GlobalProtect check operating system on the portal/gateway without collecting HIP data and using HIP profiles/HIP objects?


L6 Presenter

I found out that you can use the operating system without a HIP object/profile to do things on the Gateway/Portal even if the collection of HIP data is stopped on the Portal.

Portal config: [screenshot: NikolayDimitrov_1-1621011523428.png]

Gateway config: [screenshot: NikolayDimitrov_0-1621011296270.png]

Can someone tell me why, when I try to check whether the operating system is Linux in a HIP object/profile and attach it to a security policy, I get blocked? I see that even without HIP checks the Gateway knows the operating system of the client, even when Portal HIP data collection is stopped.

3 Replies

L7 Applicator

I think that the gateway knowing what operating system the client is using and then using that information to block or allow are two different things. The client is clearly announcing to the gateway what it is because of the software being used.

Was this working for you and then stopped?

LIVEcommunity team member
Stay Secure,
Joe
Don't forget to Like items if a post is helpful to you!

Nothing. My idea is that I am testing the general HIP checks as a new design/project, but we have stopped the HIP data collection option on the portal and it does not work. As I mentioned, though, outside the HIP checks, things like making a split tunnel just for Linux or Windows or Mac etc. devices on the Gateway seem to work in my lab even without the HIP data collection option being enabled on the portal.

So even without HIP data collection being enabled on the portal, the gateway can apply some rules based on the workstation OS or domain, but not a HIP object/profile attached under security policy that checks the operating system. Is this how it works?

For any HIP check, do I need to enable the HIP data collection option on the portal, even if it is just the OS, which the gateway seems to know even before the HIP checks?

Hi @nikoolayy1 ,


I believe you need HIP data collection for HIP checks.

- Data collection will tell the client to generate XML report and submit it to the gateway. It will also tell it what information to add in the report

- Once the FW receives the report it will run it against the configured HIP profiles and check what is matching

- It will then cache/associate that username/source-ip with all matching HIP profiles.

You can see all matching HIP profiles for given user with:

> show user ip-user-mapping ip <ip-address>


I agree with @jdelio that the OS type used as match criteria for the GP client config is not data submitted by the host; it is information the FW detects by identifying what application is used to connect. If you have noticed, in the same way you can configure a different authentication method based on the client OS. If you think about it, this means that the FW needs to know what OS is used even before the user has authenticated. In this case it makes sense for the client OS to be determined by the HTTP User-Agent or any banner the GlobalProtect application sends when it tries to connect. But this information is not kept and it is not used for HIP checks. The information submitted by the client in the HIP report is used for that.
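An added example, written for this thread and not taken from the original posts or from any Palo Alto Networks software, that models the distinction the two replies above draw: the OS family the gateway can derive from the connection banner (usable for agent-config/split-tunnel selection even with HIP collection off) versus a HIP object that can only be evaluated against a submitted HIP report. The banner format, the agent-config list, the HIP object and the trimmed hip-report XML are constructed assumptions, not captured data.

```python
import re
import xml.etree.ElementTree as ET

# --- Signal 1: what the client announces when it connects (no HIP involved) ---

# Constructed sample banners. The format is an assumption modelled on a
# "PAN GlobalProtect/<ver> (<os string>)" User-Agent; only the OS family matters here.
WINDOWS_BANNER = "PAN GlobalProtect/5.2.8 (Microsoft Windows 10 Enterprise , 64-bit)"
LINUX_BANNER = "PAN GlobalProtect/5.2.8 (Linux Ubuntu 20.04)"

_OS_FAMILY_BY_LEADING_WORD = {
    "Microsoft": "Windows", "Linux": "Linux", "Apple": "Mac", "Android": "Android", "iOS": "iOS",
}


def client_os_from_banner(user_agent):
    """Derive the OS family from the connection banner, as the gateway can do
    before authentication. Returns None if the banner is not recognised."""
    m = re.search(r"\(([A-Za-z]+)", user_agent)
    return _OS_FAMILY_BY_LEADING_WORD.get(m.group(1)) if m else None


# Hypothetical gateway agent configs, evaluated top-down: the first whose OS list matches wins.
AGENT_CONFIGS = [
    {"name": "linux-split", "os": ["Linux"], "split_include": ["10.0.0.0/8"]},
    {"name": "windows-full", "os": ["Windows"], "split_include": ["0.0.0.0/0"]},
    {"name": "default", "os": ["any"], "split_include": ["0.0.0.0/0"]},
]


def select_agent_config(os_family, configs=AGENT_CONFIGS):
    """Pick the agent config by announced OS; this needs no HIP report at all."""
    for cfg in configs:
        if "any" in cfg["os"] or os_family in cfg["os"]:
            return cfg
    return None  # unreachable with a catch-all entry, kept for clarity


# --- Signal 2: the HIP report, which exists only when data collection is on ---

# Constructed sample report, trimmed to a host-info category (assumed shape).
SAMPLE_HIP_REPORT = """<hip-report name="hip-report">
  <user-name>alice</user-name>
  <ip-address>10.10.10.23</ip-address>
  <hip-report-version>4</hip-report-version>
  <categories>
    <entry name="host-info">
      <client-version>5.2.8</client-version>
      <os>Linux Ubuntu 20.04</os>
      <os-vendor>Linux</os-vendor>
      <domain>example.local</domain>
      <host-name>lab-linux-01</host-name>
    </entry>
  </categories>
</hip-report>"""


def parse_hip_report(xml_text):
    """Flatten the <categories> of a HIP report into {category: {field: value}}."""
    root = ET.fromstring(xml_text)
    report = {"user-name": root.findtext("user-name"),
              "ip-address": root.findtext("ip-address"),
              "categories": {}}
    for cat in root.findall("./categories/entry"):
        report["categories"][cat.get("name")] = {c.tag: (c.text or "").strip() for c in cat}
    return report


def hip_object_matches(report, criteria):
    """A HIP object modelled as {(category, field): expected}; every criterion must match."""
    return all(report["categories"].get(cat, {}).get(field) == want
               for (cat, field), want in criteria.items())


LINUX_HIP_OBJECT = {("host-info", "os-vendor"): "Linux"}


def security_policy_verdict(hip_report_xml, required_hip_object):
    """A rule carrying a HIP profile can only match a session that submitted a report.
    With collection off the gateway holds no report, so the rule never matches, even for
    a client whose banner already said it is Linux."""
    if hip_report_xml is None:
        return "no-match (no HIP report; enable HIP data collection on the portal)"
    report = parse_hip_report(hip_report_xml)
    return "match" if hip_object_matches(report, required_hip_object) else "no-match"


def session_decision(user_agent, hip_report_xml):
    """Combine both signals for one session the way the thread describes them."""
    os_family = client_os_from_banner(user_agent)
    return {
        "os_family": os_family,
        "agent_config": select_agent_config(os_family)["name"],
        "hip_rule": security_policy_verdict(hip_report_xml, LINUX_HIP_OBJECT),
    }


if __name__ == "__main__":
    print(session_decision(LINUX_BANNER, None))               # collection off
    print(session_decision(LINUX_BANNER, SAMPLE_HIP_REPORT))  # collection on
```

Run as-is: the same Linux client gets the `linux-split` agent config in both calls, but the HIP-based rule only reports `match` when a report is present. On a real gateway, `show user ip-user-mapping ip <ip-address>` is where the matched HIP profiles for that session would be listed.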

  • 2 accepted solutions
  • 2686 Views
  • 3 replies
  • 0 Likes