Configure HIP Exceptions for Patch Management

Configure the GlobalProtect app to exclude specific patches from the endpoint HIP report, preventing HIP check failures caused by frequent patch updates.
Where Can I Use This? / What Do I Need?
  • Prisma Access
  • GlobalProtect Subscription
  • Prisma Access Mobile Users license (for use with Prisma Access)
  • GlobalProtect app version 6.2 or later for Windows, macOS, or Linux
  • Content release version 8699-7991 or later
Use the following procedure to configure the GlobalProtect app to exempt specific security patches from being reported as missing in the endpoint HIP report. This prevents the endpoint from failing the HIP check in cases where patch updates happen frequently (for example, some companies update their patches multiple times a day with threat updates).
  1. Define the patches you want to exclude from the HIP report and the date until which to exclude them.
    1. On the firewall that is hosting your GlobalProtect portal, select Network > GlobalProtect > Portals.
    2. Select the portal configuration that you want to modify.
    3. On the Agent tab, select the agent configuration from which to exclude categories, or Add a new one.
    4. Under Exclude Categories, Add a new exclude category.
    5. Select patch-management as the Vendor and then Add the vendor.
    6. Specify the patch name or number <kb-article-id value> and optionally a date <MM/DD/YYYY> until which you want to exclude the patch updates from the HIP report.
      Use the following format:
      Exclude:[kb-article-id1: MM/DD/YYYY], [kb-article-id2: MM/DD/YYYY]
      Where the kb-article-id value is the number in the attribute, for example <kb-article-id>2267602</kb-article-id>, and MM/DD/YYYY specifies the date up to which the patch is excluded from the HIP report. If you do not set a date, the patch is excluded from the HIP report indefinitely. If you set a date, the patch is excluded until the specified date.
      The Kb-article id should be in the same format displayed in the logs, for example:
      Repeat this step for each patch you want to exclude from the HIP report.
      If you want to exclude all patches from a specific vendor, exclude the entire category instead of specifying individual patches.
  2. To save the settings, click OK and then Commit your changes.
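
The exclusion format from step 1.6, as an added example (not Palo Alto Networks code): a Python helper that parses an Exclude: value and flags entries with no end date or with an end date already past, so exceptions can be reviewed before you commit. The undated form [kb-article-id], the sample IDs other than 2267602, and treating the end date as inclusive are assumptions.

```python
import re
from datetime import date, datetime

# One bracketed entry: [kb-article-id] (assumed undated form) or [kb-article-id: MM/DD/YYYY]
ENTRY = re.compile(r"\[\s*([^\]:]+?)\s*(?::\s*([^\]]*?)\s*)?\]")

def parse_exclusions(value):
    """Return [(kb_id, end_date_or_None), ...] from an 'Exclude:' string."""
    prefix, sep, body = value.partition(":")
    if not sep or prefix.strip().lower() != "exclude":
        raise ValueError("value must start with 'Exclude:'")
    # Anything outside the bracketed entries must be commas or whitespace.
    leftover = ENTRY.sub("", body).strip(", \t")
    if leftover:
        raise ValueError(f"unparsed text: {leftover!r}")
    entries = []
    for m in ENTRY.finditer(body):
        end = None
        if m.group(2) is not None:
            # strptime raises ValueError on an empty or malformed date
            end = datetime.strptime(m.group(2), "%m/%d/%Y").date()
        entries.append((m.group(1), end))
    return entries

def audit(value, today):
    """Classify each entry as 'indefinite', 'expired' or 'active'."""
    report = {}
    for kb_id, end in parse_exclusions(value):
        if end is None:
            report[kb_id] = "indefinite"  # never re-enters the HIP report
        elif end < today:                 # assumption: end date is inclusive
            report[kb_id] = "expired"     # stale entry, candidate for removal
        else:
            report[kb_id] = "active"
    return report

# Constructed sample value; only 2267602 appears on this page.
SAMPLE = "Exclude:[2267602: 01/31/2030], [5034441: 03/15/2020], [4052623]"

if __name__ == "__main__":
    for kb_id, status in audit(SAMPLE, date.today()).items():
        print(f"{kb_id}: {status}")
```

Entries reported as indefinite are the ones to justify explicitly, since a patch excluded without a date never counts as missing again.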