10-11-2020 02:23 PM
Hello,
We have a requirement to implement HIP profiles for GP users.
But first we want to run it in monitor mode, without any enforcement or blocking of any users.
Below are the requirements:
| Requirement | Value |
| --- | --- |
| OS | Windows 10 |
| AV | McAfee |
| AV updates not older than | 5 days |
| Patch management | / |
| Disk encryption | Enabled |
| Firewall | Enabled |
So do I just have to create a HIP object with all these conditions?
And how will I check which machines do not hit these HIP objects?
10-12-2020 06:01 PM
So the thing to remember about HIP is that it never takes any action unless you've specifically told it to. By default, HIP is just going to be informational. What you would do here is just create a HIP Object matching your criteria and commit. The HIP Match logs on the firewall will tell you which connecting clients are matching your HIP Object.
If you want to quickly see what machines aren't meeting your defined HIP parameters, you could do that easily enough by creating two HIP Profiles. You would simply set it to match or NOT match your HIP Object you defined above, and then you could search for either HIP Profile in your logs.
So for an example, let's say that I created a HIP Object called "Secured-Clients" and had it match all the criteria you defined. I would then create two HIP Profiles, with the first being "Trusted-Clients", for example, that would simply match on the "Secured-Clients" HIP Object you created previously. You would then create another HIP Profile called "NonTrusted-Clients" and simply have the match criteria as NOT "Secured-Clients".
When it came to searching who was matching which profile, you can log into the firewall and search the HIP Match logs. To filter on the Trusted-Clients HIP Profile you would simply use the search ( matchname eq Trusted-Clients ) to find everyone who meets your HIP criteria and then ( matchname eq NonTrusted-Clients ) to find everyone who doesn't.
Just keep in mind that nothing will actually take into account your HIP Profiles until you actually configure it to do so. Simply creating new HIP Objects or HIP Profiles will never cause any issues to your existing profiles.
10-23-2020 06:29 AM
Hello @BPry
Thanks, and apologies for getting back to you late.
I have configured HIP profiles but I have a doubt about the syntax.
I have created 4 HIP objects for checking AV, OS, FW and disk encryption for machines in the old domain. To check non-compliant machines I have used the syntax below for the HIP profile:
(not "GP-Internal-AV" or not "GP-Internal-OS" or not "GP-Internal-FW" or not "GP-Internal-DiskEncryption" ) and "GP-Internal-Domain-old"
or do I have to put parentheses like below?
((not "GP-Internal-AV" )or (not "GP-Internal-OS") or (not "GP-Internal-FW" )or (not "GP-Internal-DiskEncryption" ) )and "GP-Internal-Domain-old"
Similarly, for external machines I have the below:
(not "GP-External-AV" or not "GP-External-OS" or not "GP-External-FW" or not "GP-External-DiskEncryption" ) and (not "GP-Internal-Domain-Old" )
or should the syntax be?
((not "GP-External-AV") or (not "GP-External-OS") or (not "GP-External-FW") or (not "GP-External-DiskEncryption" )) and (not "GP-Internal-Domain-New" )
I am confused by the parentheses.
10-24-2020 10:19 AM
The syntax for this is a little weird. You don't actually need to include brackets around things you don't want to group. So in your first example, the syntax that I would use would be:
not ("GP-Internal-AV" or "GP-Internal-OS" or "GP-Internal-FW" or "GP-Internal-DiskEncryption" ) and "GP-Internal-Domain-old"
Likewise your second example I would use:
not ("GP-External-AV" or "GP-External-OS" or "GP-External-FW" or "GP-External-DiskEncryption" ) and not "GP-Internal-Domain-Old"
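Added example (my own code, not from the thread or from PAN-OS): a small evaluator for HIP-profile style match expressions, run over constructed host reports that model the requirements from the first post. It assumes ordinary boolean precedence (not binds tightest, then and, then or), which is what the parentheses question comes down to; under that reading the `(not A or not B ...)` form matches a host failing any check, while `not (A or B ...)` matches only a host failing every check, so it is worth confirming in the HIP Match logs which hosts each profile actually catches.

```python
import re
# Constructed HIP reports for three GlobalProtect hosts (sample data, not real GP output).
HOSTS = {
    "win-ok":      {"os": "Windows 10", "av": "McAfee", "av_defs_age_days": 2,  "disk_enc": True,  "fw": True,  "old_domain": True},
    "win-staleav": {"os": "Windows 10", "av": "McAfee", "av_defs_age_days": 9,  "disk_enc": True,  "fw": True,  "old_domain": True},
    "win-bad":     {"os": "Windows 7",  "av": "Other",  "av_defs_age_days": 30, "disk_enc": False, "fw": False, "old_domain": True},
}

# One HIP object per requirement from the thread, modelled as a predicate over a host report.
HIP_OBJECTS = {
    "GP-Internal-OS": lambda h: h["os"] == "Windows 10",
    "GP-Internal-AV": lambda h: h["av"] == "McAfee" and h["av_defs_age_days"] <= 5,
    "GP-Internal-FW": lambda h: h["fw"],
    "GP-Internal-DiskEncryption": lambda h: h["disk_enc"],
    "GP-Internal-Domain-old": lambda h: h["old_domain"],
}

def evaluate(expression, results):
    """Evaluate a HIP-profile style expression against results (object name -> bool); precedence: not, and, or."""
    toks = re.findall(r'"[^"]+"|\(|\)|\band\b|\bor\b|\bnot\b', expression)
    def primary():
        t = toks.pop(0)
        if t == "not":
            return not primary()
        if t == "(":
            v = or_expr()
            assert toks.pop(0) == ")", "unbalanced parentheses"
            return v
        return results[t.strip('"')]  # a quoted HIP object name
    def binary(op, operand, combine):  # left-associative chain of one operator
        v = operand()
        while toks and toks[0] == op:
            toks.pop(0)
            v = combine(v, operand())
        return v
    and_expr = lambda: binary("and", primary, lambda a, b: a and b)
    or_expr = lambda: binary("or", and_expr, lambda a, b: a or b)
    v = or_expr()
    assert not toks, "unexpected trailing tokens"
    return v

def matching_hosts(expression, hosts=HOSTS):
    """Sorted names of hosts whose HIP object results satisfy the profile expression."""
    return sorted(name for name, h in hosts.items()
                  if evaluate(expression, {o: bool(p(h)) for o, p in HIP_OBJECTS.items()}))

# The thread's two "non-compliant" expressions; under boolean precedence they select different hosts.
ANY_CHECK_FAILS = '(not "GP-Internal-AV" or not "GP-Internal-OS" or not "GP-Internal-FW" or not "GP-Internal-DiskEncryption") and "GP-Internal-Domain-old"'
ALL_CHECKS_FAIL = 'not ("GP-Internal-AV" or "GP-Internal-OS" or "GP-Internal-FW" or "GP-Internal-DiskEncryption") and "GP-Internal-Domain-old"'
```

Running `matching_hosts` on the two constants shows the difference directly: the first returns every host with at least one failed check, the second only the host that fails all four.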
10-30-2020 04:35 AM
@BPry Thanks. This works. Thanks for your help as always 🙂