The Host Compliance Service (HCS) for GlobalProtect introduces a cloud-hosted, highly
available service that centralizes endpoint posture assessment, distribution, and security
policy rule enforcement.
Where Can I Use This?
What Do I Need?
NGFW managed by Panorama
GlobalProtect Subscription License
GlobalProtect app 6.0. or later versions
PAN-OS 12.1.2 and later versions
Cloud Identity Engine
Device Certificate
The Host Compliance Service (HCS) for GlobalProtect introduces a cloud-hosted, highly
available service that centralizes endpoint posture assessment, distribution, and
security policy rule enforcement.
The HCS centralizes endpoint security by processing full HIP reports in the cloud and
distributing only the final compliance data or verdicts to subscribed products like NGFW
deployments for policy rule enforcement, which eliminates redundant processing on each
firewall.
GlobalProtect app continues to send Host Compliance reports to GlobalProtect gateways,
but the gateways now send these reports to the cloud-hosted HCS, if the HCS is enabled.
The HCS processes HIP reports in the cloud, performs the evaluation against your defined
security policies, and converts them into compliance verdicts and send those verdicts to
the next generation firewall.
The HCS feature significantly improves HIP redistribution for large-scale GlobalProtect
deployments. It addresses the challenges of delayed host information updates and
scalability issues.
HCS for GlobalProtect provides:
Simplified configuration of host compliance objects and host compliance
profiles.
Improved scalability and cost-effectiveness for HIP redistribution, eliminating
the need for additional on-premises infrastructure.
Use the following procedure to configure the HCS for the GlobalProtect as listed out in
three sections: