks using MAC/Serial Number/Host ID + CACert check.&lt;/P&gt;&lt;P&gt;I’m just stuck on where exactly I should add the list of devices (i.e., MAC or Serial Number or Host ID).&lt;/P&gt;</description>
      <pubDate>Mon, 04 Aug 2025 17:57:21 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/next-generation-firewall/paloalto-ngfw-hip/m-p/1235374#M6160</guid>
      <dc:creator>OrkhanM</dc:creator>
      <dc:date>2025-08-04T17:57:21Z</dc:date>
    </item>
    <item>
      <title>Re: PALOALTO NGFW HIP</title>
      <link>https://live.paloaltonetworks.com/t5/next-generation-firewall/paloalto-ngfw-hip/m-p/1235460#M6164</link>
      <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/1097754153"&gt;@OrkhanM&lt;/a&gt;,&lt;/P&gt;
&lt;P&gt;Assuming that you do not have an MDM?&lt;/P&gt;
&lt;P&gt;You would need to do what I've described above: each endpoint that you wish to allow will need to be an individual HIP object, and you will then need to group them into a HIP Profile and use it as needed (remember that profiles can be used as matching criteria in other profiles).&lt;/P&gt;
&lt;P&gt;To keep the administration aspect of this lower, I would look into automating this as much as possible. When I've needed to do this in the past, I built out automation to take a source file and templated the creation of HIP Objects and the Profiles that were in use for those devices to account for new devices. That isn't something that the firewall can do natively, however, so you either live with the administration overhead or automate it away.&lt;/P&gt;</description>
      <pubDate>Tue, 05 Aug 2025 13:56:17 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/next-generation-firewall/paloalto-ngfw-hip/m-p/1235460#M6164</guid>
      <dc:creator>BPry</dc:creator>
      <dc:date>2025-08-05T13:56:17Z</dc:date>
    </item>
    <item>
      <title>Re: PALOALTO NGFW HIP</title>
      <link>https://live.paloaltonetworks.com/t5/next-generation-firewall/paloalto-ngfw-hip/m-p/1237463#M6271</link>
      <description>&lt;P&gt;Thanks for helping.&lt;/P&gt;</description>
      <pubDate>Mon, 08 Sep 2025 06:54:55 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/next-generation-firewall/paloalto-ngfw-hip/m-p/1237463#M6271</guid>
      <dc:creator>OrkhanM</dc:creator>
      <dc:date>2025-09-08T06:54:55Z</dc:date>
    </item>
  </channel>
</rss>

