- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
11-23-2021 01:56 AM
Hello, I am trying to setup a HIP Profile for contractors accessing our network over Global Protect.
This HIP Profile is checking if version of Windows is supported(allowing only 8.1 and 10), then checking if Anti-Malware and Firewall is enabled and as a last check I want to check if Windows patches are up to date.
Checks for OS, Anti-Malware and Firewall are working fine but I am struggling with Patch-Management check.
On Global Protect Client on my not-updated test computer I can see that I am missing 3 patches. Two of them are of severity 2 and one is severity -1.
I was trying several combinations like the on on picture, on Patch Management HIP object tab but without success.
I want to achive that this HIP Profile will only allow user if there are no severity 2 or 3 Patches missing. What I need to set-up on Patch management tab to do so?
Thanks for any hint or help.
10-29-2024 10:06 AM
Hi, not sure if you ever achieved this but you're on the right track. One must first create the hip object and then the hip profile to include the hip object. The hip profile is the one that should be assigned to the security rule where you want the check to occur. Since you mentioned antimalware and firewall are already working correctly, I assume the "HIP data collection" is already turned on in your portal agent config. All you must be missing is a "deny" rule with the hip profile for the patch management criteria.
For example, if we are looking for any missing patches with severity 3 or greater, create the HIP object as pictured and the HIP profile with the HIP object. Then place the HIP profile under source device for the specific security rule which allows users onto your vpn.
detailed steps here: https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/host-information/configure-...
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!