Configure HIP Notifications for the Prisma Access Agent
Create host information profile notifications, create and manage HIP
objects, and create and manage HIP Profiles that apply to the Prisma Access Agent
across all endpoints.
Where Can I Use This?
  Prisma Access (Managed by Strata Cloud Manager)
What Do I Need?
  Prisma Access 5.1 Preferred or Innovation
  Prisma Access license with the Mobile User subscription
  Prisma Access Agent version: 25.1.0.5
  macOS 14 and later or Windows 10 version 2024 and later desktop devices
  Contact your Palo Alto Networks account representative to activate the Prisma Access Agent feature
In the HIP Notifications tab of the Edit Global
Agent Settings page, you can create host information profile notifications, create and
manage HIP objects, and create and manage HIP Profiles that apply to the Prisma Access Agent across all endpoints.
The Prisma Access Agent collects information about the host it's running
on and submits this host information to the gateway upon successful connection. The
gateway matches this raw host information submitted by the Prisma Access Agent against
any HIP objects and HIP Profiles that you have defined. If it finds a match, it
generates an entry in the HIP Match log. Additionally, if it finds a HIP Profile match
in a policy rule, it enforces the corresponding security policy.
HIP checks are performed when the Prisma Access Agent connects to the gateway, and
subsequent checks are performed hourly while the Prisma Access Agent remains connected. The
gateway can request an updated HIP report if the host information has changed since the previous HIP check. Only
the latest HIP report is retained on the gateway per endpoint.
Using host information profiles for policy enforcement enables granular
security that ensures the remote hosts accessing your critical resources are adequately
maintained and adhere to your security standards before they are allowed access to
your network resources. For example, before allowing access to your most sensitive data
systems, you might want to ensure that the hosts accessing the data have encryption
enabled on their hard drives. You can enforce this policy by creating a security rule
that only allows access to the application if the hard drives on the endpoint are
encrypted.
In addition, for endpoints that are not in compliance with this rule, you
can create a notification message that alerts users as to why they have been denied
access. You can also provide a link to the location where they can access the
installation program for the missing encryption software. To allow the user to access
that file share, you will have to create a corresponding security rule allowing access
to the particular share for hosts with that specific HIP Profile match. You have the
option to configure HIP notifications for both HIP match and nonmatch. The notification
can be sent as a pop-up message or a system tray balloon.
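The flow described above (HIP objects matched against the host report, HIP Profiles built from those objects, policy rules keyed on a profile, and match/nonmatch notifications) modelled as an added Python example; this is not Palo Alto Networks code, and the objects, profiles, rules, notification texts and host report are constructed for illustration of the disk-encryption case.

```python
# Constructed HIP objects: the host attributes each one requires.
HIP_OBJECTS = {
    "disk-encrypted": {"disk_encryption": True},
    "av-running": {"antivirus_running": True},
}
# Constructed HIP Profiles: boolean expressions over object names, written as
# nested tuples ("and" | "or" | "not", operand, ...).
HIP_PROFILES = {
    "compliant": ("and", "disk-encrypted", "av-running"),
    "needs-encryption": ("not", "disk-encrypted"),
}
# Constructed policy as (rule name, destination, required HIP Profile, action);
# the installer share is opened only to hosts that match "needs-encryption".
RULES = [
    ("allow-sensitive-data", "finance-db", "compliant", "allow"),
    ("allow-installer-share", "installer-share", "needs-encryption", "allow"),
]
# Constructed notifications keyed by (profile, "match" | "nonmatch").
NOTIFICATIONS = {
    ("compliant", "nonmatch"): "Access denied: enable disk encryption first.",
    ("needs-encryption", "match"): "Encryption installer: see installer-share.",
}

def object_matches(name, report):
    # A HIP object matches when every required attribute is present in the report.
    return all(report.get(k) == v for k, v in HIP_OBJECTS[name].items())

def profile_matches(expr, report):
    """Evaluate a profile expression recursively; a bare string is an object name."""
    if isinstance(expr, str):
        return object_matches(expr, report)
    op, *operands = expr
    if op == "not":
        return not profile_matches(operands[0], report)
    results = [profile_matches(o, report) for o in operands]
    return all(results) if op == "and" else any(results)

def evaluate(report):
    """Return the HIP Match log entries, the verdict per destination, and notifications."""
    matched = sorted(p for p, e in HIP_PROFILES.items() if profile_matches(e, report))
    verdicts = {}
    for name, dest, profile, action in RULES:
        # First rule whose profile the host matches wins; no match is an implicit deny.
        if dest not in verdicts and profile in matched:
            verdicts[dest] = action
    for _, dest, _, _ in RULES:
        verdicts.setdefault(dest, "deny")
    notices = [msg for (profile, kind), msg in NOTIFICATIONS.items()
               if (profile in matched) == (kind == "match")]
    return {"hip_match_log": matched, "verdicts": verdicts, "notifications": notices}
# Constructed host report from an endpoint whose drive is not encrypted.
SAMPLE_REPORT = {"disk_encryption": False, "antivirus_running": True}
```

Calling evaluate(SAMPLE_REPORT) denies the sensitive application, allows the installer share, and raises both the nonmatch notification for "compliant" and the match notification for "needs-encryption".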