07-08-2019 02:39 PM
I have a customer that would like to limit GP authentication based upon browser version running on the clients. They would like to collect all browser versions and then start blocking connections from clients below minimum settings.
Trying to figure out how to do this but not seeing any straightforward method to collect all web browser versions.
Any thoughts?
07-09-2019 06:46 AM
Hello,
Sounds like A custom HIP check is your best option.
07-10-2019 05:42 AM
You can also prevent users from connecting to portals by using a custom check in the portal config.
i prefer @OtakarKlier suggestion of a custom check as you will be able to log the various versions and deny or accept access accordingly.
try using HKLM/software/microsoft/internet explorer/svcVersion
07-16-2019 02:42 PM
Thanks for the replies but these steps aren't really getting me to what I need.
When I do the custom check all it says is whether or not the browser exists or is installed on the system.
That registry key shows the value, but the PAN won't just grab the value, it will only try to match on it.
Am I missing something?
Customer also has requested similar functionality around Java versions. This seems like a reasonable request but can't find any way of doing it.
Any other thoughts?
07-16-2019 10:48 PM
You need to build hip objects based on your custom search.
you then need to add hip profiles for your hip objects.
you can then build security policies to allow or deny traffic flow based on hip profiles.
you can also send pop up windows to tell users why they are denied access.
07-17-2019 10:45 AM
I still don't see any way of using these methods to evaluate whether browser or java versions would be up to date. Especially since the registry key only offers an exact match of a specic value this whole process seems limited.
Only thing I think could be done is to create dozens of HIP checks matching every single version released and constantly update the firewall every time a new version is released. This sounds completely unrealistic.
I would like t a way to do this like the patching or antivirus options which let you say if my patches are out of date for X days I match the Av out of date HIP object. There's no way to say if my version of Java is horribly out of date and I am vulnerable to exploits not to allow a connection?
10-06-2020 10:10 AM
Wondering if anyone has any ideas on how to accomplish this yet or if it's just simply not possible with PAN?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
