Palo Alto Scan Clients for Antivirus

L2 Linker

I have a quick question regarding the capabilities of the Palo Altos. In this scenario, we want to be able to deny computers that connect via SSL VPN (GlobalProtect) access to the network if they do not have antivirus on their machines. Can Palo Alto do this? If so, can you direct me to the procedures for how to set this up?



L2 Linker

Hi Mark,

You can use HIP checks to do this.

You will need to configure a HIP object for the AV solutions that you want the firewall to check for, then create a HIP profile and assign the profile to a security rule (this is selected in the Users tab of the security policy).

Please check this article. It is for Windows patches, but the principle is the same.

How to Configure HIP for Missing Microsoft Patches

Hope this helps

L2 Linker

Does this also work for Macs?

L2 Linker

Yes Mark,

You can use it for the Macs too.

If you like, you can divide the checks for Mac and for Windows machines into separate HIP Profiles, where one checks whether the system has a Windows OS and an AV solution running (and/or up to date), and another HIP Profile checks whether the system is Mac OS and there is an AV solution running (and/or up to date). For that reason, when creating the HIP object, in the GENERAL tab, mark the Host info and select the OS as needed (Mac or Windows), and if needed limit the versions that are in use in your environment (maybe you are only using Windows 7 Professional and Windows 8.1 for the Microsoft OS and Mac OS X 10.8 from Apple). After that, make the needed combination of HIP objects into HIP Profiles (using logical operators) and attach the profile to a security rule. Don't forget to add a block rule for the users that don't match the HIP profile, or at least limit them to just being able to go to certain sites (like the update server for the AV solution in use).
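As an added illustration, not from the thread and not PAN-OS code, here is a small Python model of the evaluation described in the answers above: HIP objects as predicates over host info, HIP profiles combining them with logical operators, and an ordered rule set whose fallback only lets non-compliant hosts reach the AV update server. All object, profile, rule and host-report field names are assumed for the example.

```python
from dataclasses import dataclass


@dataclass
class HostReport:
    """Constructed stand-in for the host info a HIP report carries (field names assumed)."""
    os_family: str          # "windows" or "mac"
    os_version: str         # e.g. "7 Professional", "8.1", "10.8"
    av_installed: bool
    av_running: bool
    av_defs_age_days: int   # how old the AV definitions are


# HIP objects: each checks one aspect of the host (OS family/version, AV state).
HIP_OBJECTS = {
    "win-host": lambda h: h.os_family == "windows"
    and h.os_version in ("7 Professional", "8.1"),
    "mac-host": lambda h: h.os_family == "mac" and h.os_version == "10.8",
    "av-ok": lambda h: h.av_installed and h.av_running and h.av_defs_age_days <= 7,
}

# HIP profiles: HIP objects combined with and/or/not, written as nested tuples.
HIP_PROFILES = {
    "win-with-av": ("and", "win-host", "av-ok"),
    "mac-with-av": ("and", "mac-host", "av-ok"),
    "compliant": ("or", ("and", "win-host", "av-ok"), ("and", "mac-host", "av-ok")),
}

# Security rules evaluated top-down, first match wins:
# (rule name, required HIP profile or None for any host, destination, action)
SECURITY_RULES = [
    ("gp-compliant-allow", "compliant", "any", "allow"),
    ("gp-av-update-only", None, "av-update-server", "allow"),  # remediation path
    ("gp-noncompliant-deny", None, "any", "deny"),              # explicit block rule
]


def hip_match(expr, host):
    """Evaluate a HIP profile expression against a host report."""
    if isinstance(expr, str):
        return HIP_OBJECTS[expr](host)
    op, *args = expr
    if op == "not":
        return not hip_match(args[0], host)
    if op == "and":
        return all(hip_match(a, host) for a in args)
    if op == "or":
        return any(hip_match(a, host) for a in args)
    raise ValueError(f"unknown operator {op!r}")


def evaluate(host, destination):
    """Return (rule name, action) for a GlobalProtect host reaching a destination."""
    for name, profile, dest, action in SECURITY_RULES:
        if profile is not None and not hip_match(HIP_PROFILES[profile], host):
            continue
        if dest != "any" and dest != destination:
            continue
        return name, action
    return "implicit-deny", "deny"
```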
