Palo Alto Networks Proactive Alert (GlobalProtect HIP Check)

Posted: 17/05/2015

Palo Alto have informed Teneo this week of a critical issue in the GlobalProtect clients for the Macintosh and Windows operating systems. This issue can cause the clients that connect and perform a Host Information Profile (HIP) check to fail the HIP check regardless if the computer meets the required policy. The HIP check is configured by policy in the firewall and may have different actions taken depending on the results of the check, but due to the recently discovered issue, it is possible that users will be blocked from accessing authorized applications.

Affected versions: This issue impacts customers running the following GlobalProtect client versions:

• 2.2.0
• 2.1.3 (and earlier)
• 2.0.4 (and earlier)
• 1.2.10 (and earlier)

The issue only exists if HIP profiles are in use. This does not affect deployments where HIP checking is not used and this does not impact any Apple iOS or Google Android GlobalProtect clients.

Workaround: A workaround is available for impacted customers. Essentially, HIP checks need to be turned off and there are two ways to accomplish this.

1. The first option is to change the rules in the security policy that use HIP profiles to account for the lack of HIP checking. For some rules, this may mean removing the HIP profile, for others, it may mean disabling the entire rule. If removing the HIP profile from the rule, clone it first and disable the rule so you can quickly restore the original rule later.
   
   
2. Alternatively, it’s possible to change the HIP profiles to nullify the HIP checks. Do this by forcing the HIP profile to always evaluate to either true or false depending on the intent of the profile. For profiles that need to evaluate to true, add an OR condition that will cause it to always be true. For profiles that need to evaluate to false, add an AND condition that will cause it to always be false.

With either workaround, it is recommended that HIP notifications are also disabled to avoid confusing the end users with incorrect messages.

Expected availability of a fix: Palo Alto Networks is working on a fix for the clients that encounter this issue. The fixed GlobalProtect clients will be posted on the support page and listed in the available software page in the GUI and will be available for customers with active support contracts. We expect GlobalProtect 2.2.1 to be released Today, Sunday May 17 2015, followed quickly by releases for 2.1, 2.0, and 1.2.

As always, please contact support if you have any questions or would like assistance. Palo Alto are diligently working to address the issue and apologize for any inconvenience.

Keep up to date with the latest news

We will be keeping up to date with all the latest information and updates, so please get in touch with any questions or concerns at support@teneo.net

To keep up to date with what we know, follow us on Twitter