Defining patch management in HIP objects.

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Defining patch management in HIP objects.

L4 Transporter

Hi All,

We are configuring global protect with HIP enabled.

Our requirement is, If the patch defined in the HIP object is missing in client machine then access should be denied. Below screen shows the patches (windows updates) for windows 7 machine.

From above snap i want to use the highlighted update as match in HIP object (If this update is missing in client machine then deny the access), what should i enter in "patch" area in below given snap.

If possible kindly provide more information on this patch management tab.

Regards,

Gururaj

11 REPLIES 11

L5 Sessionator

Hello Gururaj,

The "Patches" section, checks for the pathces that are missing. In other words, If we include "Security Update for Microsoft Windows (KB2778344)", under the Patches configuration, the gateway checks if this Patch is missing or not.

The GP clients also reports about the patches, in the same manner, as shown below:

HIP-Patch.JPG

So, you have configured it correctly. Page 34 of the global protect tech note discusses the same:

https://live.paloaltonetworks.com/servlet/JiveServlet/previewBody/2020-102-19-14175/GlobalProtect-Co...

You can also add the Microsoft Windows Update Agent and Microsoft Windows Automatic Update, to the Patch management settings.

HIP-Patch-2.JPG

Best regards,

Karthik

Hi Karthik,

Thanks for the information,

I want to deny access if "Security Update for Microsoft Windows (KB2778344)" patch is missing in client machine. How to proceed?

Regards,

Gururaj

So create a HIP object to match if the patch "Security Update for Microsoft Windows (KB2778344)" is missing, like the way you have created on your firewall. Apply this HIP object to a HIP profile, and use this profile under the gateway. Also create a new policy with this HIP-profile and deny the traffic

missing-patch.JPG

missing-patch-2.JPG

missing patch3.JPG

missing-patch-3.JPG

BR,

Karthik

L4 Transporter

Hi Karthik,

I created object by mentioning patch "Security Update for Microsoft Windows (KB2778344)" in patch field (Check - Has any) and created HIP profile too. Applied the profile in security policy and defined action as "deny"  (means if the mentioned patch is missing in client machine, then deny access).  And  I tried with the machine in which the patch "Security Update for Microsoft Windows (KB2778344)" was there. and the access was allowed(expected).


Again i entered "XXBGH"  (which is not a patch) in patch field and tried with same machine to connect to gateway, connected and also i was able to access trust network but access has to be denied as "XXBGH" patch was not there in the machine (which is not a patch)

I am so confused about this, plz i need your help to understand this better. And also let me know the meaning of field "check- has any, has none & has all. You have uploaded "Host state" snap in which missing patches are shown, How it will identify that those patches are missing.?


Regards,

Guru


"Has any": check if any of the patches specified are missing

"Has none" : exclude check for the specified missing patches.

"Has all", checks if all the Patches are missing.

the GP client has a library which can scan the machine for the current Windows patch status, and thats how it finds out which patches that are missing. And it relays this information to the gateways.

Plus, if the HIP check is not hitting the correct policy, please verify if the entire certificate chain is included under Trusted Root CA section of portal config, when not using a self signed certificate.

https://live.paloaltonetworks.com/docs/DOC-5492

Best regards,

Karthik RP

L5 Sessionator

Hello Gururaj,

If your requirement is 'Deny the access if the required patch is not available' please disable 'Is Installed' under Patch Management of HIP object and under security policy deny the access.

Regards,

Hari Yadavalli

Hi Hari,

Unchecked "is installed" but still facing problem. If i enter anything in patch field it is considering as installed on client machine. I will explain you our requirement once again, I will specify "YYYYY"  in patch field, if this patch is not found in client machine, then access should be blocked.

Regards,

Gururaj

Hi Prakash,

We are using self signed certificate. I will explain you our requirement once again, I will specify "YYYYY"  in patch field, if this patch is not found in client machine, then access should be blocked.

Regards,

Gururaj

L4 Transporter

thank you,..

I opened the case for this, got reply that there is bug in identifying missing patches in all PAN-OS versions and they have said this will be fixed in next PAN-OS release 6.0 which can be expected on December.

Regards,

Gururaj

Hello Gururaj,

I understand that you are trying to find out if a patch is missing on your GP Client host machine.

The way that PAN Firewalls are matching the missing patches is by the identifier.

In your example you mentioned the Microsoft Security update "Security Update for Microsoft Windows (KB2778344)"

To match this particular patch you need to reference it by the KB Identifier.

When GP agent is sending the missing patch data to the GP Gateway it's sending the following details in an XML parsing format :

<title>Security Update for Windows 7 (KB2778344)</title>

                                        <description>A security issue has been identified that could allow an unauthenticated remote attacker to compromise your system and gain access to information. You can help                                    protect your system by installing this update from Microsoft. After you install this update, you may have to restart your system.</description>

                                        <product>Windows 7</product>

                                        <vendor>Microsoft Corporation</vendor>

                                        <info-url>http://go.microsoft.com/fwlink/?LinkId=273872</info-url>

                                        <kb-article-id>2778344</kb-article-id>

                                        <security-bulletin-id>MS13-006</security-bulletin-id>

                                        <severity>2</severity>

                                        <category>0</category>

                                        <is-installed>no</is-installed>

                                </entry>

To match this in a HIP object use the data inside the <kb-article-id> field .  That would be 2778344.

Hope this answers your question.

L1 Bithead

I want to check if we can block connections if a device is missing critical patch (released May 2024) or any other critical patches within the last n months (where n is a user-defined timeframe).

Can this be achieved with HIP configuration?

  • 7922 Views
  • 11 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!