Today we will be focusing on the Host Information Profile (HIP) feature of Palo Alto Networks firewalls. Those of you who have been in the game for some time might find some resemblance to Microsoft's Network Policy Server (NPS), which you can use together with a RADIUS server to perform health checks and then either allow or deny clients joining the network. Normally you use RADIUS and NPS along with 802.1X, putting non-compliant clients in a remediation network until they become compliant and can join the production network. The same idea has become popular on firewalls as well, at least on modern next-generation firewalls, and Palo Alto Networks firewalls happen to be just that.
In an ideal world your users' devices would always be connected to your VPN solution so that they benefit from all the security features your Palo Alto Networks firewall has to offer, from URL filtering to WildFire and the ability to catch and block zero-day exploits. That is, however, just the ideal scenario. Users tend to find VPN solutions restrictive or tedious to use; "restrictive" is the main complaint I meet in the market when working with clients. Security has its price, either restrictions or expensive tools, but the alternative is not caring about security and getting pwned. You do not need to look far: just check the statistics published by SANS or any other institution on the number of attacks and companies infected by viruses and trojans. The increasing trend of the last couple of years has been crypto viruses, i.e. ransomware. Most modern operating systems have some sort of built-in tooling that prevents, or at least provides preventative measures against, known attack patterns. But again, our users tend to either not use these features or deliberately turn them off. So how can you at least make sure that devices connecting to your corporate network have some basic security measures in place, and gain some confidence in the security posture of the device being connected? For GlobalProtect VPN on Palo Alto Networks firewalls, HIP is the feature that gives you those tools.
In this blog post I am going to describe how to set up this feature and provide some troubleshooting tips as well. Let's start with the basics.
Basic requirements for HIP
Basic GlobalProtect (the Windows and macOS app connecting to a portal and gateways) works without a license, but a GlobalProtect subscription (called the GlobalProtect Gateway license in PAN-OS 8.1) is required on every gateway that performs HIP checks, and likewise for the other advanced features such as the GlobalProtect app for mobile devices, GlobalProtect for Linux endpoints and split tunnel scenarios. For a complete list and more details regarding licence requirements have a look at https://docs.paloaltonetworks.com/globalprotect/8-1/globalprotect-admin/globalprotect-overview/about-globalprotect-licenses.html
Configuration of HIP for GlobalProtect
The first configuration step is to enable HIP data collection on the GlobalProtect portal. In the web interface go to Network > GlobalProtect > Portals, open your portal configuration (mine is GP_Portal_DUO in this example) and go to the Agent tab. Double-click the agent configuration you want to change.
Then navigate to HIP Data Collection and tick Collect HIP Data.
HIP data collection can be turned on without any impact on your remote clients: once enabled, the GlobalProtect app submits a HIP report when it connects and then periodically (hourly by default), and nothing is enforced yet. This is very helpful during the initial setup of HIP, because you can see which objects and profiles the endpoints match and whether they match the intended audience, before you start using HIP profiles in firewall rules.
The next step in the configuration is to create HIP objects, which you can think of as individual checks. These are the checks you are going to perform in order to either allow or deny access to certain resources within your environment. Normally you create HIP objects per operating system with some matching criteria. When I set up HIP I create HIP objects for at least Windows and Macs; in some cases Linux machines are a good candidate to include as well. If you have clients using tablets and mobile phones with GlobalProtect, it is also a good idea to define what users are allowed to do from these devices as compared to a normal computer. HIP objects and profiles give you the flexibility to restrict certain firewall rules to certain types of devices.
The figure below shows a HIP object describing the OS requirement and the antivirus/antimalware requirement.
Set up an additional object for each check and you end up with a number of HIP objects.
The logic behind having a single check per object is that a HIP object either matches or it does not; if it does not match, that requirement is not being met. If you check antivirus in one HIP object, the host firewall in another and Windows updates in a third, you can see for each client exactly which of the checks it passes and which it fails. With everything in one object you only see that the object does not match, with no idea why. Keeping the checks separate makes management and troubleshooting considerably easier. Once you have created the HIP objects you combine them into HIP profiles, where objects are joined with AND, OR and NOT into a match expression. These HIP profiles are what you reference in firewall rules. As soon as the objects exist you start to see them being matched (Monitor > HIP Match) by clients connecting through GlobalProtect.
The next step in the configuration is to attach these HIP profiles to security rules under Policies > Security, so that a rule only matches traffic from endpoints whose HIP report matches the profile.
GlobalProtect HIP troubleshooting
Most of the troubleshooting for HIP is performed in the Monitor tab. Under Monitor > HIP Match you can see which profiles and objects are being matched by which endpoints. As with traffic and threat logs, you can view the details by clicking the magnifying glass; here you will be able to see the entire HIP report the endpoint submitted.
As you can see there are a lot of options that can be configured, but just because they can be configured does not mean they should be. Start simple and build the checks according to your requirements and your organization's needs. Far too many projects remain incomplete because of an over-ambitious start and fading effort when things do not go as planned. When you have got the basic profiles working as per your company requirements, you can add registry checks or any other custom checks you want. Add features layer by layer. Another thing worth remembering while troubleshooting is to verify that every HIP object is being matched as intended and that the profile is being evaluated as intended. A single HIP object that fails to match makes the whole profile evaluate as non-compliant, so the security rule no longer matches and the user loses access to the resources behind it.
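The "one check per object" approach above lends itself to automation: if a HIP object only produces a HIP Match log when it matches, then the expected objects that are absent for an endpoint are exactly the checks it failed. The script below is an added example written for this post, not code from Palo Alto Networks. It builds the query strings for the documented PAN-OS XML API log retrieval calls (type=log, log-type=hipmatch, then action=get with the job-id), parses the returned entries and reports the missing objects per endpoint. The response sample is constructed, the HIP object and profile names are hypothetical, and the field names (srcuser, machinename, os, src, matchname, matchtype) follow the HIP Match log columns and should be checked against a real export from your own firewall.

```python
"""Summarise GlobalProtect HIP match logs per endpoint (added example)."""
import xml.etree.ElementTree as ET
from collections import defaultdict
from urllib.parse import urlencode

# One HIP object per check, as recommended in the post. Names are hypothetical.
# An endpoint is compliant when every object listed for its OS family shows up
# in the HIP match log.
EXPECTED_BY_OS = {
    "Microsoft Windows": {"Win-OS", "Win-AV", "Win-Firewall", "Win-Patches"},
    "Apple Mac OS X": {"Mac-OS", "Mac-AV"},
}

# Constructed sample of a finished hipmatch log job as returned by the XML API.
SAMPLE_HIPMATCH_XML = r"""<response status="success"><result><job><status>FIN</status></job><log><logs count="8">
<entry logid="1"><srcuser>acme\alice</srcuser><machinename>ALICE-LAPTOP</machinename><os>Microsoft Windows 10 Pro, 64-bit</os><src>10.10.1.20</src><matchname>Win-OS</matchname><matchtype>object</matchtype></entry>
<entry logid="2"><srcuser>acme\alice</srcuser><machinename>ALICE-LAPTOP</machinename><os>Microsoft Windows 10 Pro, 64-bit</os><src>10.10.1.20</src><matchname>Win-AV</matchname><matchtype>object</matchtype></entry>
<entry logid="3"><srcuser>acme\alice</srcuser><machinename>ALICE-LAPTOP</machinename><os>Microsoft Windows 10 Pro, 64-bit</os><src>10.10.1.20</src><matchname>Win-Firewall</matchname><matchtype>object</matchtype></entry>
<entry logid="4"><srcuser>acme\alice</srcuser><machinename>ALICE-LAPTOP</machinename><os>Microsoft Windows 10 Pro, 64-bit</os><src>10.10.1.20</src><matchname>Win-Patches</matchname><matchtype>object</matchtype></entry>
<entry logid="5"><srcuser>acme\alice</srcuser><machinename>ALICE-LAPTOP</machinename><os>Microsoft Windows 10 Pro, 64-bit</os><src>10.10.1.20</src><matchname>Win-Compliant</matchname><matchtype>profile</matchtype></entry>
<entry logid="6"><srcuser>acme\bob</srcuser><machinename>BOB-LAPTOP</machinename><os>Microsoft Windows 10 Pro, 64-bit</os><src>10.10.1.21</src><matchname>Win-OS</matchname><matchtype>object</matchtype></entry>
<entry logid="7"><srcuser>acme\bob</srcuser><machinename>BOB-LAPTOP</machinename><os>Microsoft Windows 10 Pro, 64-bit</os><src>10.10.1.21</src><matchname>Win-AV</matchname><matchtype>object</matchtype></entry>
<entry logid="8"><srcuser>acme\carol</srcuser><machinename>CAROL-MBP</machinename><os>Apple Mac OS X 10.14.6</os><src>10.10.1.30</src><matchname>Mac-OS</matchname><matchtype>object</matchtype></entry>
</logs></log></result></response>"""


def hipmatch_job_params(api_key, query="", nlogs=500):
    """Query string for the XML API call that starts a HIP match log job
    (GET https://<firewall>/api/?...). The firewall answers with a job id."""
    params = {"type": "log", "log-type": "hipmatch", "nlogs": nlogs, "key": api_key}
    if query:  # same filter syntax as the Monitor > HIP Match filter bar
        params["query"] = query
    return urlencode(params)


def hipmatch_result_params(api_key, job_id):
    """Query string that fetches the entries of a finished log job."""
    return urlencode({"type": "log", "action": "get", "job-id": job_id, "key": api_key})


def parse_hipmatch_xml(xml_text):
    """Flatten the <entry> elements of a hipmatch log response into dicts.
    Field names assumed from the HIP Match log columns; verify on your firewall."""
    root = ET.fromstring(xml_text)
    fields = ("srcuser", "machinename", "os", "src", "matchname", "matchtype")
    return [{f: (e.findtext(f) or "").strip() for f in fields} for e in root.iter("entry")]


def missing_objects(entries, expected_by_os):
    """Per endpoint (machine, user), the expected HIP objects that never logged a match.

    A HIP object only logs when it matches, so with one check per object the
    absent objects are exactly the checks the endpoint failed. Profile matches
    are ignored here, and endpoints whose OS string starts with none of the
    known families are skipped.
    """
    matched = defaultdict(set)
    os_of = {}
    for e in entries:
        key = (e["machinename"], e["srcuser"])
        os_of[key] = e["os"]
        if e["matchtype"] == "object":
            matched[key].add(e["matchname"])
    report = {}
    for key, os_name in os_of.items():
        for family, expected in expected_by_os.items():
            if os_name.startswith(family):
                report[key] = sorted(expected - matched[key])
                break
    return report


if __name__ == "__main__":
    gaps_by_endpoint = missing_objects(parse_hipmatch_xml(SAMPLE_HIPMATCH_XML), EXPECTED_BY_OS)
    for (machine, user), gaps in gaps_by_endpoint.items():
        status = "compliant" if not gaps else "missing " + ", ".join(gaps)
        print(f"{machine:<14} {user:<12} {status}")
```

Against a real firewall you would issue the two API calls in order (start the job, poll until the job status is FIN, then fetch the result) and feed the result body to parse_hipmatch_xml. In the constructed sample ALICE-LAPTOP matches all four Windows objects and the Win-Compliant profile, BOB-LAPTOP is missing the firewall and patch checks, and CAROL-MBP is missing its antivirus check, which is exactly the per-check view you otherwise have to assemble by hand from the Monitor tab.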
Informing and notifying users
When you are implementing HIP it is important to give your end users valuable information about their client's health. For example, if you limit file (SMB) access to computers that meet certain criteria, then this should be conveyed to the users so that they can make sure that the computer or device they use with GlobalProtect VPN meets the policy requirements. Thanks to gateway HIP notifications, the GlobalProtect app on clients connecting to your gateway can inform the end user about policy compliance or non-compliance. You can, and should, add descriptive messages stating the requirements as well as remediation steps for the users.
You configure the messages under Network > GlobalProtect > Gateways, in the gateway configuration's Agent tab under HIP Notification.
You can configure a message for Match and for Not Match, meaning the message is shown either when the HIP profile matches or when it does not. Be careful when assigning messages to profiles: showing a Windows message on Macs and vice versa is of no benefit to the users and will only cause confusion.
I hope you find this blog post helpful. I know for sure that a number of these things would have been very beneficial to know in those early days when I was working with Palo Alto Networks firewalls, and especially with GlobalProtect. If you have any questions, feel free to post them in the comments section or become a member of the blog to send direct messages. I will try to answer any questions as soon as I can, but no warranties, at least with regard to promptness. Good luck implementing HIP in your GlobalProtect installation.