Defining patch management in HIP objects.

Reply
Highlighted
L4 Transporter

Defining patch management in HIP objects.

Hi All,

We are configuring global protect with HIP enabled.

Our requirement is, If the patch defined in the HIP object is missing in client machine then access should be denied. Below screen shows the patches (windows updates) for windows 7 machine.

From above snap i want to use the highlighted update as match in HIP object (If this update is missing in client machine then deny the access), what should i enter in "patch" area in below given snap.

If possible kindly provide more information on this patch management tab.

Regards,

Gururaj

Highlighted
L5 Sessionator

Hello Gururaj,

The "Patches" section, checks for the pathces that are missing. In other words, If we include "Security Update for Microsoft Windows (KB2778344)", under the Patches configuration, the gateway checks if this Patch is missing or not.

The GP clients also reports about the patches, in the same manner, as shown below:

HIP-Patch.JPG

So, you have configured it correctly. Page 34 of the global protect tech note discusses the same:

https://live.paloaltonetworks.com/servlet/JiveServlet/previewBody/2020-102-19-14175/GlobalProtect-Co...

You can also add the Microsoft Windows Update Agent and Microsoft Windows Automatic Update, to the Patch management settings.

HIP-Patch-2.JPG

Best regards,

Karthik

Highlighted
L4 Transporter

Hi Karthik,

Thanks for the information,

I want to deny access if "Security Update for Microsoft Windows (KB2778344)" patch is missing in client machine. How to proceed?

Regards,

Gururaj

Highlighted
L5 Sessionator

So create a HIP object to match if the patch "Security Update for Microsoft Windows (KB2778344)" is missing, like the way you have created on your firewall. Apply this HIP object to a HIP profile, and use this profile under the gateway. Also create a new policy with this HIP-profile and deny the traffic

missing-patch.JPG

missing-patch-2.JPG

missing patch3.JPG

missing-patch-3.JPG

BR,

Karthik

Highlighted
L4 Transporter

Hi Karthik,

I created object by mentioning patch "Security Update for Microsoft Windows (KB2778344)" in patch field (Check - Has any) and created HIP profile too. Applied the profile in security policy and defined action as "deny"  (means if the mentioned patch is missing in client machine, then deny access).  And  I tried with the machine in which the patch "Security Update for Microsoft Windows (KB2778344)" was there. and the access was allowed(expected).


Again i entered "XXBGH"  (which is not a patch) in patch field and tried with same machine to connect to gateway, connected and also i was able to access trust network but access has to be denied as "XXBGH" patch was not there in the machine (which is not a patch)

I am so confused about this, plz i need your help to understand this better. And also let me know the meaning of field "check- has any, has none & has all. You have uploaded "Host state" snap in which missing patches are shown, How it will identify that those patches are missing.?


Regards,

Guru


Highlighted
L5 Sessionator

"Has any": check if any of the patches specified are missing

"Has none" : exclude check for the specified missing patches.

"Has all", checks if all the Patches are missing.

the GP client has a library which can scan the machine for the current Windows patch status, and thats how it finds out which patches that are missing. And it relays this information to the gateways.

Plus, if the HIP check is not hitting the correct policy, please verify if the entire certificate chain is included under Trusted Root CA section of portal config, when not using a self signed certificate.

https://live.paloaltonetworks.com/docs/DOC-5492

Best regards,

Karthik RP

L5 Sessionator

Hello Gururaj,

If your requirement is 'Deny the access if the required patch is not available' please disable 'Is Installed' under Patch Management of HIP object and under security policy deny the access.

Regards,

Hari Yadavalli

Highlighted
L4 Transporter

Hi Hari,

Unchecked "is installed" but still facing problem. If i enter anything in patch field it is considering as installed on client machine. I will explain you our requirement once again, I will specify "YYYYY"  in patch field, if this patch is not found in client machine, then access should be blocked.

Regards,

Gururaj

Highlighted
L4 Transporter

Hi Prakash,

We are using self signed certificate. I will explain you our requirement once again, I will specify "YYYYY"  in patch field, if this patch is not found in client machine, then access should be blocked.

Regards,

Gururaj

Highlighted
L4 Transporter

thank you,..

I opened the case for this, got reply that there is bug in identifying missing patches in all PAN-OS versions and they have said this will be fixed in next PAN-OS release 6.0 which can be expected on December.

Regards,

Gururaj

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!