Host Compliance Service
Focus
Focus
GlobalProtect

Host Compliance Service

Table of Contents

Host Compliance Service

The Host Compliance Service (HCS) for GlobalProtect introduces a cloud-hosted, highly available service that centralizes endpoint posture assessment, distribution, and security policy rule enforcement.
Where Can I Use This?What Do I Need?
  • NGFW managed by Panorama
  • GlobalProtect Subscription License
  • GlobalProtect app 6.0. or later versions
  • PAN-OS 12.1.2 and later versions
  • Cloud Identity Engine
  • Device Certificate
The Host Compliance Service (HCS) for GlobalProtect introduces a cloud-hosted, highly available service that centralizes endpoint posture assessment, distribution, and security policy rule enforcement.
The HCS centralizes endpoint security by processing full HIP reports in the cloud and distributing only the final compliance data or verdicts to subscribed products like NGFW deployments for policy rule enforcement, which eliminates redundant processing on each firewall.
GlobalProtect app continues to send Host Compliance reports to GlobalProtect gateways, but the gateways now send these reports to the cloud-hosted HCS, if the HCS is enabled. The HCS processes HIP reports in the cloud, performs the evaluation against your defined security policies, and converts them into compliance verdicts and send those verdicts to the next generation firewall.
The HCS feature significantly improves HIP redistribution for large-scale GlobalProtect deployments. It addresses the challenges of delayed host information updates and scalability issues.
HCS for GlobalProtect provides:
  • Simplified configuration of host compliance objects and host compliance profiles.
  • Improved scalability and cost-effectiveness for HIP redistribution, eliminating the need for additional on-premises infrastructure.
Use the following procedure to configure the HCS for the GlobalProtect as listed out in three sections:
  1. Enable Host Compliance Service
  2. Configure Cloud Redistribution
  3. Configure Host Compliance Services-based Security Policy
Before you begin: