HIP Checks for Browser Version


L3 Networker

I have a customer that would like to limit GP authentication based upon browser version running on the clients. They would like to collect all browser versions and then start blocking connections from clients below minimum settings.

Trying to figure out how to do this but not seeing any straightforward method to collect all web browser versions.

Any thoughts?

6 REPLIES

Cyber Elite

Hello,

Sounds like a custom HIP check is your best option.

L7 Applicator

You can also prevent users from connecting to portals by using a custom check in the portal config.

I prefer @OtakarKlier's suggestion of a custom check, as you will be able to log the various versions and deny or accept access accordingly.

Try using HKLM/software/microsoft/internet explorer/svcVersion

Thanks for the replies but these steps aren't really getting me to what I need.

When I do the custom check all it says is whether or not the browser exists or is installed on the system.

That registry key shows the value, but the PAN won't just grab the value, it will only try to match on it.

Am I missing something?

Customer also has requested similar functionality around Java versions. This seems like a reasonable request but can't find any way of doing it.

Any other thoughts?

You need to build HIP objects based on your custom search.

You then need to add HIP profiles for your HIP objects.

You can then build security policies to allow or deny traffic flow based on HIP profiles.

You can also send pop-up windows to tell users why they are denied access.

I still don't see any way of using these methods to evaluate whether browser or Java versions would be up to date. Especially since the registry key only offers an exact match of a specific value, this whole process seems limited.

Only thing I think could be done is to create dozens of HIP checks matching every single version released and constantly update the firewall every time a new version is released. This sounds completely unrealistic.

I would like a way to do this like the patching or antivirus options, which let you say if my patches are out of date for X days I match the AV out of date HIP object. There's no way to say if my version of Java is horribly out of date and I am vulnerable to exploits not to allow a connection?

L3 Networker

Wondering if anyone has any ideas on how to accomplish this yet or if it's just simply not possible with PAN?
