Configure HIP Process Remediation

Set up custom process checks.

The remediation scripts you write should check whether the processes you have set up in the

Custom Checks

are running and, if not, execute the script and start the process.

Configure a HIP remediation timeout on the portal.

Select
Network
GlobalProtect
Portals
.
Select the portal configuration to which you are adding the agent configuration, and then select the
Agent
tab.
Select the agent configuration that you want to modify, or
Add
a new one.
Select the
App
tab.
To enable the HIP remediation feature, set a
HIP Remediation Process Timeout (sec)
.
By default, this field is set to 0, indicating that the feature is disabled. Enter a value from 1-600 seconds to indicate the amount of time you want to allow for the remediation script to finish.

Click
OK
twice to save your app and portal configurations.
Commit
the changes.

Deploy the remediation script to your endpoints using mobile device management (MDM).

As a best practice, use standard formats for the scripts you deploy (for example, deploy shell scripts on macOS endpoints and batch scripts on Windows endpoints). The name of the script is case sensitive and must use the predefined name and location as follows:

Windows
Location:
\Program Files\Palo Alto Networks\GlobalProtect\
Naming convention:
hip-remediation-script.bat
macOS
Location:
/Applications/GlobalProtect.app/Contents/Resources/
Naming convention:
hip-remediation-script.sh

(

Optional

) Customize how the script runs on the endpoint by setting a checksum and/or a custom error message and defining the context in which the script will run.

macOS

Calculate the sha 256 checksum:
shasum -a 256 hip-remediation-script.sh
.
Edit the following values in the plist as needed:
checksum
—Specify the checksum you generated
error-msg
—Enter the custom error message you want to display to the end user when remediation fails
success-msg
—Enter the custom error message you want to display to the end user when remediation succeeds
context
—set to
admin
or
user
to specify the context in which to run the remediation script. By default, the script runs in the user context.
Replace the GlobalProtect plist by copying the modified.plist to overwrite the default plist:
sudo cp modified.plist /Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist
.

Stop/start PanGPS:
launchctl stop com.paloaltonetworks.gp.pangps
launchctl start com.paloaltonetworks.gp.pangps

Windows

Create the checksum for the remediation script:

certutil -hashfile hip-remediation-script.bat HASH256

.

Deploy the registry setting using the Windows default registry editor.

In the Windows Registry, go to:

\HKEY_LOCAL_MACHINE > SOFTWARE> Palo Alto Networks > GlobalProtect > Settings > hip-remediation-script

and set the following keys:In the Windows Registry, go to:

\HKEY_LOCAL_MACHINE > SOFTWARE> Palo Alto Networks > GlobalProtect > Settings > hip-remediation-script

and set the following keys:



checksum
—Specify the checksum you generated
error-msg
—Enter the custom error message you want to display to the end user when remediation fails
success-msg
—Enter the custom error message you want to display to the end user when remediation succeeds
context
—set to
admin
or
user
to specify the context in which to run the remediation script. By default, the script runs in the user context.

To restart GlobalProtect, in the Windows Services screen, find the

PanGPS

service and click

Restart the service

.