Windows Update HIP Check

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Windows Update HIP Check

L0 Member

i saw another user is having pretty much the same problem as me, but her post was over a year ago. was hoping some other users might have had the same problem as me.

 

here's the original post:

https://live.paloaltonetworks.com/t5/globalprotect-discussions/hip-check-patch-management/td-p/44906...

 

essentially what we would like to do is....

1, check our VPN users to make sure they have Windows Update enabled

OR

2, check our VPN users to make sure they don't have any severity 3 patches not installed.

 

for option 1 i tried to configure the HIP check like this:

wcoulson_1-1673983372475.png

 

for option 2 i tried to configure the HIP check like this:

wcoulson_2-1673983424218.png

 

 

it doesn't seem to matter what options i check under patch management, the PC always fails the check for windows update.

what am i missing or what do i have configured wrong?

1 REPLY 1

Cyber Elite
Cyber Elite

Hi @wcoulson ,

I would confess I don't have real experience with patch management HIP check, but I could suggest the following:

- Can you confirm your GP portal agent config is configured to collect patch management information? Patch management is not excluded here

Astardzhiev_0-1674050081793.png

- From documentation is says "Check —Match on whether the endpoint has missing patches." - https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/globalprotect/objects-globalp...

So my understanding is that "has-any" means has any missing patch. And if I understand your first case you want this object to match a machine with all patches installed. Based on that I believe you need to use "has-none" - which should means "has none missing patches = has all patches"

 

- Second screenshot seems OK - should match if not severity 3 patches are missing, but you haven't specify patch management vendor. I am not sure if this could be a problem but you can try to add it the same way as your first hip object.

 

Have you checked how the HIP report looks like (the same way from the screenshot from the other post)? You can either check from GP client (setting -> Host Profile) or from FW cli https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClshCAC but this will be raw XML and GUI should be easier to read.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!