GlobalProtect
Collect Application and Process Data From Endpoints
Table of Contents
Collect Application and Process Data From Endpoints
Enable custom checks to collect application and process data from endpoints and use
it for security policy matching.
The Windows Registry, macOS plist, and Linux
process list can be used to configure and store settings for Windows
and macOS operating systems, respectively. You can create a custom
check that allows you to determine whether an application is installed
(has a corresponding registry or plist key) or is running (has a
corresponding running process) on a Windows, macOS, or Linux endpoint.
Enabling custom checks instructs the GlobalProtect app to collect
specific registry information (Registry Keys and Registry Key Values
from Windows endpoints) or preference list (plist) information (plist
and plist keys from macOS endpoints) or has a corresponding process
(name of the process from Linux endpoints). The data that you define
to be collected in a custom check is included in the raw Host
Information data collected by the GlobalProtect app and then
submitted to the GlobalProtect gateway when the app authenticates
and connects to the gateway. For more information on defining app
settings directly from the Windows Registry, the global macOS plist,
or the Linux pre-deployment configuration, see Deploy
App Settings Transparently.
To monitor the data collected
with custom checks, you can create a HIP object. You can then add
the HIP object to a HIP profile to use the collected data to match to
endpoint traffic and enforce security rules. The gateway uses the
HIP object (which matches to the data defined in the custom check)
to filter the raw host information submitted by the app. When the
gateway matches the endpoint data to a HIP object, a HIP Match log
entry is generated for the data. The HIP profile also allows the
gateway to match the collected data to a security rule. If the HIP
profile is used as criteria for a security policy rule, the gateway
enforces that security rule on the matching traffic.
Use the
following steps to enable custom checks to collect data from Windows macOS,
or Linux endpoints. This workflow also includes optional steps to
create a HIP object and HIP profile for a custom check, which allows
you to use endpoint data as matching criteria for security policies
to monitor, identify, and act on traffic.
On Windows,
macOS, and Linux devices, when you configure
Custom Checks
such
as to collect registry or plist entries, GlobalProtect hides this
information in the Host Profile summary of the GlobalProtect app.- Enable the GlobalProtect app to collect Windows Registry information from Windows endpoints, plist information from macOS endpoints, or process list information from Linux endpoints. The type of information collected can include whether or not an application is installed on the endpoint, or specific attributes or properties of that application.Collect data from a Windows endpoint:
- Select .
- Select an existing portal configuration orAdda new one.
- On theAgenttab, select the agent configuration that you want to modify orAdda new one.
- SelectHIP Data Collection.
- Enable the GlobalProtect app toCollect HIP Data.
- Select , and thenAddtheRegistry Keythat you want to collect information about. If you want to restrict data collection to a value contained within that Registry Key, add the correspondingRegistry Value.
Collect data from a macOS endpoint:- Select .
- Select an existing portal configuration orAdda new one.
- On theAgenttab, select the agent configuration that you want to modify orAdda new one.
- SelectHIP Data Collection.
- Enable the GlobalProtect app toCollect HIP Data
- Select , and thenAddthePlistthat you want to collect information about and the corresponding plistKeyto determine if the application is installed.
For example,AddthePlistcom.apple.screensaverand theKeyaskForPasswordto collect information on whether a password is required to wake the macOS endpoint after the screen saver begins:
Collect data from a Linux endpoint:- Select .
- Select an existing portal configuration orAdda new one.
- On theAgenttab, select the agent configuration that you want to modify orAdda new one.
- SelectHIP Data Collection.
- Enable the GlobalProtect app toCollect HIP Data.
- Select , and thenAddtheProcess Listthat you want to collect information about.
- (Optional) Check if a specific process is running on the endpoint.
- Select .
- Select an existing portal configuration orAdda new one.
- On theAgenttab, select the agent configuration that you want to modify orAdda new one.
- SelectHIP Data Collection.
- Enable the GlobalProtect app toCollect HIP Data
- Select ,Mac, orLinux.
- Addthe name of the process that you want to collect information about to theProcess List.
- Save the custom check.ClickOKandCommitthe changes.
- (Optional) Create a HIP Object to match to a Registry Key (Windows), plist (macOS), or process list (Linux), which allows you to filter the raw host information collected from the GlobalProtect app to monitor the data for the custom check.With a HIP object defined for the custom check data, the gateway matches the raw data submitted from the app to the HIP object, and a HIP Match log entry is generated for the data ().For Windows, macOS, and Linux endpoints:
- Select .
- Select an existing HIP object orAdda new one.
- On theCustom Checkstab, select the check box to enableCustom Checks.
For Windows endpoints only:- To check Windows endpoints for a specific registry key, select , and thenAddthe registry key to match. When prompted, enter theRegistry Keyand then configure one of the following options:
- To match on the default value data for the registry key, enter the(Default) Value Data.
- To match endpoints that do not have the specified registry key, selectKey does not exist or match the specified value data.
Do not configure both the(Default) Value DataandKey does not exist or match the specified value dataoptions simultaneously. - To match on specific values within the registry key, select , and thenAddthe registry key to match. When prompted, enter theRegistry Key. ClickAddand then configure one of the following options:
- To match on specific values within the registry key, enter theRegistry Valueand correspondingValue Data.
- To match endpoints that do not have a specified registry value, enter theRegistry Valueand then select theNegatecheck box.To use this option, do not enter anyValue Datafor yourRegistry Key.
If you add more than one registry value to your registry key, the GlobalProtect gateway checks endpoints for all specified registry values.
- ClickOKto save the HIP object. You canCommitthe changes to view the data in theHIP Matchlogs at the next device check-in or continue to step 6.
For macOS endpoints only:- To check macOS endpoints for a specific plist, selectPlist, and thenAddthe plist for which you to want to check. When prompted, enter the name of thePlist. If you want to match macOS endpoints that do not have the specified plist, enable thePlist does not existoption.
- To match on a specific key-value pair within a plist, selectPlist, and thenAddthe plist for which you to want to check. When prompted, enter the name of thePlistand thenAddaKeyand correspondingValueto match. Alternatively, if you want to identify endpoints that do not have a specific key and value, you can selectNegateafter you add theKeyandValue.
- ClickOKto save the HIP object. You canCommitthe changes to view the data in theHIP Matchlogs at the next device check-in or continue to step 6.
For Linux endpoints only:- To check if a specific process is running on the Linux endpoint, selectProcess List, and thenAddthe corresponding process for which you to want to check. When prompted, enter the name of theProcess List.
- ClickOKto save the HIP object. You canCommitthe changes to view the data in theHIP Matchlogs at the next device check-in or continue to step 6.
- (Optional) Create a HIP profile to allow the HIP object to be evaluated against traffic.The HIP profile can be added to a security policy as an additional check for traffic matching that policy. When the traffic is matched to the HIP profile, the security policy rule is enforced on the traffic.For more details on creating a HIP profiles, see Configure HIP-Based Policy Enforcement.
- Select .
- Select an existing HIP profile orAdda new one.
- ClickAdd Match Criteriato open the HIP Objects/Profile Builder.
- Select theHIP objectthat you want to use as match criteria, and then click the add () icon to move it to the
Matcharea of the HIP Profile. - After you add the objects to the new HIP profile, clickOK, and thenCommitthe changes.
- Add the HIP profile to a security policy so the data collected with the custom check can be used to match to and act on traffic.Select , and then select an existing security policy orAdda new one. On theUsertab,AddtheHIP Profilesto the policy. For more details on security policies components and using security policies to match to and act on traffic, see Security Policy.