DotW: HIP checks for missing patches for multiple vendors on one gateway


Created On 09/25/18 19:03 PM - Last Modified 06/06/23 02:52 AM


Resolution


In this week's Discussion of the Week (DotW), we're featuring a discussion entry shared by one of our partners that looks into some HIP issues, the workaround to a few challenges, and a great solution to share with the Community at large!

 

Our partner @DonohoeRobert shares his experience.

 


Hi All, 

 

I recently worked an issue where the user wanted HIP alerts displayed for users if they are missing iOS, Apple or Windows patch updates. There is sometimes some confusion about the match / not match messages, and there is a known issue with HIP checks on Macs. Hopefully, the information presented here clears up some of this. I've also generated a workaround for the MacBook check.

 

Objective

Alert users of iOS, MacBook and Windows devices if they are not on the latest patch of Windows updates or Apple software.

 

Known issue with missing patches HIP check on a Mac

77018: GlobalProtect agent fails to report missing patches on devices running Mac OS.

Workaround: Specify the latest version of the OS and manually type in the missing number, if applicable, and check for this.

 

Steps

I got the desired results following the instructions and guidelines and gathered screenshots as I went.

 

HIP objects

First, create HIP objects to check. I created one for the device explicitly, then one to see if all patches are installed [Windows], and if the latest release of iOS [iPhone] and the latest release [10.11.3] on the MacBook are installed.

 

[Screenshot: hip-objects.png]

 

Initially, MacBook OS 10.11.3 was not on the list, so I selected version 10.11 and added the .3, and the Palo Alto Networks device accepted this. Due to the known issue, instead of checking for missing patches the conventional way, I checked the OS release of the MacBook, which is effectively the patches and security fixes Apple rolls out, whereas Windows patches are slightly different.

 

[Screenshot: mac-version.png]

 

 

HIP Profiles

I set up the three conditions below, then created a fourth condition that asks if any of the three checks above are true.

 

 

[Screenshot: hip-profiles.png]

 

Gateway alert

 

We put 'if any is true' into the alert on the gateway. Again, this will alert if an iOS, MacBook, or Windows device doesn't have the latest release of code or the latest Windows updates.

 

I verified with testing. You have to adjust the match / not match statements to match.

 

For example, you just need to have the one HIP alert that checks if any device is missing the updates (link below).

 

 

[Screenshot: alert.png]

 

Matched message – a device has connected that is an iOS, Mac or Windows device that does not have the latest code or all the security patches.

 

Not matched message is null and not enabled.

 

 

[Screenshot: alert2.png]

 

 

The above will alert users if they connect on an iOS device, Windows device, or MacBook if not on the latest patch. The workaround is valid only as long as the latest Mac OS is 10.11.3. 

 

Hope this helps.

 

Regards,

 

Robert D 
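The three HIP objects and the "if any is true" profile from the post above, modelled as an added Python example (not a Palo Alto Networks configuration and not the author's own code) so the matched / not-matched outcomes and the staleness of the 10.11.3 workaround can be seen on sample reports. The HipReport fields, the host names and the iOS "latest" value are constructed assumptions; the Mac check is modelled as an exact match against the typed-in release, as the author described.

```python
from dataclasses import dataclass

# Releases the HIP objects were built against: Mac value from the post, iOS value constructed.
LATEST = {"mac": "10.11.3", "ios": "12.0"}

@dataclass
class HipReport:
    """Minimal stand-in for what the GlobalProtect agent reports to the gateway."""
    host: str
    os_family: str        # "windows", "mac" or "ios"
    os_version: str       # e.g. "10.11.3"
    missing_patches: int  # patch-management count; unreliable on Mac OS (issue 77018)

def windows_missing_patches(r: HipReport) -> bool:
    """HIP object 1: Windows host with any patch outstanding."""
    return r.os_family == "windows" and r.missing_patches > 0

def ios_not_latest(r: HipReport, latest: dict) -> bool:
    """HIP object 2: iOS host not on the latest release."""
    return r.os_family == "ios" and r.os_version != latest["ios"]

def mac_not_latest(r: HipReport, latest: dict) -> bool:
    """HIP object 3 (workaround): compare the typed-in OS release instead of patches."""
    return r.os_family == "mac" and r.os_version != latest["mac"]

def hip_profile_matches(r: HipReport, latest: dict = LATEST) -> bool:
    """HIP profile: true if ANY of the three objects is true."""
    return (windows_missing_patches(r) or ios_not_latest(r, latest)
            or mac_not_latest(r, latest))

def gateway_notification(r: HipReport, latest: dict = LATEST):
    """Only the 'matched' message is enabled; 'not matched' is null."""
    if hip_profile_matches(r, latest):
        return "Matched: device is missing the latest code or security patches"
    return None
SAMPLE_REPORTS = [  # constructed sample reports, not real hosts
    HipReport("win-ok", "windows", "10.0", 0),
    HipReport("win-missing-3", "windows", "10.0", 3),
    HipReport("iphone-old", "ios", "11.4", 0),
    HipReport("mac-current", "mac", "10.11.3", 0),
    HipReport("mac-old", "mac", "10.11.2", 0),
    # Once Apple ships 10.11.4 the workaround is stale: a fully current Mac no
    # longer equals the typed-in release and is alerted until the object is updated.
    HipReport("mac-newer-than-object", "mac", "10.11.4", 0),
]

def evaluate(reports=SAMPLE_REPORTS, latest: dict = LATEST) -> dict:
    """Map each host to whether the gateway would show the matched message."""
    return {r.host: hip_profile_matches(r, latest) for r in reports}
```

Updating the "mac" value in LATEST to the new release clears the false alert on the current Mac and starts flagging hosts still on 10.11.3, which is the maintenance step the caveat implies.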

 


 

I hope you enjoyed this as much as we did!

 

 


