08-14-2013 02:08 AM
Hi All,
We are configuring global protect with HIP enabled.
Our requirement is: if the patch defined in the HIP object is missing on the client machine, then access should be denied. The screen below shows the patches (Windows updates) for a Windows 7 machine.
From the above snap I want to use the highlighted update as the match in the HIP object (if this update is missing on the client machine, then deny the access). What should I enter in the "patch" area in the snap given below?
If possible kindly provide more information on this patch management tab.
Regards,
Gururaj
08-14-2013 06:34 AM
Hello Gururaj,
The "Patches" section checks for the patches that are missing. In other words, if we include "Security Update for Microsoft Windows (KB2778344)" under the Patches configuration, the gateway checks whether this patch is missing or not.
The GP clients also report the patches in the same manner, as shown below:
So, you have configured it correctly. Page 34 of the global protect tech note discusses the same:
You can also add the Microsoft Windows Update Agent and Microsoft Windows Automatic Update, to the Patch management settings.
Best regards,
Karthik
08-15-2013 07:28 AM
Hi Karthik,
Thanks for the information,
I want to deny access if "Security Update for Microsoft Windows (KB2778344)" patch is missing in client machine. How to proceed?
Regards,
Gururaj
08-15-2013 08:06 AM
So create a HIP object to match if the patch "Security Update for Microsoft Windows (KB2778344)" is missing, the way you have created it on your firewall. Apply this HIP object to a HIP profile, and use this profile under the gateway. Also create a new policy with this HIP profile and deny the traffic.
BR,
Karthik
08-16-2013 09:00 AM
Hi Karthik,
I created an object by mentioning the patch "Security Update for Microsoft Windows (KB2778344)" in the patch field (Check - Has any) and created a HIP profile too. I applied the profile in a security policy and defined the action as "deny" (meaning if the mentioned patch is missing on the client machine, then deny access). I tried with a machine on which the patch "Security Update for Microsoft Windows (KB2778344)" was present, and the access was allowed (expected).
Again I entered "XXBGH" (which is not a patch) in the patch field and tried with the same machine to connect to the gateway; it connected and I was also able to access the trust network, but access should have been denied as the "XXBGH" patch was not there on the machine (which is not a patch).
I am so confused about this, please I need your help to understand this better. Also let me know the meaning of the field "check - has any, has none & has all". You have uploaded a "Host state" snap in which missing patches are shown; how will it identify that those patches are missing?
Regards,
Guru
08-16-2013 12:35 PM
"Has any": checks if any of the patches specified are missing.
"Has none": excludes the check for the specified missing patches.
"Has all": checks if all the patches are missing.
The GP client has a library which can scan the machine for the current Windows patch status, and that's how it finds out which patches are missing. It relays this information to the gateways.
Plus, if the HIP check is not hitting the correct policy, please verify if the entire certificate chain is included under Trusted Root CA section of portal config, when not using a self signed certificate.
https://live.paloaltonetworks.com/docs/DOC-5492
Best regards,
Karthik RP
08-17-2013 08:35 AM
Hello Gururaj,
If your requirement is 'Deny the access if the required patch is not available' please disable 'Is Installed' under Patch Management of HIP object and under security policy deny the access.
Regards,
Hari Yadavalli
08-19-2013 09:45 PM
Hi Hari,
I unchecked "is installed" but am still facing the problem. If I enter anything in the patch field it is considering it as installed on the client machine. I will explain our requirement once again: I will specify "YYYYY" in the patch field; if this patch is not found on the client machine, then access should be blocked.
Regards,
Gururaj
08-19-2013 09:51 PM
Hi Prakash,
We are using a self-signed certificate. I will explain our requirement once again: I will specify "YYYYY" in the patch field; if this patch is not found on the client machine, then access should be blocked.
Regards,
Gururaj
09-09-2013 09:35 PM
Thank you.
I opened a case for this and got the reply that there is a bug in identifying missing patches in all PAN-OS versions; they have said this will be fixed in the next PAN-OS release, 6.0, which can be expected in December.
Regards,
Gururaj
10-15-2013 07:58 AM
Hello Gururaj,
I understand that you are trying to find out if a patch is missing on your GP Client host machine.
The way that PAN Firewalls are matching the missing patches is by the identifier.
In your example you mentioned the Microsoft Security update "Security Update for Microsoft Windows (KB2778344)"
To match this particular patch you need to reference it by the KB Identifier.
When the GP agent sends the missing patch data to the GP Gateway, it sends the following details in XML format:
<entry>
<title>Security Update for Windows 7 (KB2778344)</title>
<description>A security issue has been identified that could allow an unauthenticated remote attacker to compromise your system and gain access to information. You can help protect your system by installing this update from Microsoft. After you install this update, you may have to restart your system.</description>
<product>Windows 7</product>
<vendor>Microsoft Corporation</vendor>
<info-url>http://go.microsoft.com/fwlink/?LinkId=273872</info-url>
<kb-article-id>2778344</kb-article-id>
<security-bulletin-id>MS13-006</security-bulletin-id>
<severity>2</severity>
<category>0</category>
<is-installed>no</is-installed>
</entry>
To match this in a HIP object, use the data inside the <kb-article-id> field. That would be 2778344.
Hope this answers your question.
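The following is an added illustration, not code from the thread or from Palo Alto Networks: it parses a constructed HIP patch report built from the <entry> fields quoted above and evaluates the "has any" / "has none" / "has all" checks exactly as Karthik describes them, keying the match on <kb-article-id>. The <patch-list> wrapper element and the second KB number are assumptions made for the sample.

```python
import xml.etree.ElementTree as ET

# Constructed sample report. The <patch-list> wrapper is an assumption; the
# <entry> fields mirror those quoted in the thread. KB 9999991 is a made-up id.
SAMPLE_REPORT = """<patch-list>
<entry>
<title>Security Update for Windows 7 (KB2778344)</title>
<kb-article-id>2778344</kb-article-id>
<security-bulletin-id>MS13-006</security-bulletin-id>
<severity>2</severity>
<is-installed>no</is-installed>
</entry>
<entry>
<title>Update for Windows 7 (KB9999991)</title>
<kb-article-id>9999991</kb-article-id>
<security-bulletin-id></security-bulletin-id>
<severity>3</severity>
<is-installed>yes</is-installed>
</entry>
</patch-list>"""


def missing_kbs(report_xml):
    """Return the set of KB ids the agent reports with <is-installed>no</is-installed>."""
    root = ET.fromstring(report_xml)
    missing = set()
    for entry in root.iter("entry"):
        kb = (entry.findtext("kb-article-id") or "").strip()
        installed = (entry.findtext("is-installed") or "").strip().lower()
        if kb and installed == "no":
            missing.add(kb)
    return missing


def hip_patch_match(report_xml, required_kbs, check):
    """Evaluate a HIP object's Patches criterion against one host report.

    check is "has-any", "has-all" or "has-none", with the meanings given in the
    thread: any / all of the listed KBs are missing, or none of them are missing.
    """
    missing = missing_kbs(report_xml)
    required = {str(k).strip() for k in required_kbs}
    if check == "has-any":
        return bool(missing & required)
    if check == "has-all":
        return required <= missing
    if check == "has-none":
        return not (missing & required)
    raise ValueError("unknown check: %r" % check)


def gateway_decision(report_xml, required_kbs, check, action_on_match="deny"):
    """Map the HIP match onto the security rule's action: the rule fires on a match."""
    return action_on_match if hip_patch_match(report_xml, required_kbs, check) else "allow"
```

Note that a label which is not a KB id (the thread's "XXBGH") never appears in the report as missing, so a "has-any" object containing only that label does not match and the deny rule does not fire.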
06-07-2024 09:08 AM
I want to check if we can block connections if a device is missing critical patch (released May 2024) or any other critical patches within the last n months (where n is a user-defined timeframe).
Can this be achieved with HIP configuration?