Lab 12 Configuring HIP For Global Protect


PAN8 CYBERSECURITY ESSENTIALS

Lab 12: Configuring HIP for GlobalProtect


Document Version: 2018-07-02

Copyright © 2018 Network Development Group, Inc.


www.netdevgroup.com

NETLAB Academy Edition, NETLAB Professional Edition, and NETLAB+ are registered trademarks of Network Development Group, Inc.

Palo Alto Networks and the Palo Alto Networks logo are trademarks or registered trademarks of Palo Alto Networks, Inc.
Lab 12: Configuring HIP for Global Protect

Contents
Introduction
Objective
Lab Topology
Lab Settings
12 Lab: Configuring HIP for Global Protect
    12.0 Load Lab Configuration
    12.1 Download the GlobalProtect Agent
    12.2 Create a HIP Object
    12.3 Create a HIP Profile
    12.4 Modify Security Policy to Add HIP Profile
    12.5 Modify GlobalProtect Gateway to Add a HIP Notification and Commit
    12.6 Configure and Connect the GlobalProtect Agent for Network Access
    12.7 Install the ClamWin Antivirus Software
    12.8 Reconnect the GlobalProtect Agent for Network Access

7/2/2018 Copyright © 2018 Network Development Group, Inc. www.netdevgroup.com Page 2



Introduction

In this lab, you will download and install GlobalProtect™ while utilizing a HIP Object
within a HIP Profile. ClamWin antivirus software will also be used within the HIP Profile
to configure GlobalProtect to only connect when ClamWin is installed. Using HIP profiles
for policy enforcement enables a granular security approach that ensures the remote
hosts and client machines accessing the network are properly maintained and adhere
to the security policies in place.

Objective

In this lab, you will perform the following tasks:

• Download the GlobalProtect Agent
• Create a HIP Object
• Create a HIP Profile
• Modify Security Policy to Add HIP Profile
• Modify GlobalProtect Gateway to Add a HIP Notification and Commit
• Configure and Connect the GlobalProtect Agent for Network Access
• Install the ClamWin Antivirus Software
• Reconnect the GlobalProtect Agent for Network Access


Lab Topology


Lab Settings

The information in the table below will be needed in order to complete the lab. The
task sections below provide details on the use of this information.

Virtual Machine   IP Address      Account (if needed)   Password (if needed)
Client            192.168.1.20    lab-user              Pal0Alt0
DMZ               192.168.50.10   root                  Pal0Alt0
Firewall          192.168.1.254   admin                 admin


12 Lab: Configuring HIP for Global Protect.

12.0 Load Lab Configuration

In this section, you will load the Firewall configuration file.

1. Click on the Client tab to access the Client machine.

2. Login to the Client machine as username lab-user, password Pal0Alt0.


3. Double-click the Google Chrome icon located on the Desktop.

4. In the Google Chrome address field, type https://192.168.1.254 and press Enter.

5. You will see a “Your connection is not private” message. Click on the ADVANCED
link.

If you experience the “Unable to connect” or “502 Bad Gateway”
message while attempting to connect to the specified IP above, please
wait an additional 1-3 minutes for the Firewall to fully initialize. Refresh
the page to continue.


6. Click on Proceed to 192.168.1.254 (unsafe).

7. Login to the Firewall web interface as username admin, password admin.

8. Navigate to Device > Setup > Operations > Load named configuration snapshot.


9. In the Load Named Configuration window, select pan8-ce-lab-12 from the Name
dropdown box and click OK.

10. A message will confirm the configuration has loaded. Click Close to continue.

11. Click the Commit link located at the top-right of the web interface.

12. In the Commit window, click Commit to proceed with committing the changes.


13. When the commit operation successfully completes, click Close to continue.

The Warnings displayed are normal. IPv6 has not been enabled for this
lab and therefore this warning can be ignored.

The commit process takes changes made to the Firewall and copies
them to the running configuration, which will activate all configuration
changes since the last commit.

12.1 Download the GlobalProtect Agent

In this section, you will download the GlobalProtect Agent. The GlobalProtect agent is
an application that is installed on a client system to support GlobalProtect connections
with portals and gateways.

1. Click on the New tab button.

2. In the address bar, type https://203.0.113.20 and press Enter.


3. You will see a “Your connection is not private” message. Click on the ADVANCED
link.

4. Click on Proceed to 203.0.113.20 (unsafe).


5. In the GlobalProtect Portal login screen, type lab-user for the Name field. Then,
type Pal0Alt0 for the Password field. Next, click the LOG IN button.

6. In the GlobalProtect Portal download screen, click on Download Windows 64 bit
GlobalProtect agent.

7. Click on the GlobalProtect64.msi file, located in the lower-left to install the
GlobalProtect Agent.


8. In the Open File – Security Warning window, click the Run button.

9. In the GlobalProtect window, click the Next button.


10. In the GlobalProtect window, click the Next button to confirm the default
installation folder.

11. In the GlobalProtect window, click the Next button to confirm installation.


12. In the User Account Control window, click the Yes button.

13. In the GlobalProtect window, click the Close button to complete the installation.


14. If the GlobalProtect window appears, click the minimize symbol in the upper-right.

15. Click the X on the GlobalProtect Portal tab in the upper-left.


12.2 Create a HIP Object

In this section, you will create a Host Information Profile (HIP) object. HIP Objects
provide matching criteria for filtering the raw data reported by an agent or application
to enforce policy. HIP objects are building blocks that allow administrators to create the
HIP Profiles used in Security Policies.

1. Navigate to Objects > GlobalProtect > HIP Objects > Add.


2. In the HIP Object window, type Has AV in the Name field.

3. In the HIP Object window, click the Antivirus tab. Then, click the checkbox for
Antivirus. Next, verify Is Installed is checked. Finally, click Add for the Vendor.


4. In the Edit Vendor window, select ClamWin from the Vendor dropdown. Then,
click the OK button.

5. In the HIP Object window, click the OK button.

The Has AV HIP Object will be used to confirm that the ClamWin antivirus
software is installed on the client machine.


12.3 Create a HIP Profile

In this section, you will create a HIP profile that will be combined with the HIP object
that you created. HIP Profiles allow administrators to collect information about the
security status of the end device that will be connecting to the network via
GlobalProtect.

1. Navigate to Objects > GlobalProtect > HIP Profiles > Add.

2. In the HIP Profile window, type Lab GlobalProtect Profile for the Name field.
Then, click Add Match Criteria. Next, in the HIP Objects/Profiles Builder window,
click the + icon to add Has AV to the Match field of the HIP Profile. Finally, click
the OK button.


12.4 Modify Security Policy to Add HIP Profile

In this section, you will modify the Allow-Inside-Out Security Policy to add the Lab
GlobalProtect Profile HIP Profile you created earlier.

1. Navigate to Policies > Security > Allow-Inside-Out.

2. In the Security Policy Rule window, click the User tab. Then, click Add in the HIP
Profiles section. Next, select Lab GlobalProtect Profile from the dropdown.
Finally, click the OK button.


12.5 Modify GlobalProtect Gateway to Add a HIP Notification and Commit

In this section, you will modify the gp-ext-gateway gateway to create a HIP Notification.
HIP Notification messages are what a client machine sees when a security rule, with a
Host Information Profile enabled, is enforced. Then, you will commit your changes to
the Firewall.

1. Navigate to Network > GlobalProtect > Gateways > gp-ext-gateway.

2. In the GlobalProtect Gateway Configuration window, click the Agent tab on the
left. Then, click the HIP Notification tab in the upper-right. Next, click the Add
button.


3. In the HIP Notification window, select Lab GlobalProtect Profile from the Host
Information dropdown.

4. In the HIP Notification window, click on the Match Message tab. Then, click the
Enable checkbox. Next, type You have successfully met the HIP Profile
requirement with Antivirus.

5. In the HIP Notification window, click on the Not Match Message tab. Then, click
the Enable checkbox. Next, type You have NOT successfully met the HIP Profile
requirement with Antivirus. Connection not granted. Please check your
Antivirus software and try again. Finally, click the OK button.


6. In the GlobalProtect Gateway Configuration window, verify the information and
click the OK button.

7. Click the Commit link located at the top-right of the web interface.

8. In the Commit window, click Commit to proceed with committing the changes.


9. When the commit operation successfully completes, click Close to continue.

The Warnings displayed are normal. IPv6 has not been enabled for this
lab and therefore this warning can be ignored.

12.6 Configure and Connect the GlobalProtect Agent for Network Access

In this section, you will configure and connect the GlobalProtect Agent to allow Internet
access via the HIP Policy you created.

1. Open Internet Explorer from the taskbar.

2. In the address bar, type http://google.com and press Enter.

Notice you get a This page can’t be displayed error message. The
Security Policy you enabled blocks all traffic from the inside zone to the
outside zone until a GlobalProtect connection is made.


3. In the lower-right corner of the Desktop, click on the Show hidden icons arrow.
Then, double-click the GlobalProtect Agent icon.

4. In the GlobalProtect window, type 203.0.113.20 in the Portal field. Then, type
lab-user in the Username field. Next, type Pal0Alt0 for the Password field.
Finally, click the Connect button.

5. In the Server Certificate Error window, click the Continue button.


6. You will notice that GlobalProtect is Retrieving configuration and Discovering
the network.

This process may take a few minutes to complete due to the
GlobalProtect agent scanning the end device for Antivirus software.

7. You will now notice a GlobalProtect Notification window in the lower-right. Click
the X in the upper-right to dismiss the message.

Notice the message matches the Not Match HIP notification you
created earlier. This is due to not having ClamWin installed on the
end device trying to connect to the outside zone.


8. Click on the Internet Explorer icon in the taskbar.

9. Click the refresh icon in the address bar to verify you still have no connection.

10. In the lower-right corner of the Desktop, click on the Show hidden icons arrow.
Then, right-click the GlobalProtect Agent icon. Next, click on Disable.

11. Minimize Internet Explorer in the upper-right.

12. Minimize Google Chrome in the upper-right.


12.7 Install the ClamWin Antivirus Software

In this section, you will install the ClamWin antivirus software.

1. Double-click the clamwin-0.99.1-setup.exe icon located on the Desktop.

2. In the User Account Control window, click Yes.

3. In the Setup – ClamWin Free Antivirus window, click the Next button.


4. In the Setup – ClamWin Free Antivirus window, click the I accept the agreement
radio button. Then, click the Next button.

5. In the Setup – ClamWin Free Antivirus window, click the Next button.


6. In the Setup – ClamWin Free Antivirus window, click the Next button.

7. In the Setup – ClamWin Free Antivirus window, click the Next button.


8. In the Setup – ClamWin Free Antivirus window, click the Next button.

9. In the Setup – ClamWin Free Antivirus window, click the Next button.


10. In the Setup – ClamWin Free Antivirus window, click the Install button.

11. During the installation, in the ClamWin Free Antivirus Downloading Update…
window, click the Stop button.

Remember, you do not have a successful Internet connection to
download the update.

12. In the Setup – ClamWin Free Antivirus window, click the Finish button.


12.8 Reconnect the GlobalProtect Agent for Network Access

In this section, you will reconnect the GlobalProtect Agent and test network connectivity.

1. In the lower-right corner of the Desktop, click on the Show hidden icons arrow.
Then, right-click the GlobalProtect Agent icon. Next, click on Enable.

2. In the lower-left corner of the Desktop, click on the Show hidden icons arrow.
Then, double-click the GlobalProtect Agent icon.

3. In the Server Certificate Error window, click the Continue button.

The credentials will be saved from your previous session.


4. In the GlobalProtect window, you will notice a status of Discovering network.

The agent will once again scan the end device to check against the HIP policy.

5. You will now notice a GlobalProtect Notification window in the lower-right.

Notice the message matches the Match HIP notification you created
earlier.

6. Click on the Internet Explorer icon in the taskbar.


7. Click the refresh icon in the address bar to verify you now have a connection.
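
The decision chain configured in sections 12.2 through 12.5 and exercised in 12.6 and 12.8 can be modeled as follows. This is an added example, not part of the original lab or of PAN-OS; the host report layout, the field names, and the stricter real_time_protection criterion are assumptions made for illustration.

```python
# Added example: simplified model of the HIP decision chain built in this lab.
# The report layout and field names are constructed for illustration; they are
# not the GlobalProtect HIP report format or PAN-OS configuration syntax.

def object_matches(hip_object, report):
    """A HIP object matches when one reported AV product meets every criterion."""
    for product in report.get("antivirus", []):
        if hip_object.get("is_installed") and not product.get("installed"):
            continue
        vendors = hip_object.get("vendors")
        if vendors and product.get("vendor") not in vendors:
            continue
        # Stricter criterion that the lab's Has AV object does not set.
        if hip_object.get("real_time_protection") and not product.get("real_time_protection"):
            continue
        return True
    return False

def profile_matches(profile, objects, report):
    """Model assumption: a profile is an AND over the HIP objects it lists."""
    return all(object_matches(objects[name], report) for name in profile["match"])

def evaluate(rule, profiles, objects, notifications, report):
    """Return (action, notification text) for inside-to-outside traffic."""
    matched = all(profile_matches(profiles[p], objects, report)
                  for p in rule["hip_profiles"])
    # Model assumption: traffic that fails the only allow rule is denied.
    action = "allow" if matched else "deny"
    return action, notifications["match" if matched else "not_match"]

# Names and messages below are the ones configured in sections 12.2 to 12.5.
OBJECTS = {"Has AV": {"is_installed": True, "vendors": {"ClamWin"}}}
PROFILES = {"Lab GlobalProtect Profile": {"match": ["Has AV"]}}
RULE = {"name": "Allow-Inside-Out", "hip_profiles": ["Lab GlobalProtect Profile"]}
NOTIFICATIONS = {
    "match": "You have successfully met the HIP Profile requirement with Antivirus.",
    "not_match": ("You have NOT successfully met the HIP Profile requirement with "
                  "Antivirus. Connection not granted. Please check your Antivirus "
                  "software and try again."),
}

# Constructed host reports: section 12.6 (no antivirus) and 12.8 (ClamWin installed).
BEFORE = {"antivirus": []}
AFTER = {"antivirus": [{"vendor": "ClamWin", "installed": True,
                        "real_time_protection": False}]}

# Hypothetical hardened object: same vendor, but also requires real-time protection.
STRICT_OBJECTS = {"Has AV": {**OBJECTS["Has AV"], "real_time_protection": True}}

if __name__ == "__main__":
    for label, objs, rep in [("12.6", OBJECTS, BEFORE), ("12.8", OBJECTS, AFTER),
                             ("strict", STRICT_OBJECTS, AFTER)]:
        print(label, evaluate(RULE, PROFILES, objs, NOTIFICATIONS, rep))
```

The Has AV object is a presence check only: the host passes in section 12.8 even though the definition update was stopped in section 12.7, which is why the stricter constructed object in the third case denies the same host.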
