HIP Profile Models
Overview
The HIP Profile models provide a structured way to manage Host Information Profile (HIP) profiles in Palo Alto Networks' Strata Cloud Manager. These models define the match criteria expressions used to associate HIP objects with policy rules, enabling dynamic security policy enforcement based on host posture assessments.
Attributes
| Attribute | Type | Required | Default | Description |
|---|---|---|---|---|
| name | str | Yes | None | Name of HIP profile. Max length: 31 chars. Pattern: ^[a-zA-Z\d-_. ]+$ |
| match | str | Yes | None | Match expression for the profile. Max length: 2048 chars |
| description | str | No | None | Description of the HIP profile. Max length: 255 chars |
| folder | str | No* | None | Folder where profile is defined. Max length: 64 chars |
| snippet | str | No* | None | Snippet where profile is defined. Max length: 64 chars |
| device | str | No* | None | Device where profile is defined. Max length: 64 chars |
| id | UUID | Yes** | None | UUID of the HIP profile (required for update/response) |
* Exactly one container type (folder/snippet/device) must be provided for create operations ** Only required for update and response models
Exceptions
The HIP Profile models can raise the following exceptions during validation:
- ValueError: Raised in several scenarios:
- When multiple container types (folder/snippet/device) are specified
- When no container type is specified for create operations
- When name pattern validation fails
- When field length limits are exceeded
- When invalid patterns are provided for fields
Model Validators
Container Type Validation
For create operations, exactly one container type must be specified:
from scm.models.objects import HIPProfileCreateModel
# This will raise a validation errortry:
profile = HIPProfileCreateModel(
name="windows-profile",
match='"is-win"',
folder="Shared",
device="fw01", # Can't specify both folder and device
)
except ValueError as e:
print(e) # "Exactly one of 'folder', 'snippet', or 'device' must be provided."
# This will raise a validation errortry:
profile = HIPProfileCreateModel(
name="windows-profile",
match='"is-win"',
folder="Shared",
device="fw01", # Can't specify both folder and device
)
except ValueError as e:
print(e) # "Exactly one of 'folder', 'snippet', or 'device' must be provided."
Usage Examples
Creating a Basic HIP Profile
from scm.config.objects import HIPProfile
# Using dictionarybasic_profile = {
"name": "windows-workstation",
"description": "Windows workstation profile",
"folder": "Shared",
"match": '"is-win"' # Single HIP object reference
}
hip_profile = HIPProfile(api_client)
response = hip_profile.create(basic_profile)
# Using dictionarybasic_profile = {
"name": "windows-workstation",
"description": "Windows workstation profile",
"folder": "Shared",
"match": '"is-win"' # Single HIP object reference
}
hip_profile = HIPProfile(api_client)
response = hip_profile.create(basic_profile)
Creating a Complex HIP Profile with Boolean Operators
# Using model directlyfrom scm.models.objects import HIPProfileCreateModel
complex_profile = HIPProfileCreateModel(
name="secure-workstation",
description="Secure Windows workstation profile",
folder="Shared",
match='"is-win" and "is-firewall-enabled" and "is-antivirus-running"'
)
payload = complex_profile.model_dump(exclude_unset=True)
response = hip_profile.create(payload)
complex_profile = HIPProfileCreateModel(
name="secure-workstation",
description="Secure Windows workstation profile",
folder="Shared",
match='"is-win" and "is-firewall-enabled" and "is-antivirus-running"'
)
payload = complex_profile.model_dump(exclude_unset=True)
response = hip_profile.create(payload)
Creating a HIP Profile with Negative Match
# Negative match (NOT operator)negative_profile = {
"name": "non-windows-hosts",
"description": "All non-Windows hosts",
"folder": "Shared",
"match": 'not ("is-win")' # NOT operator with parentheses
}
response = hip_profile.create(negative_profile)
"name": "non-windows-hosts",
"description": "All non-Windows hosts",
"folder": "Shared",
"match": 'not ("is-win")' # NOT operator with parentheses
}
response = hip_profile.create(negative_profile)
Updating a HIP Profile
from scm.models.objects import HIPProfileUpdateModel
from uuid import UUID
# Using model directlyupdate_model = HIPProfileUpdateModel(
id=UUID("123e4567-e89b-12d3-a456-426655440000"),
name="secure-workstation",
description="Updated secure Windows workstation profile",
match='"is-win" and "is-firewall-enabled" and "is-antivirus-running" and "is-disk-encrypted"'
)
response = hip_profile.update(update_model)
from uuid import UUID
# Using model directlyupdate_model = HIPProfileUpdateModel(
id=UUID("123e4567-e89b-12d3-a456-426655440000"),
name="secure-workstation",
description="Updated secure Windows workstation profile",
match='"is-win" and "is-firewall-enabled" and "is-antivirus-running" and "is-disk-encrypted"'
)
response = hip_profile.update(update_model)
Match Expression Syntax
The match field supports a powerful expression language for defining HIP profile match criteria:
# Basic object reference - use double quotes around object namesmatch = '"is-win"'
# Boolean AND operationmatch = '"is-win" and "is-firewall-enabled"'
# Boolean OR operationmatch = '"is-win" or "is-mac"'
# Boolean NOT operationmatch = 'not ("is-win")'
# Combining operators with parenthesesmatch = '("is-win" or "is-mac") and "is-firewall-enabled"'
# Complex nested expressionsmatch = '("is-win" and "is-firewall-enabled") or ("is-mac" and "is-mac-firewall-enabled")'
# Boolean AND operationmatch = '"is-win" and "is-firewall-enabled"'
# Boolean OR operationmatch = '"is-win" or "is-mac"'
# Boolean NOT operationmatch = 'not ("is-win")'
# Combining operators with parenthesesmatch = '("is-win" or "is-mac") and "is-firewall-enabled"'
# Complex nested expressionsmatch = '("is-win" and "is-firewall-enabled") or ("is-mac" and "is-mac-firewall-enabled")'
Best Practices
-
Match Expression Design
- Use quoted object names (e.g.,
"is-win") - Maintain clear boolean logic with parentheses
- Verify HIP objects exist before referencing them
- Keep expressions simple and maintainable
- Test expressions against expected hosts
- Use quoted object names (e.g.,
-
Container Management
- Always specify exactly one container type
- Use consistent container names
- Validate container existence
- Group related profiles
-
Performance
- Keep match expressions concise
- Avoid overly complex expressions
- Test profile evaluation performance
- Consider impact on policy processing
-
Security
- Document profile purposes
- Review profiles regularly
- Use clear naming conventions
- Consider least privilege principles
- Validate match expressions
Related Models
- HIP Objects - See HIP Object Models