GlobalProtect Administrator's Guide
  • GlobalProtect Administrator's Guide
  • GlobalProtect Documentation
  • All Documentation
>
Configure HIP Process Remediation
Focus
Download PDF
Focus
  1. Home
  2. GlobalProtect
  3. Host Information
  4. Configure HIP Process Remediation
Download PDF
GlobalProtect

Configure HIP Process Remediation

Table of Contents

Configure HIP Process Remediation

HIP Process Remediation allows configuring custom checks and scripts to automatically remediate failed process checks on GlobalProtect endpoints.
Where Can I Use This?What Do I Need?
  • Prisma Access
  • GlobalProtect Subscription
  • Prisma Access Mobile Users license (for use with Prisma Access)
  • GlobalProtect app version 6.2 or later for Windows and macOS
  • Content release version 8699-7991 or later
Use the following procedure to configure the GlobalProtect app to run a remediation script whenever a GlobalProtect endpoint fails one or more process checks to help the endpoint recover from a HIP check failures. With this feature enabled, the GlobalProtect app will provide a specified timeout period in which the endpoint can run the remediation script if it fails a process check. After the timeout period expires, the GlobalProtect app resubmits the HIP report.
  1. Set up custom process checks.
    The remediation scripts you write should check whether the processes you have set up in the Custom Checks are running and, if not, execute the script and start the process.
  2. Configure a HIP remediation timeout on the portal.
    1. Select NetworkGlobalProtectPortals.
    2. Select the portal configuration to which you are adding the agent configuration, and then select the Agent tab.
    3. Select the agent configuration that you want to modify, or Add a new one.
    4. Select the App tab.
    5. To enable the HIP remediation feature, set a HIP Remediation Process Timeout (sec).
      By default, this field is set to 0, indicating that the feature is disabled. Enter a value from 1-600 seconds to indicate the amount of time you want to allow for the remediation script to finish.
    6. Click OK twice to save your app and portal configurations.
    7. Commit the changes.
  3. Deploy the remediation script to your endpoints using mobile device management (MDM).
    As a best practice, use standard formats for the scripts you deploy (for example, deploy shell scripts on macOS endpoints and batch scripts on Windows endpoints). The name of the script is case sensitive and must use the predefined name and location as follows:
    • Windows
      Location: \Program Files\Palo Alto Networks\GlobalProtect\
      Naming convention: hip-remediation-script.bat
    • macOS
      Location: /Applications/GlobalProtect.app/Contents/Resources/
      Naming convention: hip-remediation-script.sh
  4. (Optional) Customize how the script runs on the endpoint by setting a checksum and/or a custom error message and defining the context in which the script will run.
    • macOS
      1. Calculate the sha 256 checksum: shasum -a 256 hip-remediation-script.sh.
      2. Edit the following values in the plist as needed:
        • checksum—Specify the checksum you generated
        • error-msg—Enter the custom error message you want to display to the end user when remediation fails
        • success-msg—Enter the custom error message you want to display to the end user when remediation succeeds
        • context—set to admin or user to specify the context in which to run the remediation script. By default, the script runs in the user context.
      3. Replace the GlobalProtect plist by copying the modified.plist to overwrite the default plist: sudo cp modified.plist /Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist.
      4. Stop/start PanGPS:
        launchctl stop com.paloaltonetworks.gp.pangps
        launchctl start com.paloaltonetworks.gp.pangps
    • Windows
      1. Create the checksum for the remediation script: certutil -hashfile hip-remediation-script.bat HASH256 .
      2. Deploy the registry setting using the Windows default registry editor.
        In the Windows Registry, go to: \HKEY_LOCAL_MACHINE > SOFTWARE> Palo Alto Networks > GlobalProtect > Settings > hip-remediation-script and set the following keys:In the Windows Registry, go to: \HKEY_LOCAL_MACHINE > SOFTWARE> Palo Alto Networks > GlobalProtect > Settings > hip-remediation-script and set the following keys:
        • checksum—Specify the checksum you generated
        • error-msg—Enter the custom error message you want to display to the end user when remediation fails
        • success-msg—Enter the custom error message you want to display to the end user when remediation succeeds
        • context—set to admin or user to specify the context in which to run the remediation script. By default, the script runs in the user context.
      3. To restart GlobalProtect, in the Windows Services screen, find the PanGPS service and click Restart the service.

Technical Documentation

Company

Legal Notices

© 2025 Palo Alto Networks, Inc. All rights reserved.