Configure HIP Exceptions for Patch Management

Configure GlobalProtect app to exclude specific patches from endpoint HIP report, preventing failures due to frequent patch updates.
Where Can I Use This?
  • NGFW (managed by Panorama or Strata Cloud Manager)
  • Prisma Access (managed by Panorama or Strata Cloud Manager)
What Do I Need?
  • GlobalProtect Gateway license or Prisma Access license with the Mobile User subscription
  • GlobalProtect app version 6.2 or later for Windows, macOS, or Linux
  • Content release version 8699-7991 or later
Use the following procedure to configure the GlobalProtect app to exempt specific security patches from being reported as missing in the endpoint HIP report. This prevents an endpoint from failing a HIP check only because a very recent patch has not been installed yet, which matters where patch updates happen frequently (for example, some organizations push threat-related patch updates several times a day).
  1. Define the patches you want to exclude from the HIP report and the date until which to exclude them.
    If you are using Strata Cloud Manager (NGFW), then
    1. On Strata Cloud Manager (NGFW), select Configuration > NGFW and Prisma Access > Configuration Scope > All Firewalls > Device > GlobalProtect > Agent Settings > Add Agent App Settings.
    2. On the Add Agent App Settings page, under HIP Data Collection, select Show Advanced Options > Exclude Categories, and then edit the Exclude Categories.
    3. Click Add and select the Category as Patch Management and add the Vendor.
    If you are using Strata Cloud Manager (Prisma Access), then:
    1. On Strata Cloud Manager (Prisma Access), select Configuration > NGFW and Prisma Access > Configuration Scope > Prisma Access > Mobile Users Container > GlobalProtect > Setup > GlobalProtect App > App Settings <default>.
    2. On the Default page, under HIP Data Collection, select Show Advanced Options > Exclude Categories, and then edit the Exclude Categories.
    3. Click Add and select the Category as Patch Management and add the Vendor.
    If you are using the firewall or Panorama web interface, then:
    1. On the firewall that is hosting your GlobalProtect portal (or on Panorama), select Network > GlobalProtect > Portals.
    2. Select the portal configuration that you want to modify.
    3. On the Agent tab, select the agent configuration from which to exclude categories, or Add a new one.
    4. Under Exclude Categories, Add a new exclude category.
    5. Select patch-management as the Category and then Add the Vendor.
    6. Specify the patch name or number (the <kb-article-id> value) and, optionally, the date (MM/DD/YYYY) until which the patch is excluded from the HIP report.
      Use the following format:
      Exclude:[kb-article-id1: MM/DD/YYYY], [kb-article-id2: MM/DD/YYYY]
      Here kb-article-id is the number carried in the <kb-article-id> field of the HIP report (for example, 2267602 in <kb-article-id>2267602</kb-article-id>), and MM/DD/YYYY is the date up to which that patch is excluded. If you omit the date, the patch is excluded indefinitely; an entry without a date suppresses that patch in HIP checks until you remove it, so prefer a date for anything that is a genuine security patch.
      Enter the KB article ID in the same format in which it is displayed in the logs (the bare number, as in the example above), so that it matches the reported value.
      Repeat this step for each patch you want to exclude from the HIP report.
      If you want to exclude all patches from a specific vendor, you would just exclude the entire category instead of specifying specific patches.
  2. To save the settings, click OK and then Commit your changes.
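The exclusion string above is easy to get subtly wrong (a typo in the KB number, an impossible date, a forgotten "Exclude:" prefix), and a mistake is only discovered when an endpoint unexpectedly passes or fails HIP. The following script is an added example, not Palo Alto Networks code and not the GlobalProtect agent's own logic: it parses a Product string in the documented format, rejects malformed entries, and shows which missing patches a HIP report would still flag on a given day. It assumes (the page does not say) that the date bound is inclusive, that the literal "Exclude:" prefix is required, and that KB IDs are compared as bare numbers; the sample string and the placeholder IDs 1000001 and 1000002 are constructed for the example.

```python
"""Validate and evaluate GlobalProtect HIP patch-management exclusion strings.

Added example; not Palo Alto Networks code and not the agent's own logic.
It parses the documented Product string format
    Exclude:[kb-article-id1: MM/DD/YYYY], [kb-article-id2: MM/DD/YYYY]
and reports which missing patches would still be flagged on a given day.
Assumptions not stated on the page: a date bound is inclusive (the patch is
excluded through that day and reported again the next day); the literal
"Exclude:" prefix is required; KB IDs are compared as bare numbers.
"""
import re
from dataclasses import dataclass
from datetime import date, datetime
from typing import Dict, Iterable, List, Optional

# One "[<digits>]" or "[<digits>: MM/DD/YYYY]" entry.
_ENTRY = r"\[\s*(\d+)\s*(?::\s*(\d{2}/\d{2}/\d{4}))?\s*\]"
_ENTRY_RE = re.compile(_ENTRY)
# Whole body: one entry, optionally followed by comma-separated entries, nothing else.
_LIST_RE = re.compile(r"^\s*" + _ENTRY + r"(?:\s*,\s*" + _ENTRY + r")*\s*$")
_PREFIX = "Exclude:"


@dataclass(frozen=True)
class Exclusion:
    kb_id: str
    until: Optional[date]  # None: excluded from the HIP report indefinitely

    def active_on(self, day: date) -> bool:
        # Assumption: the end date itself is still excluded.
        return self.until is None or day <= self.until


def normalize_kb(kb: str) -> str:
    """Strip an optional 'KB' prefix so 'KB2267602' and '2267602' compare equal (assumption)."""
    kb = kb.strip()
    return kb[2:] if kb[:2].upper() == "KB" else kb


def parse_exclusions(product_string: str) -> Dict[str, Exclusion]:
    """Parse the Product string; raise ValueError on anything malformed.

    Rejected: missing 'Exclude:' prefix, stray text outside the brackets,
    impossible dates such as 02/30/2025, and a KB ID listed twice.
    """
    s = product_string.strip()
    if not s.startswith(_PREFIX):
        raise ValueError(f"string must start with {_PREFIX!r}")
    body = s[len(_PREFIX):]
    if not _LIST_RE.match(body):
        raise ValueError("expected a comma-separated list of [kb-id: MM/DD/YYYY] entries")
    exclusions: Dict[str, Exclusion] = {}
    for m in _ENTRY_RE.finditer(body):
        kb_id, date_text = m.group(1), m.group(2)
        # strptime raises ValueError for calendar-invalid dates.
        until = datetime.strptime(date_text, "%m/%d/%Y").date() if date_text else None
        if kb_id in exclusions:
            raise ValueError(f"KB {kb_id} listed more than once")
        exclusions[kb_id] = Exclusion(kb_id, until)
    return exclusions


def is_valid(product_string: str) -> bool:
    """True if the string parses under the rules above."""
    try:
        parse_exclusions(product_string)
        return True
    except ValueError:
        return False


def still_reported(product_string: str, missing_kbs: Iterable[str], on: date) -> List[str]:
    """Return the missing KB IDs that the HIP report would still flag on day `on`."""
    exclusions = parse_exclusions(product_string)
    flagged = []
    for kb in missing_kbs:
        kb_id = normalize_kb(kb)
        exc = exclusions.get(kb_id)
        if exc is None or not exc.active_on(on):
            flagged.append(kb_id)
    return flagged


# Constructed sample: the page's 2267602 plus two placeholder IDs.
SAMPLE_EXCLUDE = "Exclude:[2267602: 09/30/2025], [1000001]"
SAMPLE_MISSING = ["2267602", "KB1000001", "1000002"]  # constructed "missing patches" list


def sample_report(iso_day: str) -> List[str]:
    """Run the constructed sample for a YYYY-MM-DD day."""
    return still_reported(SAMPLE_EXCLUDE, SAMPLE_MISSING, date.fromisoformat(iso_day))


if __name__ == "__main__":
    for day in ("2025-09-30", "2025-10-01"):
        print(day, "->", sample_report(day))
```

Run it before you commit a new exclusion string: on 2025-09-30 only the placeholder 1000002 is still reported, and on 2025-10-01 patch 2267602 is reported again because its date bound has passed, while 1000001 stays suppressed for as long as the undated entry remains in the configuration.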