01-04-2022 06:10 AM
As stated in Where Can I Install the GlobalProtect App? (paloaltonetworks.com) the official client for W11 is > 5.2.10
Personally, I've used version ~5.2.7 without issues; the only thing I noticed was that the detected host for the HIP Profile was Microsoft Windows 10 Pro. Now that I've updated to version 5.2.10-6, the detected host is Microsoft Windows 11 Pro.
This now comes with an issue. We have in our HIP Profile to allow connection for W10 versions only, but W11 versions are not appearing. One workaround would be to deny all versions listed, except W10 (and indirectly W11).
Does the list of OSs in the HIP profile depend on PAN-OS? We have version 10.0.0.8-h8
Regards
01-04-2022 07:56 AM
Hi @etoribio ,
I believe the OS list and any other setting you can use in the HIP profile are defined by the GlobalProtect Data File.
Which basically means that Palo Alto pushes updates once in a while. Unfortunately it seems the latest update was 07.11.2020 and it looks like it applies to all PAN-OS versions (at least from my environment).
There are two possible workarounds:
- For OS vendor choose "Other" and just type "Microsoft Windows 11 Pro". Basically the same string you see from the GlobalProtect application under the OS.
I am not 100% sure if it will work, and cannot test it right now, but in theory in the end it is just a string comparison between what the GlobalProtect app is reporting and what the FW config is using.
- The other way would be to use custom check and look for registry key that contains the OS version.
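As an added example (not from the original posts and not Palo Alto Networks code), the PowerShell below shows which value under the Windows `CurrentVersion` registry key a registry-based check can rely on to tell Windows 11 from Windows 10 and to reject outdated builds. The function name, the minimum-build policy and the sample values are assumptions constructed for illustration.

```powershell
# Added example. The minimum builds are constructed policy values, not vendor guidance.
$MinimumBuild = @{ 'Windows 10' = 19044; 'Windows 11' = 22000 }

function Test-OsBuildAllowed {
    param(
        # Object exposing ProductName and CurrentBuild, as returned by Get-ItemProperty.
        [Parameter(Mandatory)] $CurrentVersion
    )
    $build = [int]$CurrentVersion.CurrentBuild

    # ProductName under this key can still read "Windows 10 ..." on Windows 11,
    # so derive the family from the build number (Windows 11 starts at 22000).
    $family = if ($build -ge 22000) { 'Windows 11' } elseif ($build -ge 10240) { 'Windows 10' } else { 'Older' }

    [pscustomobject]@{
        ProductName = $CurrentVersion.ProductName
        Build       = $build
        Family      = $family
        # Unknown or older families are denied rather than compared against $null.
        Allowed     = $MinimumBuild.ContainsKey($family) -and ($build -ge $MinimumBuild[$family])
    }
}

# Constructed samples standing in for registry reads on four endpoints.
$samples = @(
    [pscustomobject]@{ ProductName = 'Windows 8.1 Pro'; CurrentBuild = '9600'  },
    [pscustomobject]@{ ProductName = 'Windows 10 Pro';  CurrentBuild = '17763' },
    [pscustomobject]@{ ProductName = 'Windows 10 Pro';  CurrentBuild = '19044' },
    [pscustomobject]@{ ProductName = 'Windows 10 Pro';  CurrentBuild = '22000' }
)
$samples | ForEach-Object { Test-OsBuildAllowed -CurrentVersion $_ } | Format-Table

# On a Windows endpoint, evaluate the live registry values as well.
if ($env:OS -eq 'Windows_NT') {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    Test-OsBuildAllowed -CurrentVersion (Get-ItemProperty -Path $key)
}
```

The last sample is the case to watch: a check keyed on `ProductName` would treat that endpoint as Windows 10, while `CurrentBuild` identifies it as Windows 11.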
01-05-2022 11:46 AM
I really recommend actually using custom checks to control what builds can connect to your environment. If you're saying that Windows 10 devices can just connect, you're allowing all builds of Windows 10, including extremely outdated builds that are no longer getting updates.
I personally like getting