topic Re: HIP Notification question in General Topics

HIP Notification question

Ben-Price — Wed, 24 Nov 2021 05:00:28 GMT

Hi,

A question regarding HIP notifications.

I have enabled HIP notifications for GP clients connecting in and they trigger when a violation of the HIP profile is detected e.g. firewall turned off, but just wanted to clarify something in the Palo documentation.

Palo documentation below seems to indicate that the HIP profile needs to be attached to a security policy rule before the HIP notification is triggered, but it seems to trigger correctly whether it is attached to a security policy rule or not. I have tried 'any' and 'no-hip' in the source device section of a security policy rule and it seems to trigger either way.

Any clarification on the Palo documentation would be appreciated?

Thanks in advance.

Re: HIP Notification question

Ben-Price — Mon, 29 Nov 2021 05:58:36 GMT

Update here:

Reading some additional documentation, it does seem to indicate that the HIP notification message is displayed when HIP data is sent to the GP gateway from the GP client upon connection, and a defined HIP profile is matched or not matched (depending on your config). The HIP profile is then enforced when it is attached to a security policy rule (allow or deny).

I have attached a few articles for you to review.

How do users know if their systems are compliant

https://docs.paloaltonetworks.com/globalprotect/9-0/globalprotect-admin/host-information/about-host-information/how-do-users-know-if-their-systems-are-compliant.html

Leveraging Host Information profiles

https://live.paloaltonetworks.com/t5/blogs/leveraging-host-information-profile-hip/ba-p/291126

Configure HIP-Based policy enforcement

https://docs.paloaltonetworks.com/globalprotect/9-0/globalprotect-admin/host-information/configure-hip-based-policy-enforcement.html#id168afbfe-e152-461e-8c0b-4a463685c401

@BPry @reaper could you clarify or confirm the above

Re: HIP Notification question

BPry — Mon, 29 Nov 2021 06:06:00 GMT

@Ben-Price,

So HIP Notifications themselves would trigger when the matching HIP Profile is matched as you've configured. When you include the HIP Profile as a condition in the security policy it's used as matching criteria (IE: It would only match if the specified HIP Profile is triggered on the endpoint in question). These both utilize HIP Profiles to function, but they perform different functions. You don't have to use a HIP Profile in a security policy to use it as a HIP Notification match.

Re: HIP Notification question

Ben-Price — Mon, 29 Nov 2021 06:15:35 GMT

@BPry Thanks for the feedback.

Is there a way of implementing the below scenario.

Scenario:

We have a “Staff” Global Protect client profile and a “Contractor” Global Protect client profile. HIP checks (Device Compliance) for Staff and Contractor will obviously be different.

How can we perform HIP notifications that are relevant to the client profile being used.

Eg. We don’t want to notify when a “contractor’s” device is not Active directory domain joined because we don’t expect it to be domain joined (Contractors have much less access than Staff). But we do want to notify Staff if their device is not domain joined (Staff profile provide mores access therefore, more compliance is required)

Re: HIP Notification question

BPry — Mon, 29 Nov 2021 06:25:11 GMT

@Ben-Price,

Since this is done at the Gateway level the easiest way would be to just create two separate gateways. One gateway for your "Staff" clients and another for the "Contractor" clients. You would just direct access to the proper gateway via the Portal agent configurations if you didn't want to create a completely separate Portal for your contractors.

Re: HIP Notification question

Ben-Price — Mon, 29 Nov 2021 22:27:17 GMT

@BPry OK. A few further questions:

Are the HIP profiles evaluated in a top down order?

Does a client have to match all the requirements of a HIP profile for the notification to trigger e.g. if 2 profiles require firewall to be on, but have other different attributes like anti-virus requirements. Does the client match the first HIP profile in the list or does it have to match all attributes of the HIP profile?

Will a HIP notification trigger when an endpoint tries to send traffic through a security policy rule that has a HIP profile assigned or does the notification only trigger when the client connects?

Re: HIP Notification question

BPry — Tue, 30 Nov 2021 02:09:35 GMT

Are the HIP profiles evaluated in a top down order?

I'm not exactly sure what you are asking here. The HIP Profiles are just a collection of matching HIP Objects that you've specified, so as long as the client matches all of the HIP Objects in the HIP Profile it'll "match" the HIP Profile. All of this is done at exactly the same time, so there's no top/down matching from a HIP aspect. If I have multiple profiles that a client all matches, every matching profile will match for that client.

Hopefully that makes sense.

You may be interchanging HIP Profile when you're talking about HIP Objects? A HIP Profile is only matched when all of it's match criteria is matched. So if I built out a HIP Profile ("Issued-Win10-Device") that said to match on my "Supported-Win10-Build" HIP Object and "Issued-Device" HIP Object, only clients matching on the "Supported-Win10-Build" and "Issued-Device" HIP Objects would match my "Issued-Win10-Device" profile. If you only matched one object or the other it wouldn't match the profile.

Will a HIP notification trigger when an endpoint tries to send traffic through a security policy rule that has a HIP profile assigned or does the notification only trigger when the client connects?

The actual HIP Notification will only trigger when the client connects. It won't re-trigger every time it hits a security policy that includes the HIP Profile as matching criteria. These two features are independent of each other

Re: HIP Notification question

Ben-Price — Tue, 30 Nov 2021 06:25:08 GMT

Awesome thanks @BPry that has cleared things up.