PALOALTO NGFW HIP


L1 Bithead

Hi,
I need help with configuring Host Information Profiles (HIP) using device attributes such as MAC address, serial number, or host ID. When creating a HIP object with these attributes, where should I add the list of devices so they are recognized by the firewall?
Thanks,

1 accepted solution

Accepted Solutions

Cyber Elite

@OrkhanM,

Assuming that you do not have an MDM?

You would need to do what I've described above: each endpoint that you wish to allow will need to be an individual HIP object, and you will then need to group them into a HIP Profile and use it as needed (remember that profiles can be used as matching criteria in other profiles).

To keep the administration aspect of this lower, I would look into automating this as much as possible. When I've needed to do this in the past I had built out automation to take a source file and templated the creation of HIP Objects and the Profiles that were in use for those devices to account for new devices. That isn't something that the firewall can do natively however, so you either live with the administration overhead or automate it away. 

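The accepted answer above says the only scalable way to do this is to template the creation of one HIP object per device from a source file and then group them in a HIP profile. The script below is an added example of that approach; it is not code from the thread or from Palo Alto Networks. It reads a constructed inventory (name, attribute, value), validates and normalises each entry so a typo or a duplicate name fails before anything is pushed, and emits (xpath, element) pairs in the form the PAN-OS XML API `type=config&action=set` call takes. The xpath under `vsys1`, the element names `hip-objects`, `host-info/criteria/<attribute>/is` and `hip-profiles/match`, and the quoted-name `or` match expression are assumptions about the configuration schema, and the object-name rule is a deliberately conservative guess; confirm all of them against the schema of your PAN-OS version before pushing.

```python
"""Generate per-device HIP objects and one grouping HIP profile from an inventory.

Added example, not from the thread or the vendor. Element and xpath names are
assumptions about the PAN-OS config schema and must be verified for your version.
"""
import csv
import io
import re
import xml.etree.ElementTree as ET

# Constructed sample inventory (not real devices): one row per endpoint.
INVENTORY_CSV = """name,attribute,value
android-001,serial-number,R58N1234ABC
ios-002,serial-number,DNPX9Z8Y7W6V
kiosk-003,mac-address,AA-BB-CC-DD-EE-01
"""

# Assumed config xpath for the vsys1 profiles branch.
PROFILES_XPATH = ("/config/devices/entry[@name='localhost.localdomain']"
                  "/vsys/entry[@name='vsys1']/profiles")

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")
NAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,31}$")   # assumed conservative object-name rule
ALLOWED_ATTRS = {"serial-number", "mac-address", "host-id"}


def normalize(attr, value):
    """Canonicalise a value so the same device cannot slip in under two spellings."""
    v = value.strip()
    if attr == "mac-address":
        v = v.lower().replace("-", ":")
        if not MAC_RE.match(v):
            raise ValueError(f"bad MAC address: {value!r}")
    elif not v or any(c.isspace() for c in v):
        raise ValueError(f"bad {attr} value: {value!r}")
    return v


def load_inventory(text):
    """Parse the CSV, rejecting unknown attributes and duplicate object names."""
    rows, seen = [], set()
    for row in csv.DictReader(io.StringIO(text)):
        name, attr = row["name"].strip(), row["attribute"].strip()
        if not NAME_RE.match(name) or name in seen:
            raise ValueError(f"bad or duplicate object name: {name!r}")
        if attr not in ALLOWED_ATTRS:
            raise ValueError(f"unsupported attribute: {attr!r}")
        seen.add(name)
        rows.append((name, attr, normalize(attr, row["value"])))
    return rows


def hip_object_xml(name, attr, value):
    """One HIP object matching exactly one device attribute (one value per object)."""
    entry = ET.Element("entry", name=name)
    criteria = ET.SubElement(ET.SubElement(entry, "host-info"), "criteria")
    ET.SubElement(ET.SubElement(criteria, attr), "is").text = value
    return ET.tostring(entry, encoding="unicode")


def hip_profile_match(names):
    """Profile match expression OR-ing every object (assumed quoted-name syntax)."""
    return " or ".join(f'"{n}"' for n in names)


def build_config(inventory_text, profile_name):
    """Return (xpath, element) pairs for the XML API config set action."""
    rows = load_inventory(inventory_text)
    ops = [(f"{PROFILES_XPATH}/hip-objects", hip_object_xml(n, a, v))
           for n, a, v in rows]
    profile = ET.Element("entry", name=profile_name)
    ET.SubElement(profile, "match").text = hip_profile_match([n for n, _, _ in rows])
    ops.append((f"{PROFILES_XPATH}/hip-profiles", ET.tostring(profile, encoding="unicode")))
    return ops


if __name__ == "__main__":
    for xpath, element in build_config(INVENTORY_CSV, "byod-allowed"):
        print(xpath, element, sep="\n  ")
```

Run it against the real inventory export, commit only after a diff of the generated objects against the current config, and re-run whenever a device is added or retired so the profile never keeps a stale MAC or serial in the allow set.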

4 REPLIES

Cyber Elite

@OrkhanM,

I would generally tell most people that this isn't the path that you want to go down from a management aspect. It would be easier to manage if you started (or have) serial numbers assigned and use an LDAP server profile to be able to utilize the 'Managed' option to verify that the serial number is present in AD.

This will allow the firewall to pull the list of serial numbers from active directory by looking at the computer objects and the serialNumber attribute to validate whether or not a computer is actually present in AD or not. 


If you can't do that for some reason, you'll ideally have automation in place to create individual HIP objects for each entry that you want to allow and then utilize a profile to group all of the individual objects. I don't believe that you can match multiple different strings with a single object, so unless you can make them all fit with a Contains operator (which effectively would only allow a single manufacturer and doesn't actually prevent much) you're going to need to utilize a profile to group all of the individual objects which doesn't really scale.


The point is that I don’t want this for a domain environment. The devices I want to apply HIP to are only non-domain devices, such as mobile devices (e.g., Android/iOS).

On some of these, it’s possible to enable AV check for HIP, but on others (e.g., Android and iOS devices), HIP data does not return any information related to AV check. For this reason, for such devices, I can perform HIP checks using MAC/Serial Number/Host ID + CACert check.

I’m just stuck on where exactly I should add the list of devices (i.e., MAC or Serial Number or Host ID).


Thanks for helping.
