HIP Profile Windows 11

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

HIP Profile Windows 11

L0 Member

As stated in Where Can I Install the GlobalProtect App? (paloaltonetworks.com) the official client for W11 is > 5.2.10

Personally, I've used version ~5.2.7 without issues, the only thing I noticed was that detected host for HIP Profile was Microsoft Windows 10 Pro. Now that I've updated to version 5.2.10-6, detected host is Microsoft Windows 11 Pro.

 

etoribio_0-1641305326992.png

 

This now comes with an issue. We have in our HIP Profile to allow connection for W10 versions only, but W11 versions are not appearing. One workaround would be to deny all versions listed, except W10 (and indirectly W11).

 

The list of OSs in HIP profile depends on PAN OS? We have version 10.0.0.8-h8

Regards

1 accepted solution

Accepted Solutions

Hi @etoribio ,

I believe the OS list and any other setting you can use in the HIP profile are defined by the GlobalProtect Data File

Which basically means that Palo Alto push updates once in while. Unfortunately it seems the latest update was 07.11.2020 and it looks it applies for all PanOS versions (at least from my environment).

 

There are two possible workarounds:

- For OS vendor choose "Other" and just type "Microsoft Windows 11 Pro". Basically the same string you see from GlobalProtect application under the OS.

Astardzhiev_0-1641311104687.png

I am not 100% if it will work, and cannot test it right now, but in theory at the end it just string comperison between what GlobalProtect app is reporting and what FW config is using.

 

- The other way would be to use custom check and look for registry key that contains the OS version.

Astardzhiev_1-1641311779175.png

 

View solution in original post

2 REPLIES 2

Hi @etoribio ,

I believe the OS list and any other setting you can use in the HIP profile are defined by the GlobalProtect Data File

Which basically means that Palo Alto push updates once in while. Unfortunately it seems the latest update was 07.11.2020 and it looks it applies for all PanOS versions (at least from my environment).

 

There are two possible workarounds:

- For OS vendor choose "Other" and just type "Microsoft Windows 11 Pro". Basically the same string you see from GlobalProtect application under the OS.

Astardzhiev_0-1641311104687.png

I am not 100% if it will work, and cannot test it right now, but in theory at the end it just string comperison between what GlobalProtect app is reporting and what FW config is using.

 

- The other way would be to use custom check and look for registry key that contains the OS version.

Astardzhiev_1-1641311779175.png

 

Cyber Elite
Cyber Elite

@etoribio,

really recommend actually using custom checks to control what builds can connect to your environment. If your saying that Windows 10 devices can just connect, your allowing all builds of Windows 10 including extremely outdated builds that are no longer getting updates. 

 

I personally like getting 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion as a custom check and pulling the CurrentBuildNumber registry value. Then build out custom hip-objects for each build of Windows that you want to allow to connect (ideally just the supported builds) and you can use a HIP-Profile to group supported operating systems. 
This helps to ensure that you aren't allowing outdated Windows 10 builds (or Windows 11 builds going forward). 

 

  • 1 accepted solution
  • 5526 Views
  • 2 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!