How to Configure GlobalProtect for Custom Registry Check on Windows

84058
Created On 09/25/18 19:38 PM - Last Modified 04/21/20 00:20 AM


Symptom


This article explains how to use a HIP custom check to match Windows registry entries, and how to use that information to allow or deny traffic in the security policies.



Environment


  • PAN-OS 7.1.5
  • GlobalProtect Agent 3.1.3
  • Any Palo Alto Networks firewall


Resolution


About this example and scope of this article

  • The Palo Alto Networks firewall used in this example is running PAN-OS 7.1.5 with GlobalProtect 3.1.3. The same method can be used on newer PAN-OS versions.
  • This article does not cover the full configuration of GlobalProtect; it covers only configuring the firewall and the client to check for registry keys, assuming you already have GlobalProtect configured and connecting fine. For configuring GlobalProtect itself, refer to the linked article.
  • A GlobalProtect license is required to use this feature.

Part 1: Configuring GlobalProtect to check for registry keys

  1. Go to the Windows machine where the registry key exists. In this example, we will be checking the following registry key; the information used in the firewall configuration is highlighted in the screenshot:

[Screenshot: 1_windows_registry.JPG]

  2. Then, in the firewall GUI, go to Network > GlobalProtect > Portals. Click on the desired Portal, go to the Agent tab, and click on the desired Config:

[Screenshot: 2_GP_portal_config.PNG]

  3. Go to the Data Collection tab, click on the Custom Checks tab, click on Windows, and then click on Add:

[Screenshot: 3_GP_DC_config.PNG]

  4. In the Registry Key window, fill in the registry key information, and click OK:

[Screenshot: 4_GP_RK_config.PNG]

  5. The Portal configuration is now done. Go to Objects > GlobalProtect > HIP Objects, and click on Add. In the General tab, give the object a name:

[Screenshot: 6_HIPO_config.PNG]

  6. Go to the Custom Checks tab, check Custom Checks, go to the Registry Key tab, and click on Add:

[Screenshot: 7_HIPO_2_config.PNG]

  7. In the next window, enter the Registry Key, and click on Add to fill in the values:

[Screenshot: 8_HIPO_3_config.PNG]

Note: When you have multiple registry keys specified in the Objects > HIP Objects > Custom Checks > Registry Key tab, as long as one of the registry checks passes, it is considered a HIP match. The registry keys are combined with 'OR' logic.

  8. Now, go to Objects > GlobalProtect > HIP Profiles, and click on Add. Give it a name and add the Object created earlier:

[Screenshot: 9_HIPP_config.PNG]

Part 2: Verification

  1. Once the client is connected to the Portal, the entry is seen in the Host State tab:

[Screenshot: 12_GP_hoststate.PNG]

  2. Also, in the firewall GUI, go to Monitor > Logs > HIP Match. You will see a log for the match on the configured registry key:

[Screenshot: 10_HIP_report_1.PNG]

Clicking the log details shows the detailed information:

[Screenshot: 11_HIP_report_2.PNG]

  3. HIP report information can also be obtained through the CLI:

admin@PA-VM(active)> debug user-id dump hip-profile-database entry 

Total number of hipmask in database: 2
Total number of logout records in database: 13
Total size of hip reports: 1050KB used / 163840KB
 Entry : 1
 User : hzayed
 Computer : HZAYED-WIN7
 IP : 192.168.100.1
 TTL : 9957
 VSYS : vsys1
 MD5 : cc75bc57a42c1365ffc18149e42db26
 Mobile ID : 
 MDM MD5 : 
 Last Checkin Time : 
 Jail Broken : 0

1-1 records shown


admin@PA-VM(active)> debug user-id dump hip-report computer HZAYED-WIN7 user hzayed ip 192.168.100.1

<?xml version="1.0" encoding="UTF-8"?>
<hip-report>
 <md5-sum>cc75bc57a42c1365ffc18149e42db26</md5-sum>
 <user-name>hzayed</user-name>
 <domain></domain>
 <host-name>HZAYED-WIN7</host-name>
 <host-id>0892c1cb-26ae-4467-8fa1-cf3fd818a918</host-id>
 <ip-address>192.168.100.1</ip-address>
 <generate-time>11/03/2016 09:36:59</generate-time>
.
.
[SNIP]
.
.
 <custom-checks>
 <registry-key>
 <entry name="HKEY_LOCAL_MACHINE\SOFTWARE\Intel\PSIS\PSIS_DECODER">
 <exist>yes</exist>
 <value></value>
 <registry-value>
 <entry name="GraphFile">
 <exist>yes</exist>
 <value>\\psistest.grf</value>
 </entry>
 </registry-value>
 </registry-key>
 </custom-checks>
</hip-report>
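As an added example that is not part of this article or of GlobalProtect, the following Python script evaluates the <custom-checks> section of a HIP report like the one dumped above against a HIP object's registry-key checks, applying the OR logic across keys described in the note in Part 1. The constructed sample report and the rule that every listed value under a key must match are this example's own assumptions.

```python
# Added example, not code from the Palo Alto article or GlobalProtect itself:
# evaluate the <custom-checks> part of a HIP report (the XML printed by
# "debug user-id dump hip-report") against a HIP object's registry-key checks.
# Per the article, keys in one HIP object are OR'ed. Requiring every listed
# value under a key to match is this example's assumption, not the article's.
import xml.etree.ElementTree as ET

# Constructed sample, trimmed to the part of the report these checks read.
SAMPLE_HIP_REPORT = r"""<?xml version="1.0" encoding="UTF-8"?>
<hip-report>
 <custom-checks>
  <registry-key>
   <entry name="HKEY_LOCAL_MACHINE\SOFTWARE\Intel\PSIS\PSIS_DECODER">
    <exist>yes</exist>
    <value></value>
    <registry-value>
     <entry name="GraphFile">
      <exist>yes</exist>
      <value>\\psistest.grf</value>
     </entry>
    </registry-value>
   </entry>
  </registry-key>
 </custom-checks>
</hip-report>"""

def parse_registry_keys(report_xml):
    """Map lower-cased key path -> {"exist": bool, "values": {name: data}}."""
    root = ET.fromstring(report_xml)
    keys = {}
    for key in root.findall("./custom-checks/registry-key/entry"):
        values = {}
        for val in key.findall("./registry-value/entry"):
            if val.findtext("exist") == "yes":  # only values the agent found
                values[val.get("name")] = val.findtext("value") or ""
        keys[key.get("name").lower()] = {  # Windows key names are case-insensitive
            "exist": key.findtext("exist") == "yes", "values": values}
    return keys

def hip_object_matches(report_xml, checks):
    """checks: list of (key_path, {value_name: expected_data}). True when
    any key exists and all of its listed values match (OR across keys)."""
    keys = parse_registry_keys(report_xml)
    for key_path, expected in checks:
        found = keys.get(key_path.lower())
        if found and found["exist"] and all(
                found["values"].get(n) == d for n, d in expected.items()):
            return True
    return False
```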


Part 3: Use the HIP Profile in the Security Policy

Once you have verified that the user matches the HIP profile, you can configure specific Security Rules that match this profile:

[Screenshot: 13_SR_HIP.PNG]



Additional Information


See also

How to Configure HIP for Missing Microsoft Patches

HIP checks are not logged and traffic is allowed when HIP match fails



https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClbKCAS&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail