Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
Hello, I am trying to setup a HIP Profile for contractors accessing our network over Global Protect.
This HIP Profile is checking if version of Windows is supported(allowing only 8.1 and 10), then checking if Anti-Malware and Firewall is enabled and as a last check I want to check if Windows patches are up to date.
Checks for OS, Anti-Malware and Firewall are working fine but I am struggling with Patch-Management check.
On Global Protect Client on my not-updated test computer I can see that I am missing 3 patches. Two of them are of severity 2 and one is severity -1.
I was trying several combinations like the on on picture, on Patch Management HIP object tab but without success.
I want to achive that this HIP Profile will only allow user if there are no severity 2 or 3 Patches missing. What I need to set-up on Patch management tab to do so?
Thanks for any hint or help.
Hi, not sure if you ever achieved this but you're on the right track. One must first create the hip object and then the hip profile to include the hip object. The hip profile is the one that should be assigned to the security rule where you want the check to occur. Since you mentioned antimalware and firewall are already working correctly, I assume the "HIP data collection" is already turned on in your portal agent config. All you must be missing is a "deny" rule with the hip profile for the patch management criteria.
For example, if we are looking for any missing patches with severity 3 or greater, create the HIP object as pictured and the HIP profile with the HIP object. Then place the HIP profile under source device for the specific security rule which allows users onto your vpn.
detailed steps here: https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/host-information/configure-...
