HIP Checks for Browser Version

L3 Networker

HIP Checks for Browser Version

I have a customer that would like to limit GP authentication based upon browser version running on the clients. They would like to collect all browser versions and then start blocking connections from clients below minimum settings.

Trying to figure out how to do this but not seeing any straightforward method to collect all web browser versions.

Any thoughts?


*Please like or mark as solution if the answer is helpful!*
L7 Applicator

Re: HIP Checks for Browser Version

Hello,

Sounds like a custom HIP check is your best option.


L6 Presenter

Re: HIP Checks for Browser Version

You can also prevent users from connecting to portals by using a custom check in the portal config.

I prefer @OtakarKlier's suggestion of a custom check as you will be able to log the various versions and deny or accept access accordingly.

Try using HKLM/software/microsoft/internet explorer/svcVersion

L3 Networker

Re: HIP Checks for Browser Version

Thanks for the replies but these steps aren't really getting me to what I need.

When I do the custom check all it says is whether or not the browser exists or is installed on the system.

That registry key shows the value, but the PAN won't just grab the value, it will only try to match on it.

Am I missing something?

Customer also has requested similar functionality around Java versions. This seems like a reasonable request but can't find any way of doing it.

Any other thoughts?


*Please like or mark as solution if the answer is helpful!*
L6 Presenter

Re: HIP Checks for Browser Version

You need to build HIP objects based on your custom search.

You then need to add HIP profiles for your HIP objects.

You can then build security policies to allow or deny traffic flow based on HIP profiles.

You can also send pop-up windows to tell users why they are denied access.

L3 Networker

Re: HIP Checks for Browser Version

I still don't see any way of using these methods to evaluate whether browser or Java versions would be up to date. Especially since the registry key only offers an exact match of a specific value, this whole process seems limited.

Only thing I think could be done is to create dozens of HIP checks matching every single version released and constantly update the firewall every time a new version is released. This sounds completely unrealistic.

I would like a way to do this like the patching or antivirus options which let you say if my patches are out of date for X days I match the AV out of date HIP object. There's no way to say if my version of Java is horribly out of date and I am vulnerable to exploits not to allow a connection?


*Please like or mark as solution if the answer is helpful!*
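
One way to reduce the "minimum version" test to the single exact-match value a custom registry check can handle is to do the comparison on the endpoint and publish the result. The PowerShell below is an added example, not code from any poster in this thread or from the vendor; the `ExampleCorp\Compliance` key, its value names and the minimum version are hypothetical, and it assumes existing endpoint management tooling runs it with rights to write under HKLM.

```powershell
# Added example: collapse "installed version >= minimum" into one registry value.
# The flag key path, value names and threshold are hypothetical placeholders.
$MinimumVersion = [version]'11.0.9600.0'                    # constructed sample threshold
$SourceKey      = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer'
$FlagKey        = 'HKLM:\SOFTWARE\ExampleCorp\Compliance'   # hypothetical key

function Test-MinimumVersion {
    param([string]$Installed, [version]$Minimum)
    $parsed = $null
    # TryParse returns $false for an empty or malformed string instead of throwing,
    # so a missing svcVersion value is treated as noncompliant.
    if (-not [version]::TryParse($Installed, [ref]$parsed)) { return $false }
    # [version] compares numerically per component, so 9.x sorts below 11.x
    # (a plain string comparison would get that wrong).
    return $parsed -ge $Minimum
}

# Read the value named in the thread; a missing key or value yields $null.
$installed = (Get-ItemProperty -Path $SourceKey -Name svcVersion `
                               -ErrorAction SilentlyContinue).svcVersion

$state = if (Test-MinimumVersion -Installed $installed -Minimum $MinimumVersion) {
    'compliant'
} else {
    'noncompliant'
}

# Publish a fixed-vocabulary flag for exact matching, plus the raw version
# string so the versions actually in use can be inventoried.
if (-not (Test-Path $FlagKey)) { New-Item -Path $FlagKey -Force | Out-Null }
Set-ItemProperty -Path $FlagKey -Name BrowserVersionState -Value $state
Set-ItemProperty -Path $FlagKey -Name BrowserVersionSeen  -Value ([string]$installed)
```

Raising the minimum then means changing one variable in the script rather than maintaining a check per released version. The flag is only as trustworthy as the endpoint: a user with local administrator rights can set it by hand.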