I saw another user is having pretty much the same problem as me, but her post was over a year ago. Was hoping some other users might have had the same problem as me.
Here's the original post:
Essentially what we would like to do is....
1. Check our VPN users to make sure they have Windows Update enabled.
2. Check our VPN users to make sure they don't have any severity 3 patches not installed.
For option 1 I tried to configure the HIP check like this:
For option 2 I tried to configure the HIP check like this:
It doesn't seem to matter what options I check under patch management; the PC always fails the check for Windows Update.
What am I missing or what do I have configured wrong?
Hi @wcoulson ,
I would confess I don't have real experience with patch management HIP check, but I could suggest the following:
- Can you confirm your GP portal agent config is configured to collect patch management information? Patch management is not excluded here
- From the documentation, it says "Check —Match on whether the endpoint has missing patches." - https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/globalprotect/objects-globalp...
So my understanding is that "has-any" means has any missing patch. And if I understand your first case, you want this object to match a machine with all patches installed. Based on that, I believe you need to use "has-none" - which should mean "has no missing patches = has all patches"
- The second screenshot seems OK - it should match if no severity 3 patches are missing, but you haven't specified a patch management vendor. I am not sure if this could be a problem, but you can try to add it the same way as in your first HIP object.
Have you checked what the HIP report looks like (the same way as in the screenshot from the other post)? You can either check from the GP client (setting -> Host Profile) or from the FW CLI https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClshCAC but this will be raw XML and the GUI should be easier to read.