03-03-2023 12:29 PM
How would I go about creating a HIPS profile that would deny access to machines running Windows 7 that need to connect to GlobalProtect?
03-06-2023 08:35 AM
Hi @Stevenjw0728 ,
Here are the steps to use HIP in the security policy -> https://docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/host-information/configure-h....
You would create a separate HIP Object like the following:
Put it in a HIP Profile named Windows 7. Add the Windows 7 HIP Profile as a source to a security policy rule and deny traffic except optionally to a remediation server. GlobalProtect will not disconnect, but you can configure a GlobalProtect message under Gateway > Agent > HIP Notification.
Thanks,
Tom
03-08-2023 02:59 PM
I created an object for all versions of Windows, attached it to a profile, then assigned that profile to a rule that was VPN clients to Trust networks and it took everyone down... Why? Shouldn't it just be collecting data?
03-08-2023 04:07 PM
When you select OS contains Windows 7, does that cover all the editions of Windows 7?
03-08-2023 05:41 PM
Hi @Stevenjw0728 ,
If you apply a HIP Profile to a security policy rule, then the clients must match the HIP Profile to match the rule. You can create the profiles first and check matches under Monitor > HIP Match before applying them to a policy.
I think Windows 7 will match all Windows 7 flavors. The best way to find out is to create it and see who matches.
Thanks,
Tom
03-09-2023 07:32 AM
If my profile was to include all Windows 7, Windows 10, and Windows 11, why did all my traffic stop?!
03-09-2023 07:46 AM
Hi @Stevenjw0728 ,
You would need to check the logic in the profile. Maybe it was a logical AND and devices can't be all 3 at the same time?
Thanks,
Tom
03-09-2023 07:50 AM
How did you build out the profile and what did you actually want it to do? If you included every OS in the profile and denied access through the security policy, the firewall did what you told it to do. If you're just trying to prevent Windows 7 clients from connecting, include only the Windows 7 HIP-Object in the associated profile and make a Deny entry. You wouldn't want to group everything together in some overarching allow entry.
As to why your traffic stopped flowing, did you give any time between the creation of the HIP-Object/Profile and putting it into effect on the security rulebase at the same time? Generally speaking, whenever you build out a new Object/Profile, you're going to want to validate using the HIP logs that it's actually matching clients as expected before you ever include it in a policy. That ensures that your order of operations is actually correct, and it ensures that the clients active at the moment actually have time to send the update in their next HIP report.
03-09-2023 08:21 AM
Well dang it. Missed that. I thought when you add it to a profile it's like "hey, any of these match, you're good", so that was indeed the issue: the radio button for AND was checked.
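The behaviour worked out in this thread, as a simplified model added here (not part of any post, and not PAN-OS code or syntax): a rule with a HIP profile only matches clients that match the profile, so an AND of three OS objects on the allow rule matches nobody. The object names, rule names, hostnames and OS strings are constructed for illustration.

```python
# Simplified model of HIP matching (added example; not PAN-OS code or syntax).
# HIP objects: name -> "OS contains ..." predicate over the reported OS string.
HIP_OBJECTS = {
    "win7":  lambda os: "Windows 7" in os,
    "win10": lambda os: "Windows 10" in os,
    "win11": lambda os: "Windows 11" in os,
}

def profile_matches(expr, os_name):
    """Evaluate a profile: an object name, or ("and" | "or" | "not", ...)."""
    if isinstance(expr, str):
        return HIP_OBJECTS[expr](os_name)
    op, *args = expr
    results = [profile_matches(a, os_name) for a in args]
    if op == "and":
        return all(results)
    if op == "or":
        return any(results)
    if op == "not":
        return not results[0]
    raise ValueError(f"unknown operator: {op}")

def first_matching_rule(rules, os_name):
    """Top-down evaluation. A rule with a profile applies only to clients that
    match the profile; clients matching no rule hit the implicit deny."""
    for name, profile, action in rules:
        if profile is None or profile_matches(profile, os_name):
            return name, action
    return "implicit-deny", "deny"

# Constructed sample clients (hostnames and OS strings are made up).
CLIENTS = {
    "pc-01": "Microsoft Windows 7 Professional",
    "pc-02": "Microsoft Windows 10 Enterprise",
    "pc-03": "Microsoft Windows 11 Pro",
}

def evaluate(rules):
    return {h: first_matching_rule(rules, os)[1] for h, os in CLIENTS.items()}

ALL_AND = ("and", "win7", "win10", "win11")  # what took everyone down
ALL_OR = ("or", "win7", "win10", "win11")    # "any of these match"
broken = [("vpn-to-trust", ALL_AND, "allow")]
block_win7 = [("deny-win7", "win7", "deny"), ("vpn-to-trust", None, "allow")]

if __name__ == "__main__":
    for label, rules in (("AND on allow rule", broken), ("deny Win7 first", block_win7)):
        print(label, evaluate(rules))
```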