Configure HIP Data Collection Settings for the Prisma Access Agent

Configure HIP Data Collection Settings for the Prisma Access Agent (Strata Cloud Manager)

1. From Strata Cloud Manager, Select WorkflowsPrisma Access SetupAccess AgentPrisma Access Agent.
2. Select an existing agent configuration or Add Agent Settings to create a new configuration.

   
3. If you need to create or update an app configuration rule, follow the instructions in Configure Agent Settings for the Prisma Access Agent. Otherwise, go to the next step.
4. In the HIP Data Collection section, select Collect HIP Data to enable HIP data collection on the endpoints that logged in to the gateway. Default: Enabled
5. Select Show Advanced Options.

   
6. Specify the Max Wait Time (in seconds) that the Prisma Access Agent should search for HIP data before submitting the available data. The range is 10-60 seconds; the default is 20 seconds.
7. Select the Certificate Profile that the gateway uses to match the machine certificate sent by the Prisma Access Agent.

   If you want to use a certificate profile that isn't on the list, Add Certificate Profile.

   • (Required) Name—Enter a name for the certificate profile. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

     

   • (Required) CA Certificates—Add a CA Certificate to assign to the profile.
     Optionally, if the gateway uses the Online Certificate Status Protocol (OCSP) to verify certificate revocation status, configure the following fields to override the default behavior. For most deployments, these fields do not apply.
     • By default, the gateway uses the Authority Information Access (AIA) information from the certificate to extract the OCSP responder information. To override the AIA information, enter a Default OCSP URL (starting with http:// or https://).
     • By default, the gateway uses the certificate selected in the CA Certificate field to validate OCSP responses. To use a different certificate for validation, select it in the OCSP Verify CA Certificate field.
   • Show Advance Options—Shows more options for the certificate profile.

     

   • Username Field—If Prisma Access Agent uses only certificates for gateway authentication, Prisma Access uses the certificate field you select in the Username Field drop-down as the username and matches it to the IP address for the User-ID service:
     • Subject—The Common Name.
     • Subject Alt—The Email or Principal Name.
     • None—Typically for the Prisma Access Agent device authentication.
   • User Domain—Enter the NetBIOS domain so that Prisma Access can map users through the User-ID.
   • Use CRL—Select this option to use a certificate revocation list (CRL) to verify the revocation status of certificates.
   • USE OCSP—Select this option to use OCSP to verify the revocation status of certificates.
     If you select both OCSP and CRL, the gateway first tries OCSP, and only falls back to the CRL method if the OCSP responder is unavailable.
   • CRL Receive Timeout—Specify the interval (1-60 seconds) after which the gateway stops waiting for a response from the CRL service.
   • OCSP Receive Timeout—Specify the interval (1-60 seconds) after which the gateway stops waiting for a response from the OCSP responder.
   • Certificate Status Timeout—Specify the interval (1-60 seconds) after which the gateway stops waiting for a response from any certificate status service and applies any session blocking logic you define.
   • Block session if certificate status is unknown—Select this option if you want the gateway to block sessions when the OCSP or CRL service returns a certificate revocation status of unknown. Otherwise, the gateway proceeds with the sessions.
   • Block sessions if certificate status cannot be retrieved within timeout—Select this option if you want the gateway to block sessions after it registers an OCSP or CRL request timeout. Otherwise, the gateway proceeds with the sessions.
   • Block sessions if the certificate was not issued to the authenticating device—Select this option if you want the gateway to block sessions when the serial number attribute in the subject of the client certificate does not match the host ID that the Prisma Access Agent reports for the endpoint. Otherwise, the gateway allows the sessions. This option applies only to Prisma Access Agent certificate authentication.

   Save your settings when you're done.
8. Edit Custom Checks to define any custom data you want to collect from the hosts running this configuration.

   

   For example, if you have any required applications that are not included in the Vendor or Product lists for creating HIP objects, you can create a custom check to determine whether that application is installed (it has a corresponding Windows registry or Mac plist key) or is currently running (has a corresponding running process):

   • Windows—Add a check for a particular Registry Key or Registry Value. To restrict data collection to a specific Registry Value, Add and then define the specific registry values.
   • Mac—Add a check for a particular Plist key or Key value. To restrict the data collection to specific key values, Add the Key values. Click OK to save the settings.
   • Process List—Add the processes you want to check for on user endpoints to see if they are running. For example, to determine whether a software application is running, add the name of the executable file to the process list. You can add a process to the Windows tab, the Mac tab, or both.

   Save the custom check settings when you are done.
9. When you have finished configuring the Prisma Access Agent settings, Save the configuration.

   For Panorama Managed Prisma Access, Create the configuration.