HIPS to prevent windows 7 clients


L1 Bithead

How would I go about creating a HIPS profile that would deny access to machines running Windows 7 that need to connect to GlobalProtect?

8 REPLIES 8

Cyber Elite

Hi @Stevenjw0728 ,

Here are the steps to use HIP in the security policy -> https://docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/host-information/configure-h....

You would create a separate HIP Object like the following:

[Image: TomYoung_0-1678118606686.png]

Put it in a HIP Profile named Windows 7. Add the Windows 7 HIP Profile as a source to a security policy rule and deny traffic except optionally to a remediation server. GlobalProtect will not disconnect, but you can configure a GlobalProtect message under Gateway > Agent > HIP Notification.

Thanks,

Tom

Help the community: Like helpful comments and mark solutions.

I created an object for all versions of Windows, attached it to a profile, then assigned that profile to a rule that was VPN clients to Trust networks, and it took everyone down... why? Shouldn't it just be collecting data?

When you select OS contains Windows 7, does that cover all the editions of Windows 7?

Cyber Elite

Hi @Stevenjw0728 ,

If you apply a HIP Profile to a security policy rule, then the clients must match the HIP Profile to match the rule. You can create the profiles 1st and check matches under Monitor > HIP Match before applying them to a policy.

I think Windows 7 will match all Windows 7 flavors. The best way to find out is create it and see who matches.

Thanks,

Tom

If my profile was to include all Windows 7, Windows 10, and Windows 11, why did all my traffic stop?!

Cyber Elite

Hi @Stevenjw0728 ,

You would need to check the logic in the profile. Maybe it was a logical AND and devices can't be all 3 at the same time?

Thanks,

Tom

Cyber Elite

@Stevenjw0728,

How did you build out the profile and what did you actually want it to do? If you included every OS in the profile and denied access through the security policy, the firewall did what you told it to do. If you're just trying to prevent Windows 7 clients from connecting, include only the Windows 7 HIP-Object in the associated profile and make a Deny entry. You wouldn't want to group everything together in some overarching allow entry.

As to why your traffic stopped flowing, did you give any time between the creation of the HIP-Object/Profile and putting it into effect on the security rulebase at the same time? Generally speaking, whenever you build out a new Object/Profile, you're going to want to validate using the HIP logs that it's actually matching clients as expected before you ever include it in a policy. That ensures that your order of operations is actually correct, and it ensures that the clients active at the moment actually have time to send the update in their next HIP report.

Well dang it. Missed that. I thought when you add it to a profile it's like "hey, any of these match, you're good", so that was indeed the issue: the radio button for AND was checked.
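The AND/OR behaviour discussed in this thread, as an added example that is not part of any post and is not PAN-OS code: a simplified Python model of HIP Profile matching and first-match rule evaluation. The client names, OS strings, rule names and the default-deny fallthrough are constructed assumptions.

```python
# Simplified model of HIP matching; not PAN-OS code. All data is constructed.
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class HipProfile:
    name: str
    objects: Tuple[str, ...]  # each entry models one HIP Object ("OS contains ...")
    operator: str             # "and" / "or": how the profile combines its objects

    def matches(self, client_os: str) -> bool:
        hits = [needle in client_os for needle in self.objects]
        return all(hits) if self.operator == "and" else any(hits)

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                        # "allow" or "deny"
    hip: Optional[HipProfile] = None   # None: rule has no HIP condition

def evaluate(rules, client_os, default="deny"):
    """First rule whose HIP condition the client satisfies wins (assumed default: deny)."""
    for rule in rules:
        if rule.hip is None or rule.hip.matches(client_os):
            return rule.action
    return default

def hip_match_report(profile, clients):
    """Dry run: which clients match a profile, checked before it goes into policy."""
    return sorted(n for n, os_name in clients.items() if profile.matches(os_name))

CLIENTS = {  # constructed sample host reports
    "pc-a": "Microsoft Windows 7 Professional",
    "pc-b": "Microsoft Windows 10 Enterprise",
    "pc-c": "Microsoft Windows 11 Pro",
}
ALL_OS = ("Windows 7", "Windows 10", "Windows 11")
ALL_AND = HipProfile("all-windows", ALL_OS, "and")  # the misconfiguration from the thread
ALL_OR = HipProfile("all-windows", ALL_OS, "or")
WIN7 = HipProfile("Windows 7", ("Windows 7",), "or")

BROKEN = [Rule("vpn-to-trust", "allow", ALL_AND)]    # nobody can satisfy the AND
FIXED = [Rule("block-win7", "deny", WIN7), Rule("vpn-to-trust", "allow")]

def outcomes(rules):
    return {n: evaluate(rules, os_name) for n, os_name in CLIENTS.items()}

if __name__ == "__main__":
    for label, prof in (("AND", ALL_AND), ("OR", ALL_OR), ("Win7", WIN7)):
        print(label, "matches:", hip_match_report(prof, CLIENTS))
    print("broken:", outcomes(BROKEN))
    print("fixed: ", outcomes(FIXED))
```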
