HIP Notification question

L4 Transporter

Hi,

 

A question regarding HIP notifications.

 

I have enabled HIP notifications for GP clients connecting in and they trigger when a violation of the HIP profile is detected e.g. firewall turned off, but just wanted to clarify something in the Palo documentation. 

 

Palo documentation below seems to indicate that the HIP profile needs to be attached to a security policy rule before the HIP notification is triggered, but it seems to trigger correctly whether it is attached to a security policy rule or not. I have tried 'any' and 'no-hip' in the source device section of a security policy rule and it seems to trigger either way.

 

(two screenshots of the Palo Alto documentation attached)

Any clarification on the Palo documentation would be appreciated.

 

Thanks in advance.


L4 Transporter

Update here:

 

Reading some additional documentation, it does seem to indicate that the HIP notification message is displayed when HIP data is sent to the GP gateway from the GP client upon connection, and a defined HIP profile is matched or not matched (depending on your config). The HIP profile is then enforced when it is attached to a security policy rule (allow or deny).
 
I have attached a few articles for you to review.
 
How do users know if their systems are compliant
 
Leveraging Host Information profiles
 
Configure HIP-Based policy enforcement
 
@BPry @reaper could you clarify or confirm the above?

Cyber Elite

@Ben-Price,

So HIP Notifications themselves would trigger when the matching HIP Profile is matched as you've configured. When you include the HIP Profile as a condition in the security policy it's used as matching criteria (i.e., it would only match if the specified HIP Profile is triggered on the endpoint in question). These both utilize HIP Profiles to function, but they perform different functions. You don't have to use a HIP Profile in a security policy to use it as a HIP Notification match.

L4 Transporter

@BPry Thanks for the feedback.

 

Is there a way of implementing the below scenario?

 

Scenario:

We have a “Staff” Global Protect client profile and a “Contractor” Global Protect client profile. HIP checks (Device Compliance) for Staff and Contractor will obviously be different.

How can we perform HIP notifications that are relevant to the client profile being used?

 

E.g. we don't want to notify when a "contractor's" device is not Active Directory domain joined because we don't expect it to be domain joined (Contractors have much less access than Staff). But we do want to notify Staff if their device is not domain joined (the Staff profile provides more access; therefore, more compliance is required).

Cyber Elite

@Ben-Price,

Since this is done at the Gateway level the easiest way would be to just create two separate gateways. One gateway for your "Staff" clients and another for the "Contractor" clients. You would just direct access to the proper gateway via the Portal agent configurations if you didn't want to create a completely separate Portal for your contractors.

L4 Transporter

@BPry OK. A few further questions:

 

Are the HIP profiles evaluated in a top down order?

 

Does a client have to match all the requirements of a HIP profile for the notification to trigger e.g. if 2 profiles require firewall to be on, but have other different attributes like anti-virus requirements. Does the client match the first HIP profile in the list or does it have to match all attributes of the HIP profile?

 

Will a HIP notification trigger when an endpoint tries to send traffic through a security policy rule that has a HIP profile assigned or does the notification only trigger when the client connects?

Are the HIP profiles evaluated in a top down order?

I'm not exactly sure what you are asking here. The HIP Profiles are just a collection of matching HIP Objects that you've specified, so as long as the client matches all of the HIP Objects in the HIP Profile it'll "match" the HIP Profile. All of this is done at exactly the same time, so there's no top/down matching from a HIP aspect. If I have multiple profiles that a client matches, every matching profile will match for that client.

Hopefully that makes sense.

 

Does a client have to match all the requirements of a HIP profile for the notification to trigger e.g. if 2 profiles require firewall to be on, but have other different attributes like anti-virus requirements. Does the client match the first HIP profile in the list or does it have to match all attributes of the HIP profile?

You may be interchanging HIP Profile when you're talking about HIP Objects? A HIP Profile is only matched when all of its match criteria are matched. So if I built out a HIP Profile ("Issued-Win10-Device") that said to match on my "Supported-Win10-Build" HIP Object and "Issued-Device" HIP Object, only clients matching on the "Supported-Win10-Build" and "Issued-Device" HIP Objects would match my "Issued-Win10-Device" profile. If you only matched one object or the other it wouldn't match the profile.

 

Will a HIP notification trigger when an endpoint tries to send traffic through a security policy rule that has a HIP profile assigned or does the notification only trigger when the client connects?

The actual HIP Notification will only trigger when the client connects. It won't re-trigger every time it hits a security policy that includes the HIP Profile as matching criteria. These two features are independent of each other.
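The relationships described in the reply above (HIP objects AND-ed into a profile, all profiles evaluated together with no top-down order, notifications fired once at connect, and the security policy using the profile only as source match criteria), written out as a small model. This is an added example, not code from the thread or from Palo Alto Networks; the object names, profile names and host report are constructed, and treating 'no-hip' as "the client submitted no HIP report" is an assumption.

```python
from typing import Optional

# Constructed HIP objects: name -> attributes the host report must satisfy.
HIP_OBJECTS = {
    "Firewall-On": {"firewall_enabled": True},
    "AV-Current": {"av_installed": True, "av_current": True},
    "Supported-Win10-Build": {"os": "win10", "build_supported": True},
    "Issued-Device": {"domain_joined": True},
}

# Constructed HIP profiles: a profile matches only when ALL its objects match.
HIP_PROFILES = {
    "Issued-Win10-Device": ["Supported-Win10-Build", "Issued-Device"],
    "Baseline-Compliant": ["Firewall-On", "AV-Current"],
}

def object_matches(obj: str, report: dict) -> bool:
    return all(report.get(k) == v for k, v in HIP_OBJECTS[obj].items())

def profile_matches(profile: str, report: dict) -> bool:
    return all(object_matches(o, report) for o in HIP_PROFILES[profile])

def evaluate_profiles(report: dict) -> dict:
    # Every profile is checked against the same report at once; a client can
    # match several profiles, and there is no first-match/top-down ordering.
    return {p: profile_matches(p, report) for p in HIP_PROFILES}

def notifications_at_connect(report: dict, notify_on: dict) -> list:
    # notify_on: profile -> "match" or "not-match". Fired once, when the client
    # submits its HIP report at connect time, independent of security policy.
    results = evaluate_profiles(report)
    return sorted(p for p, mode in notify_on.items()
                  if results[p] == (mode == "match"))

def rule_source_hip_matches(rule_hip: str, report: Optional[dict]) -> bool:
    # Security policy "source HIP profile": "any" matches every client,
    # "no-hip" (assumed) only clients with no HIP report, otherwise the named
    # profile must match. Evaluated per session; never raises a notification.
    if rule_hip == "any":
        return True
    if rule_hip == "no-hip":
        return report is None
    return report is not None and profile_matches(rule_hip, report)

# Constructed host report: an issued staff laptop with its firewall turned off.
STAFF_REPORT = {"os": "win10", "build_supported": True, "domain_joined": True,
                "firewall_enabled": False, "av_installed": True, "av_current": True}
```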

L4 Transporter

Awesome thanks @BPry that has cleared things up.

  • 1 accepted solution
  • 5702 Views
  • 7 replies
  • 0 Likes