HIP Check for Machine Certificate

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Palo Alto Networks Approved
Palo Alto Networks Approved
Community Expert Verified
Community Expert Verified

HIP Check for Machine Certificate

L2 Linker

Hello,

I've been unable to get my HIP check to work when checking for attributes in a machine certificate.  Other HIP checks do work.  I'm using my root cert for the Certificate Profile.  I don't have/use a intermediate cert as this is a lab.  Some of the things I've tried.

1. I configured a certificate profile with the root cert.

2. Portal > Agent > Config Selection Criteria > Device Checks.  I selected the root cert profile.

3. Portal > Agent > App > Machine cert is selected.

4. Portal > Portal Data Collection > Certificate Profile my root cert profile.

5. Portal > Agent - "Collect HIP Data" is selected.

 

I'm verifying the HIP checks using HIP Notification under the Gateway Agent.  Like I said, my other HIP checks are working.  Opening the GlobalProtect settings on a laptop and viewing Host Profile, shows the machine name under "Certificate".  The right side of the screen shows the certificate in the form -----BEGIN CERTIFICATE----.......

I'm using 9.0.3h3 and GP client 5.0.5.

Thanks

8 REPLIES 8

L7 Applicator

Have you seen these 2 KB articles about HIP configuration?

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClTnCAK

or

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm5WCAS

 

Have you created your HIP object and the access rule for this?

 

Regards,

Joe

LIVEcommunity team member
Stay Secure,
Joe
Don't forget to Like items if a post is helpful to you!

Hello,

Thanks for your help.  The second link you posted provided the debugs I needed to solve this issue.  I thought I was receiving the machine certificate judging by the information I saw in the GlobalProtect Settings > Host Profile.  The certificate section showed the machine name.  But I could never fuly confirm it.  I could never get the certificate attributes to match.  The second link provided these commands:

 

Debug commands to show the HIP information in the database:

> debug user-id dump hip-profile-database entry
> debug user-id dump hip-report computer <computer-name> ip <global-protect-assigned-ip> user <username>

The first two commands showed the user information and HIP information.  Including the certificate information with attributes in the format needed to setup the values.

 

To gain greater visibility, the hip debugs can be enabled via the CLI commands below. The messages are printed to the 'useridd.log' file.  These commands showed the actual matching for the HIP objects and profiles.

> debug user-id set hip all
> debug user-id on debug
> tail follow yes mp-log useridd.log

 

The next three debug commands allowed me to see why the attribute match was failing.  I was currently trying to match on "issuer".  I could see the value the machine cert provided didn't match my value.  After adjusting it, I received the message from the Gateway > Agent > Hip Notification, that my system passed the HIP check.  I tried other attributes but I can see that the attributes I tried aren't listed in the database.

 

Thanks for your help!

L0 Member

I too am having a similar issue. Setup a new portal/gateway with SAML auth. Want to do a HIP check for a valid machine certificate but not looking to do pre-logon. Machine Certificate is loaded in the Local Computer\Personal\Certifcates store per Palo instructions. Subject shows machine name. our domain.com. Problem is, when I open the GP Client GlobalProtect Settings and go to the Host Profile tab, all I see is the word "certificate" at the bottom of the left window with no information in the right window about the cert. As such, it is not sending it to the portal during the HIP submission process. Any thoughts as to why the GP client is not seeing the certificate info. Oddly, in the PanGPS.log file on the client, it says it found the machine cert in the machine store. Has the correct hash etc. Just is not passing it up to the portal.

Any help would be appreciated.

Hi, I have te same issue, any update with this ?

 

Got the same issue and haven't found anything on PA sites, but found comment on reddit that you can check for a valid client certificate as part of the authentication process, but not as a HIP check. So it seems that it doesn't collect this information unless it's part of the authentication, which sounds strange.

But It doesn't work when you will use SAML auth.. ;/

L0 Member

I have similar problems with Prisma Access.

EDIT: Got this working. My Machine certificate was misplaced to my personal storage at first.

Ron, do you mind telling me what was wrong with the issue value you were using, or what is the format we should use? I have tried different formats but still no able to make it match the issuer value. The thing is I'm trying to do it on Prisma Access so I can't run the commands to troubleshoot. Thanks!

  • 17828 Views
  • 8 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!