HIPS to prevent windows 7 clients

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

HIPS to prevent windows 7 clients

L1 Bithead

How would I go about creating a HIPS profile that would deny access to machines running windows 7 that need to connect to global protect?

1 accepted solution

Accepted Solutions

Cyber Elite
Cyber Elite

Hi @Stevenjw0728 ,

 

You would need to check the logic in the profile.  Maybe it was a logical AND and devices can't be all 3 at the same time?

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

View solution in original post

8 REPLIES 8

Cyber Elite
Cyber Elite

Hi @Stevenjw0728 ,

 

Here are the steps to use HIP in the security policy -> https://docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/host-information/configure-h....

 

You would create a separate HIP Object like the following:

 

TomYoung_0-1678118606686.png

 

Put it in a HIP Profile named Windows 7.  Add the Windows 7 HIP Profile as a source to a security policy rule and deny traffic except optionally to a remediation server.  GlobalProtect will not disconnect, but you can configure a GlobalProtect message under Gateway > Agent > HIP Notification.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

I created an object for all versions of windows, attached it to a profile, then assigned that profile to a rule that was VPN clients to Trust networks and it took everyone down.....why? Shouldn't it just be collecting data? 

When you select OS contains Windows 7, does that cover all the editions of Windows 7?

Cyber Elite
Cyber Elite

Hi @Stevenjw0728 ,

 

If you apply a HIP Profile to a security policy rule, then the clients must match the HIP Profile to match the rule.  You can create the profiles 1st and check matches under Monitor > HIP Match before applying them to a policy.

 

I think Windows 7 will match all Windows 7 flavors.  The best way to find out is create it and see who matches.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

if my profile was to include all windows 7, windows 10, and windows 11, why did all my traffic stop?!

 

Cyber Elite
Cyber Elite

Hi @Stevenjw0728 ,

 

You would need to check the logic in the profile.  Maybe it was a logical AND and devices can't be all 3 at the same time?

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

Cyber Elite
Cyber Elite

@Stevenjw0728,

How did you build out the profile and what did you actually want it to do? If you included every OS in the profile and denied access through the security policy, the firewall did what you told it to do. If you're just trying to prevent Windows 7 clients from connecting, include only the Windows 7 HIP-Object in the associated profile and make a Deny entry. You wouldn't want to group everything together in some overarching allow entry.

 

As to why your traffic stop flowing, did you give any time between the creation of the HIP-Object/Profile and putting it into effect on the security rulebase at the same time? Generally speaking whenever you build out a new Object/Profile, you're going to want to validate using the HIP logs that it's actually matching clients as expected before you ever include it in a policy. That ensures that your order of operations is actually correct, and it ensures that the clients active at the moment actually have time to send the update in their next HIP report. 

 

Well dang it. Missed that. I thought when you add it to a profile its like "hey any of these match your good" so that was indeed the issue, radio button for AND was checked. 

  • 1 accepted solution
  • 2304 Views
  • 8 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!