https://live.paloaltonetworks.com/t5/general-topics/hip-profile-monitor-only-initially/m-p/355957#M87596 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/133520">@FWPalolearner</a>,</P> <P>So the thing to remember about HIP is that it never takes any action unless you've specifically told it to. By default, HIP is just going to be informational. What you would do here is just create a HIP Object matching your criteria and commit. The HIP Match logs on the firewall will tell you which connecting clients are matching your HIP Object.&nbsp;</P> <P>If you want to quickly see what machines aren't meeting your defined HIP parameters, you could do that easily enough by creating two HIP Profiles. You would simply set it to match or NOT match your HIP Object you defined above, and then you could search for either HIP Profile in your logs.</P> <P>&nbsp;</P> <P>So for an example, lets say that I created a HIP Object called "Secured-Clients" and had it match all the criteria you defined. I would then create two HIP Profiles, with the first being "Trusted-Clients" for example that would simply match on the "Secured-Clients" HIP object you created previously. You would then create another HIP Profile called "NonTrusted-Clients" and simply have the match criteria as NOT "Secured-Clients".&nbsp;</P> <P>When it came to searching who was matching which profile, you can log into the firewall and search the HIP Match logs. To filter on the Trusted-Clients HIP Profile you would simply use the search&nbsp;<EM><STRONG>( matchname eq Trusted-Clients )</STRONG></EM><STRONG>&nbsp;</STRONG>to find everyone who meets your HIP criteria and then&nbsp;<EM><STRONG>( matchname eq NonTrusted-Clients )</STRONG></EM><STRONG>&nbsp;</STRONG>to find everyone who doesn't.</P> <P>&nbsp;</P> <P>Just keep in mind that nothing will actually take into account your HIP Profiles until you actually configure it to do so. Simply creating new HIP Objects or HIP Profiles will never cause any issues to your existing profiles.&nbsp;</P> Tue, 13 Oct 2020 01:01:21 GMT BPry 2020-10-13T01:01:21Z https://live.paloaltonetworks.com/t5/general-topics/hip-profile-monitor-only-initially/m-p/355641#M87567 <P>Hello ,</P><P>&nbsp;</P><P>We have got requirement to implement HIP profile for GP users ;&nbsp;</P><P>&nbsp;</P><P>But first we want to run it in Monitor mode without any enforcement or without blocking any users</P><P>&nbsp;</P><P>Below are the requirements&nbsp;</P><P>&nbsp;</P><TABLE><TBODY><TR><TD width="289"><P>OS</P></TD><TD width="89"><P>Windows 10&nbsp;</P></TD></TR><TR><TD width="289"><P>AV</P></TD><TD width="82"><P>Mcafee</P></TD></TR><TR><TD width="291"><P>AV updates not older than</P></TD><TD width="81"><P>5 days</P></TD></TR><TR><TD width="289"><P>Patch management</P></TD><TD width="82"><P>/</P></TD></TR><TR><TD width="289"><P>Disk encryption</P></TD><TD width="82"><P>Enabled</P></TD></TR><TR><TD width="289"><P>Firewall</P></TD><TD width="82"><P>Enabled</P></TD></TR></TBODY></TABLE><P>&nbsp;</P><P>&nbsp;</P><P>So do i just have to create HIP Object with all these conditions ?</P><P>&nbsp;</P><P>And how will i check which machines will not hit these HIP objects ?</P> Sun, 11 Oct 2020 21:23:51 GMT https://live.paloaltonetworks.com/t5/general-topics/hip-profile-monitor-only-initially/m-p/355641#M87567 FWPalolearner 2020-10-11T21:23:51Z https://live.paloaltonetworks.com/t5/general-topics/hip-profile-monitor-only-initially/m-p/355957#M87596 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/133520">@FWPalolearner</a>,</P> <P>So the thing to remember about HIP is that it never takes any action unless you've specifically told it to. By default, HIP is just going to be informational. What you would do here is just create a HIP Object matching your criteria and commit. The HIP Match logs on the firewall will tell you which connecting clients are matching your HIP Object.&nbsp;</P> <P>If you want to quickly see what machines aren't meeting your defined HIP parameters, you could do that easily enough by creating two HIP Profiles. You would simply set it to match or NOT match your HIP Object you defined above, and then you could search for either HIP Profile in your logs.</P> <P>&nbsp;</P> <P>So for an example, lets say that I created a HIP Object called "Secured-Clients" and had it match all the criteria you defined. I would then create two HIP Profiles, with the first being "Trusted-Clients" for example that would simply match on the "Secured-Clients" HIP object you created previously. You would then create another HIP Profile called "NonTrusted-Clients" and simply have the match criteria as NOT "Secured-Clients".&nbsp;</P> <P>When it came to searching who was matching which profile, you can log into the firewall and search the HIP Match logs. To filter on the Trusted-Clients HIP Profile you would simply use the search&nbsp;<EM><STRONG>( matchname eq Trusted-Clients )</STRONG></EM><STRONG>&nbsp;</STRONG>to find everyone who meets your HIP criteria and then&nbsp;<EM><STRONG>( matchname eq NonTrusted-Clients )</STRONG></EM><STRONG>&nbsp;</STRONG>to find everyone who doesn't.</P> <P>&nbsp;</P> <P>Just keep in mind that nothing will actually take into account your HIP Profiles until you actually configure it to do so. Simply creating new HIP Objects or HIP Profiles will never cause any issues to your existing profiles.&nbsp;</P> Tue, 13 Oct 2020 01:01:21 GMT https://live.paloaltonetworks.com/t5/general-topics/hip-profile-monitor-only-initially/m-p/355957#M87596 BPry 2020-10-13T01:01:21Z https://live.paloaltonetworks.com/t5/general-topics/hip-profile-monitor-only-initially/m-p/358464#M87883 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a>&nbsp;</P><P>&nbsp;</P><P>Thanks and apolgies for getting back to you late</P><P>&nbsp;</P><P>I have configured HIP profiles but i have doubt in the syntax</P><P>I have created 4 HIP objects for checking AV , OS ,FW and Disk enc for machine in old domain . to check non compliant machines i have done below syntax for HIP profile</P><P>&nbsp;</P><P>(not "GP-Internal-AV" or not "GP-Internal-OS" or not "GP-Internal-FW" or not "GP-Internal-DiskEncryption" ) and "GP-Internal-Domain-old"</P><P>&nbsp;</P><P>or do i have to put parantheseis like below</P><P>((not "GP-Internal-AV" )or (not "GP-Internal-OS") or (not "GP-Internal-FW" )or (not "GP-Internal-DiskEncryption" ) )and "GP-Internal-Domain-old"</P><P>&nbsp;</P><P>Similarly for external machines i have below</P><P>(not "GP-External-AV" or not "GP-External-OS" or not "GP-External-FW" or not "GP-External-DiskEncryption" ) and (not "GP-Internal-Domain-Old" )</P><P>&nbsp;</P><P>or the syntax should be ?</P><P>((not "GP-External-AV") or (not "GP-External-OS") or (not "GP-External-FW") or (not "GP-External-DiskEncryption" )) and (not "GP-Internal-Domain-New" )</P><P>&nbsp;</P><P>i am confused by paranthesis</P> Fri, 23 Oct 2020 13:29:42 GMT https://live.paloaltonetworks.com/t5/general-topics/hip-profile-monitor-only-initially/m-p/358464#M87883 FWPalolearner 2020-10-23T13:29:42Z https://live.paloaltonetworks.com/t5/general-topics/hip-profile-monitor-only-initially/m-p/358623#M87902 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/133520">@FWPalolearner</a>,</P> <P>The syntax for this is a little weird. You don't actually need to include brackets around things you don't want to group. So in your first example, the syntax that I would use would be:</P> <P><SPAN>not ("GP-Internal-AV" or&nbsp; "GP-Internal-OS" or&nbsp; "GP-Internal-FW" or "GP-Internal-DiskEncryption" ) and "GP-Internal-Domain-old"</SPAN></P> <P>&nbsp;</P> <P><SPAN>Likewise your second example I would use:</SPAN></P> <P><SPAN>not ("GP-External-AV" or "GP-External-OS" or "GP-External-FW" or "GP-External-DiskEncryption" ) and not "GP-Internal-Domain-Old"</SPAN></P> Sat, 24 Oct 2020 17:19:57 GMT https://live.paloaltonetworks.com/t5/general-topics/hip-profile-monitor-only-initially/m-p/358623#M87902 BPry 2020-10-24T17:19:57Z https://live.paloaltonetworks.com/t5/general-topics/hip-profile-monitor-only-initially/m-p/359882#M88023 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a>&nbsp; Thanks . this works . Thanks for your help as always <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Fri, 30 Oct 2020 11:35:13 GMT https://live.paloaltonetworks.com/t5/general-topics/hip-profile-monitor-only-initially/m-p/359882#M88023 FWPalolearner 2020-10-30T11:35:13Z