- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
11-23-2021 09:00 PM
Hi,
A question regarding HIP notifications.
I have enabled HIP notifications for GP clients connecting in and they trigger when a violation of the HIP profile is detected e.g. firewall turned off, but just wanted to clarify something in the Palo documentation.
Palo documentation below seems to indicate that the HIP profile needs to be attached to a security policy rule before the HIP notification is triggered, but it seems to trigger correctly whether it is attached to a security policy rule or not. I have tried 'any' and 'no-hip' in the source device section of a security policy rule and it seems to trigger either way.
Any clarification on the Palo documentation would be appreciated?
Thanks in advance.
11-29-2021 06:09 PM
Are the HIP profiles evaluated in a top down order?
I'm not exactly sure what you are asking here. The HIP Profiles are just a collection of matching HIP Objects that you've specified, so as long as the client matches all of the HIP Objects in the HIP Profile it'll "match" the HIP Profile. All of this is done at exactly the same time, so there's no top/down matching from a HIP aspect. If I have multiple profiles that a client all matches, every matching profile will match for that client.
Hopefully that makes sense.
Does a client have to match all the requirements of a HIP profile for the notification to trigger e.g. if 2 profiles require firewall to be on, but have other different attributes like anti-virus requirements. Does the client match the first HIP profile in the list or does it have to match all attributes of the HIP profile?
You may be interchanging HIP Profile when you're talking about HIP Objects? A HIP Profile is only matched when all of it's match criteria is matched. So if I built out a HIP Profile ("Issued-Win10-Device") that said to match on my "Supported-Win10-Build" HIP Object and "Issued-Device" HIP Object, only clients matching on the "Supported-Win10-Build" and "Issued-Device" HIP Objects would match my "Issued-Win10-Device" profile. If you only matched one object or the other it wouldn't match the profile.
Will a HIP notification trigger when an endpoint tries to send traffic through a security policy rule that has a HIP profile assigned or does the notification only trigger when the client connects?
The actual HIP Notification will only trigger when the client connects. It won't re-trigger every time it hits a security policy that includes the HIP Profile as matching criteria. These two features are independent of each other
11-28-2021 09:58 PM
Update here:
11-28-2021 10:06 PM
So HIP Notifications themselves would trigger when the matching HIP Profile is matched as you've configured. When you include the HIP Profile as a condition in the security policy it's used as matching criteria (IE: It would only match if the specified HIP Profile is triggered on the endpoint in question). These both utilize HIP Profiles to function, but they perform different functions. You don't have to use a HIP Profile in a security policy to use it as a HIP Notification match.
11-28-2021 10:15 PM
@BPry Thanks for the feedback.
Is there a way of implementing the below scenario.
Scenario:
We have a “Staff” Global Protect client profile and a “Contractor” Global Protect client profile. HIP checks (Device Compliance) for Staff and Contractor will obviously be different.
How can we perform HIP notifications that are relevant to the client profile being used.
Eg. We don’t want to notify when a “contractor’s” device is not Active directory domain joined because we don’t expect it to be domain joined (Contractors have much less access than Staff). But we do want to notify Staff if their device is not domain joined (Staff profile provide mores access therefore, more compliance is required)
11-28-2021 10:25 PM
Since this is done at the Gateway level the easiest way would be to just create two separate gateways. One gateway for your "Staff" clients and another for the "Contractor" clients. You would just direct access to the proper gateway via the Portal agent configurations if you didn't want to create a completely separate Portal for your contractors.
11-29-2021 02:27 PM
@BPry OK. A few further questions:
Are the HIP profiles evaluated in a top down order?
Does a client have to match all the requirements of a HIP profile for the notification to trigger e.g. if 2 profiles require firewall to be on, but have other different attributes like anti-virus requirements. Does the client match the first HIP profile in the list or does it have to match all attributes of the HIP profile?
Will a HIP notification trigger when an endpoint tries to send traffic through a security policy rule that has a HIP profile assigned or does the notification only trigger when the client connects?
11-29-2021 06:09 PM
Are the HIP profiles evaluated in a top down order?
I'm not exactly sure what you are asking here. The HIP Profiles are just a collection of matching HIP Objects that you've specified, so as long as the client matches all of the HIP Objects in the HIP Profile it'll "match" the HIP Profile. All of this is done at exactly the same time, so there's no top/down matching from a HIP aspect. If I have multiple profiles that a client all matches, every matching profile will match for that client.
Hopefully that makes sense.
Does a client have to match all the requirements of a HIP profile for the notification to trigger e.g. if 2 profiles require firewall to be on, but have other different attributes like anti-virus requirements. Does the client match the first HIP profile in the list or does it have to match all attributes of the HIP profile?
You may be interchanging HIP Profile when you're talking about HIP Objects? A HIP Profile is only matched when all of it's match criteria is matched. So if I built out a HIP Profile ("Issued-Win10-Device") that said to match on my "Supported-Win10-Build" HIP Object and "Issued-Device" HIP Object, only clients matching on the "Supported-Win10-Build" and "Issued-Device" HIP Objects would match my "Issued-Win10-Device" profile. If you only matched one object or the other it wouldn't match the profile.
Will a HIP notification trigger when an endpoint tries to send traffic through a security policy rule that has a HIP profile assigned or does the notification only trigger when the client connects?
The actual HIP Notification will only trigger when the client connects. It won't re-trigger every time it hits a security policy that includes the HIP Profile as matching criteria. These two features are independent of each other
11-29-2021 10:25 PM
Awesome thanks @BPry that has cleared things up.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!