HIP check Patch Management

L1 Bithead

Hello, I am trying to set up a HIP Profile for contractors accessing our network over Global Protect.
This HIP Profile checks if the version of Windows is supported (allowing only 8.1 and 10), then checks if Anti-Malware and Firewall are enabled, and as a last check I want to check if Windows patches are up to date.
Checks for OS, Anti-Malware and Firewall are working fine but I am struggling with the Patch-Management check.

On Global Protect Client on my not-updated test computer I can see that I am missing 3 patches. Two of them are of severity 2 and one is severity -1.

hip check.PNG

I was trying several combinations like the one in the picture, on the Patch Management HIP object tab, but without success.

hip object.PNG

I want to achieve that this HIP Profile will only allow a user if there are no severity 2 or 3 patches missing. What do I need to set up on the Patch Management tab to do so?

Thanks for any hint or help.

3 REPLIES 3

L0 Member

Shot in the dark here since this is 15 months old, but did you ever happen to get this figured out?

L1 Bithead

@Henley were you able to achieve this?

L0 Member

Hi, not sure if you ever achieved this but you're on the right track. One must first create the hip object and then the hip profile to include the hip object. The hip profile is the one that should be assigned to the security rule where you want the check to occur. Since you mentioned antimalware and firewall are already working correctly, I assume the "HIP data collection" is already turned on in your portal agent config. All you must be missing is a "deny" rule with the hip profile for the patch management criteria.
For example, if we are looking for any missing patches with severity 3 or greater, create the HIP object as pictured and the HIP profile with the HIP object. Then place the HIP profile under source device for the specific security rule which allows users onto your VPN.

YvetteParra_0-1730220764546.png

YvetteParra_2-1730221350155.png
Detailed steps here: https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/host-information/configure-...

 

 

 
