Glass magnifier detail info needed for HIP Match, Log Detail


L1 Bithead

Hi, I am looking to see if there is a way to export or report the detailed info that the glass magnifier provides when clicking on HIP Match, Log Detail in the glass magnifier column. The HIP Match columns do provide basic info such as PC name, user name, domain, serial number, etc. I have tried different settings in the HIP Objects and Profiles, but the info is limited to yes/no, such as whether the Antivirus is installed (yes/no) or whether the Anti-Malware is installed (yes/no); it does not give the same level of detail, such as the specific numeric version, that the magnifier glass does.

I am trying to get the full detailed info that I can see when clicking the magnifier glass; it is definitely there. Is there any way to get it via GUI or CLI?

Help is appreciated. 


2 REPLIES

L2 Linker

Hi,

You can get a detailed HIP report dump from the CLI.

This command will give you all the users connected to the GlobalProtect Gateway:

> show global-protect-gateway current-user

Below you can see the output for a user connected to the GP tunnel:


GlobalProtect Gateway: GP-Gateway (1 users)
Tunnel Name : GP-Gateway-N
Domain-User Name : sos\srazaque
Computer : WIN10-REMOTE
Primary Username : sos\srazaque
Region for Config : 10.0.0.0-10.255.255.255
Source Region : 10.0.0.0-10.255.255.255
Client : Microsoft Windows 10 Enterprise Evaluation , 64-bit
VPN Type : Device Level VPN
Mobile ID :
Client OS : Windows
Private IP : 10.20.30.119
Private IPv6 : ::
Public IP (connected) : 10.101.99.22
Public IPv6 : ::
Client IP : 10.101.99.22
ESP : removed
SSL : exist
Login Time : Jun.19 14:44:23
Logout/Expiration : Jul.19 14:44:23
TTL : 2591695
Inactivity TTL : 10757
Request - Login : 2020-06-19 14:44:23.377 (1592603063377), 10.101.99.22
Request - GetConfig : 2020-06-19 14:44:23.696 (1592603063696), 10.101.99.22
Request - SSLVPNCONNECT : 2020-06-19 14:44:30.246 (1592603070246), 10.101.99.22

You can then use the following command from the CLI to dump the HIP report for that user's connection. You will need the user, IP and computer name, which can be collected from the command above.

> debug user-id dump hip-report computer WIN10-REMOTE ip 10.20.30.119 user sos\srazaque

The output will look as follows:

<?xml version="1.0" encoding="UTF-8"?>
<hip-report>
<md5-sum>1964a64078fc2f95a4c5eda73f390ba</md5-sum>
<user-name>srazaque</user-name>
<domain>sos</domain>
<host-name>WIN10-REMOTE</host-name>
<host-id>43199d79-b2b3-4f66-a33d-cd0f7969970a</host-id>
<ip-address>10.20.30.119</ip-address>
<ipv6-address></ipv6-address>
<generate-time>06/19/2020 14:48:45</generate-time>
<hip-report-version>4</hip-report-version>
<categories>
<entry name="host-info">
<managed>unknown</managed>
<serial-number>VMware-56 4d 6e e3 f0 d0 d8 41-4e ff 01 20 c2 6c 13 a6</serial-number>
<client-version>5.1.3-12</client-version>
<os>Microsoft Windows 10 Enterprise Evaluation , 64-bit</os>
<os-vendor>Microsoft</os-vendor>
<domain>SOS.local</domain>
<host-name>WIN10-REMOTE</host-name>
<host-id>43199d79-b2b3-4f66-a33d-cd0f7969970a</host-id>
<network-interface>
<entry name="{4AB91E94-3200-44F8-B57A-83F98E7EDC11}">
<description>PANGP Virtual Ethernet Adapter</description>
<mac-address>02-50-41-00-00-01</mac-address>
<ip-address>
<entry name="10.20.30.119"/>
</ip-address>
</entry>
<entry name="{4680DD71-B408-4045-98B1-95858E996102}">
<description>Intel(R) PRO/1000 MT Network Connection</description>
<mac-address>00-0C-29-6C-13-A6</mac-address>
<ip-address>
<entry name="192.168.109.134"/>
</ip-address>
<ipv6-address>
<entry name="fe80::fd6e:2175:e8b2:1520"/>
</ipv6-address>
</entry>
<entry name="{AD04D857-4A91-11E9-A74E-806E6F6E6963}">
<description>Software Loopback Interface 1</description>
<mac-address></mac-address>
<ip-address>
<entry name="127.0.0.1"/>
</ip-address>
<ipv6-address>
<entry name="::1"/>
</ipv6-address>
</entry>
</network-interface>
</entry>
<entry name="anti-malware">
<list>
<entry>
<ProductInfo>
<Prod vendor="Microsoft Corporation" name="Windows Defender" version="4.18.1807.18075" defver="1.317.1735.0" engver="1.1.17100.2" datemon="6" dateday="19" dateyear="2020" prodType="3" osType="1"/>
<real-time-protection>yes</real-time-protection>
<last-full-scan-time>n/a</last-full-scan-time>
</ProductInfo>
</entry>
</list>
</entry>
<entry name="disk-backup">
<list>
<entry>
<ProductInfo>
<Prod vendor="Microsoft Corporation" name="Windows Backup and Restore" version="10.0.17763.1"/>
<last-backup-time>n/a</last-backup-time>
</ProductInfo>
</entry>
<entry>
<ProductInfo>
<Prod vendor="Microsoft Corporation" name="Windows File History" version="10.0.17763.1"/>
<last-backup-time>n/a</last-backup-time>
</ProductInfo>
</entry>
</list>
</entry>
<entry name="disk-encryption">
<list>
<entry>
<ProductInfo>
<Prod vendor="Microsoft Corporation" name="BitLocker Drive Encryption" version="10.0.17763.1"/>
<drives>
<entry>
<drive-name>C:\</drive-name>
<enc-state>unencrypted</enc-state>
</entry>
</drives>
</ProductInfo>
</entry>
</list>
</entry>
<entry name="firewall">
<list>
<entry>
<ProductInfo>
<Prod vendor="Microsoft Corporation" name="Windows Firewall" version="10.0.17763.1"/>
<is-enabled>no</is-enabled>
</ProductInfo>
</entry>
</list>
</entry>
<entry name="patch-management">
<list>
<entry>
<ProductInfo>
<Prod vendor="Microsoft Corporation" name="Windows Update Agent" version="10.0.17763.1"/>
<is-enabled>yes</is-enabled>
</ProductInfo>
</entry>
</list>
<missing-patches>
<entry>
<title>2020-01 Update for Windows 10 Version 1809 for x64-based Systems (KB4494174)</title>
<description>Install this update to resolve issues in Windows. For a complete listing of the issues that are included in this update, see the associated Microsoft Knowledge Base article for more information. After you install this item, you may have to restart your computer.</description>
<product>Windows 10</product>
<vendor>Microsoft Corporation</vendor>
<info-url></info-url>
<kb-article-id>4494174</kb-article-id>
<security-bulletin-id></security-bulletin-id>
<severity>2</severity>
<category>update</category>
<is-installed>no</is-installed>
</entry>
<entry>
<title>Security Intelligence Update for Microsoft Defender Antivirus - KB2267602 (Version 1.317.1735.0)</title>
<description>Install this update to revise the files that are used to detect viruses, spyware, and other potentially unwanted software. Once you have installed this item, it cannot be removed.</description>
<product>Microsoft Defender Antivirus</product>
<vendor>Microsoft Corporation</vendor>
<info-url></info-url>
<kb-article-id>2267602</kb-article-id>
<security-bulletin-id></security-bulletin-id>
<severity>2</severity>
<category>definition_update</category>
<is-installed>no</is-installed>
</entry>
</missing-patches>
</entry>
<entry name="data-loss-prevention">
<list>
</list>
</entry>
</categories>
</hip-report>

Let us know if that helps!

Thanks and stay safe
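The two-step procedure in the reply above (list connected users, then dump each user's HIP report) and the XML it returns lend themselves to scripting, which is what the question is really after: a report of the version-level detail, not just yes/no. The following Python is an added example, not PAN-OS code and not the reply author's. It parses a constructed copy of the `show global-protect-gateway current-user` output into the fields the dump command needs, builds that command for each tunnel, flattens a trimmed, constructed copy of the hip-report XML into one record per host (AV engine and definition versions, BitLocker state per drive, firewall state, missing KB numbers) and writes the records as CSV. The function names, record keys and the posture checks in `compliance_findings` are this example's own choices; collecting the CLI output from the firewall (for example over SSH) is assumed to happen outside the script.

```python
import csv
import io
import xml.etree.ElementTree as ET

# Constructed sample: the lines of `show global-protect-gateway current-user`
# output that the dump command needs (values copied from the reply above).
CURRENT_USER_OUTPUT = """\
GlobalProtect Gateway: GP-Gateway (1 users)
Tunnel Name : GP-Gateway-N
Domain-User Name : sos\\srazaque
Computer : WIN10-REMOTE
Primary Username : sos\\srazaque
Mobile ID :
Private IP : 10.20.30.119
Public IP (connected) : 10.101.99.22
"""

# Constructed sample: a trimmed copy of the hip-report structure shown above.
HIP_REPORT_XML = """<?xml version="1.0" encoding="UTF-8"?>
<hip-report>
<user-name>srazaque</user-name><domain>sos</domain><host-name>WIN10-REMOTE</host-name>
<categories>
<entry name="host-info"><client-version>5.1.3-12</client-version></entry>
<entry name="anti-malware"><list><entry><ProductInfo>
<Prod vendor="Microsoft Corporation" name="Windows Defender" version="4.18.1807.18075" defver="1.317.1735.0"/>
<real-time-protection>yes</real-time-protection></ProductInfo></entry></list></entry>
<entry name="disk-encryption"><list><entry><ProductInfo>
<Prod vendor="Microsoft Corporation" name="BitLocker Drive Encryption" version="10.0.17763.1"/>
<drives><entry><drive-name>C:\\</drive-name><enc-state>unencrypted</enc-state></entry></drives>
</ProductInfo></entry></list></entry>
<entry name="firewall"><list><entry><ProductInfo>
<Prod vendor="Microsoft Corporation" name="Windows Firewall" version="10.0.17763.1"/>
<is-enabled>no</is-enabled></ProductInfo></entry></list></entry>
<entry name="patch-management"><list></list><missing-patches>
<entry><kb-article-id>4494174</kb-article-id><severity>2</severity></entry>
<entry><kb-article-id>2267602</kb-article-id><severity>2</severity></entry>
</missing-patches></entry>
<entry name="data-loss-prevention"><list></list></entry>
</categories>
</hip-report>
"""


def parse_current_users(text):
    """Split current-user output into one dict per tunnel, keyed by field label."""
    sessions, current = [], None
    for line in text.splitlines():
        if line.startswith("Tunnel Name"):         # each tunnel block begins here
            current = {}
            sessions.append(current)
        if current is not None and " : " in line:   # "Label : value" lines only
            key, _, value = line.partition(" : ")
            current[key.strip()] = value.strip()
    return sessions


def dump_command(session):
    """Build the per-user `debug user-id dump hip-report ...` command for one tunnel."""
    return "debug user-id dump hip-report computer {} ip {} user {}".format(
        session["Computer"], session["Private IP"], session["Domain-User Name"])


def flatten_hip_report(xml_text):
    """Pull the version-level details the GUI magnifier shows into one flat dict."""
    root = ET.fromstring(xml_text)
    cats = {e.get("name"): e for e in root.find("categories").findall("entry")}

    def prod(cat):  # first ProductInfo of a category; None if absent or the list is empty
        return cats[cat].find("list/entry/ProductInfo") if cat in cats else None

    am, de, fw = prod("anti-malware"), prod("disk-encryption"), prod("firewall")
    pm = cats.get("patch-management")
    return {
        "user": root.findtext("domain") + "\\" + root.findtext("user-name"),
        "host": root.findtext("host-name"),
        "gp_client_version": cats["host-info"].findtext("client-version"),
        "av_product": am.find("Prod").get("name") if am is not None else "",
        "av_version": am.find("Prod").get("version") if am is not None else "",
        "av_defver": am.find("Prod").get("defver") if am is not None else "",
        "av_realtime": am.findtext("real-time-protection") if am is not None else "",
        "disk_encryption": {} if de is None else {
            d.findtext("drive-name"): d.findtext("enc-state") for d in de.findall("drives/entry")},
        "firewall_enabled": fw.findtext("is-enabled") if fw is not None else "",
        "missing_patches": [] if pm is None else [
            p.findtext("kb-article-id") for p in pm.findall("missing-patches/entry")],
    }


def compliance_findings(rec):
    """Posture findings an admin would report on (this example's own checks)."""
    findings = []
    if rec["firewall_enabled"] != "yes":
        findings.append("host firewall not enabled")
    if rec["av_realtime"] != "yes":
        findings.append("anti-malware real-time protection off")
    for drive, state in rec["disk_encryption"].items():
        if state != "encrypted":
            findings.append(f"drive {drive} is {state}")
    if rec["missing_patches"]:
        findings.append("missing patches: KB" + ", KB".join(rec["missing_patches"]))
    return findings


def to_csv(records):
    """Serialise flat records to CSV text; nested fields are joined into one cell."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=list(records[0].keys()) + ["findings"])
    writer.writeheader()
    for rec in records:
        row = dict(rec)
        row["disk_encryption"] = ";".join(f"{d}={s}" for d, s in rec["disk_encryption"].items())
        row["missing_patches"] = ";".join(rec["missing_patches"])
        row["findings"] = ";".join(compliance_findings(rec))
        writer.writerow(row)
    return out.getvalue()


if __name__ == "__main__":
    for s in parse_current_users(CURRENT_USER_OUTPUT):
        print(dump_command(s))          # one dump command per connected tunnel
    print(to_csv([flatten_hip_report(HIP_REPORT_XML)]))
```

Categories that are absent or carry an empty `<list>` (data-loss-prevention in the sample) come through as empty fields rather than exceptions, so a report over many hosts does not stop at the first machine without a given product. Note that the dump command uses the Domain-User Name and Private IP fields, exactly as in the reply, so a tunnel with no private IP assigned would need to be skipped before calling `dump_command`.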
 

