How Do I Get Visibility into the State of the Endpoints?
Whenever an endpoint connects to GlobalProtect, the
app presents its HIP data to the gateway. The gateway then uses
this data to determine which HIP objects and/or HIP profiles the
host matches. For each match, it generates a HIP Match log entry.
Unlike a traffic log—which only creates a log entry if there is
a policy match—the HIP Match log generates an entry whenever the
raw data submitted by an app matches a HIP object and/or a HIP profile
you have defined. This makes the HIP Match log a good resource for
monitoring the state of the endpoints in your network over time—before
attaching your HIP profiles to security policies—so that you can
determine exactly which policies need enforcement.
Because a HIP Match log is only generated when the host state
matches a HIP object you have created, for full visibility into
the endpoint state, you may need to create multiple HIP objects to
log HIP matches for endpoints that are in compliance with a particular
state (for security policy enforcement purposes) as well as endpoints
that are non-compliant (for visibility). For example, suppose you
want to prevent an endpoint that does not have antivirus or anti-spyware
software installed from connecting to the network. In this case,
you would create a HIP object that matches hosts that have a particular
antivirus or anti-spyware software installed. By including this
object in a HIP profile and attaching it to the security policy
rule that allows access from your VPN zone, you can ensure that
only hosts that are protected with antivirus or anti-spyware software
can connect.
In this example, you would not be able to view which endpoints
are not in compliance with this requirement in the HIP Match log.
If you want to view a log for endpoints that do not have antivirus
or anti-spyware software installed so that you can follow up with
these users, you can also create a HIP object that matches the condition
where the antivirus or anti-spyware software is not installed. Because
this object is only required for logging purposes, you do not need to
add it to a HIP profile or attach it to a security policy rule.
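The following is an added illustration, not code from Palo Alto Networks or from this documentation: a small simulation of the behaviour described above, in which the gateway generates a HIP Match entry only when submitted HIP data matches a HIP object, whether or not any security policy references it. The HIP report fields (`antivirus_installed`), the one-condition HIP object, the AND semantics of the profile and the log entry layout are all simplified assumptions for the example; the endpoint reports are constructed. It shows why an enforcement-only object leaves non-compliant hosts invisible, and how a logging-only "not installed" object makes them appear without touching policy.

```python
# Added example (not Palo Alto Networks code): simulation of how submitted HIP
# data becomes HIP Match log entries. HIP report fields, the HIP object and
# profile representations, and the log layout are simplified assumptions.

from dataclasses import dataclass


@dataclass(frozen=True)
class HipObject:
    """Simplified HIP object: one boolean condition on the submitted HIP data."""
    name: str
    field: str        # key in the endpoint's HIP report (assumed name)
    expected: bool    # value the report must carry for the object to match


@dataclass(frozen=True)
class HipProfile:
    """Simplified HIP profile: matches when every listed object matches (assumption)."""
    name: str
    object_names: tuple


# Constructed HIP reports, as the app would present them when connecting.
ENDPOINTS = {
    "laptop-01": {"antivirus_installed": True},
    "laptop-02": {"antivirus_installed": False},
    "laptop-03": {"antivirus_installed": True},
    "laptop-04": {"antivirus_installed": False},
}


def object_matches(obj: HipObject, hip_data: dict) -> bool:
    """True when the raw HIP data satisfies the object's condition."""
    return hip_data.get(obj.field) is obj.expected


def generate_hip_match_log(endpoints, objects, profiles):
    """One entry per (host, matched object) and per (host, matched profile).

    As in the text, an entry is produced for every match regardless of
    whether a security policy rule references the profile.
    """
    log = []
    for host, hip_data in endpoints.items():
        matched = {o.name for o in objects if object_matches(o, hip_data)}
        for name in sorted(matched):
            log.append({"host": host, "type": "object", "name": name})
        for profile in profiles:
            if all(n in matched for n in profile.object_names):
                log.append({"host": host, "type": "profile", "name": profile.name})
    return log


def hosts_without_entries(endpoints, log):
    """Endpoints that produced no HIP Match entry at all (invisible in the log)."""
    seen = {entry["host"] for entry in log}
    return sorted(set(endpoints) - seen)


def hosts_matching(log, object_name):
    """Hosts with an object-type entry for the named HIP object."""
    return sorted({e["host"] for e in log
                   if e["type"] == "object" and e["name"] == object_name})


# Enforcement object: hosts that DO have antivirus, referenced by a profile
# that a VPN-zone allow rule would use.
AV_INSTALLED = HipObject("av-installed", "antivirus_installed", True)
COMPLIANT_PROFILE = HipProfile("compliant-endpoint", ("av-installed",))

# Visibility-only object: hosts that do NOT have antivirus. It is deliberately
# left out of every profile, so it never affects policy, only logging.
AV_MISSING = HipObject("av-missing", "antivirus_installed", False)


def run():
    """Return the log with the enforcement object only, and with the
    logging-only object added."""
    enforce_only = generate_hip_match_log(ENDPOINTS, [AV_INSTALLED], [COMPLIANT_PROFILE])
    with_visibility = generate_hip_match_log(ENDPOINTS, [AV_INSTALLED, AV_MISSING],
                                             [COMPLIANT_PROFILE])
    return enforce_only, with_visibility


if __name__ == "__main__":
    enforce_only, with_visibility = run()
    print("invisible with enforcement object only:",
          hosts_without_entries(ENDPOINTS, enforce_only))
    print("non-compliant hosts to follow up with:",
          hosts_matching(with_visibility, "av-missing"))
```

With only the enforcement object, laptop-02 and laptop-04 never appear in the log; once the logging-only object is added they show up under `av-missing` while the enforcement profile and its matches are unchanged.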