HIP Check for Machine Certificate


Hello,

I've been unable to get my HIP check to work when checking for attributes in a machine certificate.  Other HIP checks do work.  I'm using my root cert for the Certificate Profile.  I don't have/use an intermediate cert as this is a lab.  Some of the things I've tried:

1. I configured a certificate profile with the root cert.

2. Portal > Agent > Config Selection Criteria > Device Checks.  I selected the root cert profile.

3. Portal > Agent > App > Machine cert is selected.

4. Portal > Portal Data Collection > Certificate Profile my root cert profile.

5. Portal > Agent - "Collect HIP Data" is selected.

 

I'm verifying the HIP checks using HIP Notification under the Gateway Agent.  Like I said, my other HIP checks are working.  Opening the GlobalProtect settings on a laptop and viewing Host Profile shows the machine name under "Certificate".  The right side of the screen shows the certificate in the form -----BEGIN CERTIFICATE-----.......

I'm using 9.0.3h3 and GP client 5.0.5.

Thanks


Re: HIP Check for Machine Certificate

Have you seen these 2 KB articles about HIP configuration?

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClTnCAK

or

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm5WCAS

 

Have you created your HIP object and the access rule for this?

 

Regards,

Joe


Re: HIP Check for Machine Certificate

Hello,

Thanks for your help.  The second link you posted provided the debugs I needed to solve this issue.  I thought I was receiving the machine certificate judging by the information I saw in the GlobalProtect Settings > Host Profile.  The certificate section showed the machine name.  But I could never fully confirm it.  I could never get the certificate attributes to match.  The second link provided these commands:

 

Debug commands to show the HIP information in the database:

> debug user-id dump hip-profile-database entry
> debug user-id dump hip-report computer <computer-name> ip <global-protect-assigned-ip> user <username>

The first two commands showed the user information and HIP information.  Including the certificate information with attributes in the format needed to setup the values.

 

To gain greater visibility, the hip debugs can be enabled via the CLI commands below. The messages are printed to the 'useridd.log' file.  These commands showed the actual matching for the HIP objects and profiles.

> debug user-id set hip all
> debug user-id on debug
> tail follow yes mp-log useridd.log

 

The next three debug commands allowed me to see why the attribute match was failing.  I was currently trying to match on "issuer".  I could see the value the machine cert provided didn't match my value.  After adjusting it, I received the message from the Gateway > Agent > Hip Notification, that my system passed the HIP check.  I tried other attributes but I can see that the attributes I tried aren't listed in the database.

 

Thanks for your help!
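The root cause in the thread was a mismatch between the issuer value typed into the HIP object and the issuer string the machine certificate actually carries. The script below is an added example, not part of the original thread or of any Palo Alto Networks tooling: it reads the issuer and subject DN out of a PEM certificate with the openssl CLI and compares a configured DN string with the certificate's issuer after normalising both spellings (slash-separated versus comma-separated, with or without spaces). The certificate it generates and the DN values are constructed for the lab scenario; the exact string format PAN-OS expects should still be taken from the `debug user-id dump hip-report` output, which this script does not reproduce. It assumes the openssl CLI is installed.

```shell
#!/bin/sh
# Added example (not from the original thread): check what issuer string a
# machine certificate actually carries before typing a value into the HIP
# object's certificate attribute. Assumes the openssl CLI is installed.
# Paths and DN values below are constructed for the lab scenario.

# Print the issuer DN of a PEM certificate in RFC 2253 form, e.g.
# "CN=Lab Root CA,O=Lab,C=US" (the "issuer=" prefix openssl adds is stripped).
issuer_rfc2253() {
    openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed -e 's/^issuer= *//'
}

# Print the subject DN in the same form, for checking subject-based attributes.
subject_rfc2253() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed -e 's/^subject= *//'
}

# Normalise a DN written in either common style so two spellings of the same
# name compare equal:
#   slash form   "/C=US/O=Lab/CN=Lab Root CA"
#   comma form   "CN=Lab Root CA, O=Lab, C=US"  (any spacing around '=' and ',')
# Output is the RDNs sorted and joined with ','. Values that themselves contain
# ',' or '/' are not handled, which is fine for typical lab CA names.
normalize_dn() {
    printf '%s' "$1" \
        | sed -e 's#^/##' -e 's#/#,#g' -e 's/ *= */=/g' -e 's/, */,/g' \
        | tr ',' '\n' | LC_ALL=C sort | paste -sd ',' -
}

# Return 0 when the configured value names the certificate's issuer, 1 otherwise.
issuer_matches() {
    cert="$1"; configured="$2"
    [ "$(normalize_dn "$(issuer_rfc2253 "$cert")")" = "$(normalize_dn "$configured")" ]
}

# Constructed sample: a throwaway self-signed certificate standing in for the
# lab root CA. Writes key.pem and cert.pem into the given directory.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/C=US/O=Lab/CN=Lab Root CA" \
        -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1
}
```

Usage: export the machine certificate from the endpoint (or use the CA certificate that issued it), run `issuer_rfc2253 cert.pem` to see the exact issuer string, then `issuer_matches cert.pem "<value you put in the HIP object>"` to confirm the two name the same DN before testing against the gateway. A mismatch here is the same class of problem the thread's debug output revealed.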
