HIP Checks for missing patches for multiple vendors on one gateway


L3 Networker

Hi All, 

 

I recently worked an issue where a user wanted HIP alerts displayed for users if they are missing iOS, Apple or Windows patch updates. There is sometimes some confusion with regard to the match / not match messages, and there is a known issue with HIP checks on Macs. The below document hopefully clears some of this up, and I have generated a workaround for the MacBook check.

 

Objective:

Alert users of iOS, MacBook and Windows devices if they are not on the latest patch of Windows updates or Apple software.

 

Known issue with the missing patches HIP check on a Mac:

77018   GlobalProtect agent fails to report missing patches on devices running on Mac OS.

Workaround: specify the latest version of the OS, manually type in the missing number if applicable, and check for this.

 

Steps:

I got the desired results following the below set of details / guidelines and have gathered screenshots as I went.

 

HIP objects

The first thing is to create HIP objects to check. I created one for the device explicitly and one to see if it has all patches installed [Windows], is on the latest release of iOS [iPhone], or is on the latest release [10.11.3] on the MacBook.

 

hip-objects.png

 

I found that MacBook OS 10.11.3 was not on the list below originally. I then selected version 10.11 and added the .3, and the PAN device accepted this. Due to the known issue, instead of checking for missing patches the conventional way, I checked the OS release of the MacBook, which is effectively the patches / security fixes Apple rolls out, whereas Windows patches are slightly different.

 

mac-version.png

 

 

HIP Profiles

I set up the three conditions as below, then created a fourth condition that asks if any of the three checks above are true.

 

 

hip-profiles.png

 

 

 

 

Gateway alert

 

We put this "if any is true" condition into the alert on the Gateway. Again, this will alert if an iOS, MacBook or Windows device doesn’t have the latest release of code or the latest Windows updates respectively.

I verified with testing; you have to adjust the match / not match statements to match.

For example:

You just need to have the one HIP alert that checks if any device is missing the updates, link below.

 

 

alert.png

 

Matched message – a device has connected that is an iOS, Mac or Windows device that does not have the latest code or all the security patches.

Not matched message is null and not enabled.

 

 

alert2.png

 

 

The above will alert users if they connect on an iOS device, Windows device or MacBook that is not on the latest patch. The workaround is only valid as long as the latest Mac OS is 10.11.3.

 

Hope this helps.

 

regards, 

 

Robert D 
