Steve Borba

My notes, I hope they help you, feel free to comment/add to them

Global Protect HIP

One of the features of Palo Alto Networks GlobalProtect that is often underused is HIP — largely because there isn’t enough coverage on what it can do or how to do it. Common use cases I’ve seen include domain membership enforcement and zero trust posture validation. Below are working examples.

Validate Client is using FIPS compliant ciphers

set global-protect global-protect-portal Portal client-config configs Default hip-collection custom-checks windows registry-key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy registry-value Enabled
set global-protect global-protect-portal Portal client-config configs Default hip-collection custom-checks windows registry-key "HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings" registry-value [ fips-cc-mode-enabled fips-cc-mode-gps-selftest-result ]
 
set profiles hip-objects GP-FIPS-Config custom-checks criteria registry-key "HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings" negate no registry-value fips-cc-mode-enabled negate no value-data yes
set profiles hip-objects Windows-FIPS-Config custom-checks criteria registry-key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy negate no registry-value Enabled negate no value-data 1
set profiles hip-profiles FIPS-Configured match '"GP-FIPS-Config" and "Windows-FIPS-Config"'
set profiles hip-profiles FIPS-Unconfigured match 'not "FIPS-Configured"'
 
set profiles hip-objects FIPS-Selftest-Successful custom-checks criteria registry-key "HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings" negate no registry-value fips-cc-mode-gps-selftest-result negate no value-data successful
set profiles hip-profiles FIPS-Selftest-Unsuccessful match 'not "FIPS-Selftest-Successful"'

First we configure the GP agent to collect the registry settings (the hip-collection lines above).

Then we tell the firewall how to evaluate that evidence (the hip-objects lines).

Profiles are built from object results (the hip-profiles lines).

With custom checks we have to tell the agent to collect the data (unlike the standard HIP object categories, which the GP agent collects by default). We then create HIP objects as direct evaluations of that evidence, with each object focused on a single clear goal. HIP profiles layer in more complex logic on top of those objects. One of the most powerful patterns is simply negating an object you’ve created – like “not in the domain.”

Validate Domain Membership

set profiles hip-objects DOMAIN-steveborba.com host-info criteria domain is steveborba.com
set profiles hip-profiles Not-Domain match 'not "DOMAIN-steveborba.com"'

Endpoint Protection

set profiles hip-objects Defender-ATP-Installed anti-malware exclude-vendor no criteria is-installed yes
set profiles hip-objects Defender-ATP-Installed anti-malware vendor "Microsoft Corporation" product "Microsoft Defender ATP"

set profiles hip-objects Defender-ATP-Good anti-malware exclude-vendor no criteria is-installed yes real-time-protection yes virdef-version within days 7
set profiles hip-objects Defender-ATP-Good anti-malware vendor "Microsoft Corporation" product "Microsoft Defender ATP"

set profiles hip-profiles Defender-ATP-Missing match 'not "Defender-ATP-Installed"'
set profiles hip-profiles Defender-ATP-Bad match '"Defender-ATP-Installed" and not "Defender-ATP-Good"'

set profiles hip-objects realtime-antimalware anti-malware exclude-vendor no criteria is-installed yes real-time-protection yes virdef-version within days 2
set profiles hip-objects realtime-antimalware-old anti-malware exclude-vendor no criteria is-installed yes real-time-protection yes virdef-version not-within days 2

Host based Firewall

set profiles hip-objects Firewall-Enabled firewall exclude-vendor no criteria is-enabled yes is-installed yes
set profiles hip-profiles Firewall-Bad match 'not "Firewall-Enabled"'

System/Patch Management

set profiles hip-objects Intune-Installed patch-management exclude-vendor no criteria is-installed yes missing-patches check has-any
set profiles hip-objects Intune-Installed patch-management vendor "Microsoft Corporation" product "Microsoft Intune Management Extension"
set profiles hip-profiles Intune-Missing match 'not "Intune-Installed"'

set profiles hip-objects Windows-Update-Good patch-management exclude-vendor no criteria is-installed yes is-enabled yes missing-patches check has-any
set profiles hip-objects Windows-Update-Good patch-management vendor "Microsoft Corporation" product "Windows Update Agent"

set profiles hip-objects Missing-Patches patch-management exclude-vendor no criteria is-installed yes missing-patches check has-any severity greater-than 1

OS Validation

set profiles hip-objects Windows-Any host-info criteria os contains Microsoft All
set profiles hip-objects Windows-11 host-info criteria os contains Microsoft "Windows 11"
set profiles hip-objects Windows-11-Enterprise host-info criteria os contains Microsoft "Windows 11 Enterprise"
set profiles hip-objects Windows-10 host-info criteria os contains Microsoft "Windows 10"
set profiles hip-objects Windows-10-Enterprise host-info criteria os contains Microsoft "Windows 10 Enterprise"

set profiles hip-profiles Windows-11-Not-Enterprise match '"Windows-11" and not "Windows-11-Enterprise"'
set profiles hip-profiles Windows-10-Not-Enterprise match '"Windows-10" and not "Windows-10-Enterprise"'
set profiles hip-profiles Standard-OS match '"Windows-10-Enterprise" or "Windows-11-Enterprise"'
set profiles hip-profiles Not-Standard-OS match 'not "Standard-OS"'

set profiles hip-objects Linux host-info criteria os contains Linux All
set profiles hip-objects "Google OS" host-info criteria os contains Google All
set profiles hip-objects iOS host-info criteria os contains Apple iOS
set profiles hip-profiles "Mobile OS" match '"Google OS" or "iOS"'

Disk Encryption

set profiles hip-objects encrypted_c disk-encryption exclude-vendor no criteria is-installed yes encrypted-locations c encryption-state is encrypted
set profiles hip-objects not_encrypted_c disk-encryption exclude-vendor no criteria is-installed yes encrypted-locations c encryption-state is-not encrypted

Tie it together

set profiles hip-profiles Healthy match '"DOMAIN-steveborba.com" and "Defender-ATP-Good" and "encrypted_c" and "Firewall-Enabled" and "Intune-Installed" and "Windows-Update-Good"'
set profiles hip-profiles Unhealthy match '"DOMAIN-steveborba.com" and not "Healthy"'
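To see how profiles layer logic on top of objects (the pattern described above, and the Healthy/Unhealthy pair just configured), here is an added Python evaluator that is not part of this post or of PAN-OS: it walks a profile's match string against a constructed HIP report in which each object has already been decided true or false. The not > and > or precedence and the parenthesis grouping are assumptions, since the expressions on this page never mix operators.

```python
import re

# Profile expressions copied from the 'set profiles hip-profiles ... match' lines on this page.
PROFILES = {
    "Defender-ATP-Bad": '"Defender-ATP-Installed" and not "Defender-ATP-Good"',
    "Healthy": '"DOMAIN-steveborba.com" and "Defender-ATP-Good" and "encrypted_c" and "Firewall-Enabled" and "Intune-Installed" and "Windows-Update-Good"',
    "Unhealthy": '"DOMAIN-steveborba.com" and not "Healthy"',
}

# Constructed HIP report for one endpoint: key = HIP object name, value = whether it matched.
STALE_LAPTOP = {
    "DOMAIN-steveborba.com": True, "Defender-ATP-Installed": True, "Defender-ATP-Good": False,
    "encrypted_c": True, "Firewall-Enabled": True, "Intune-Installed": True, "Windows-Update-Good": True,
}

_TOKEN = re.compile(r'\s*(?:"([^"]+)"|(and|or|not|\(|\)))')

def tokenize(expr):
    """Split a match expression into ('name', X) and ('kw', X) tokens; anything else is an error."""
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"bad token at {pos}: {expr[pos:]!r}")
        tokens.append(("name", m.group(1)) if m.group(1) else ("kw", m.group(2)))
        pos = m.end()
    return tokens

def evaluate(name, objects, profiles=PROFILES):
    """Objects come straight from the report; profiles are expressions over objects and other profiles."""
    if name in objects:
        return objects[name]
    toks, pos = tokenize(profiles[name]), [0]   # pos is a one-element list so closures can advance it
    def at(kw):  # is the next token this keyword?
        return pos[0] < len(toks) and toks[pos[0]] == ("kw", kw)
    def factor():  # not-expression, parenthesised group, or a name resolved recursively
        kind, val = toks[pos[0]]; pos[0] += 1
        if (kind, val) == ("kw", "not"):
            return not factor()
        if (kind, val) == ("kw", "("):
            v = or_expr(); pos[0] += 1; return v   # consume the closing ')'
        return evaluate(val, objects, profiles)
    def and_expr():
        v = factor()
        while at("and"):
            pos[0] += 1; v = factor() and v
        return v
    def or_expr():
        v = and_expr()
        while at("or"):
            pos[0] += 1; v = and_expr() or v
        return v
    return or_expr()
```

Note that a host outside the domain matches neither Healthy nor Unhealthy, because both profiles require the domain object; that is why Not-Domain exists as its own profile.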

Then we create the security policy rules that use these HIP profiles as match criteria, which is what actually carries out the plan.
