Configure HIP Notifications for the Dynamic Privilege Access Prisma Access Agent

Create host information profile (HIP) notifications, create and manage HIP objects, and create and manage HIP profiles that apply to the Prisma Access Agent across all endpoints.
Where Can I Use This?
  • Prisma Access (Managed by Strata Cloud Manager)
What Do I Need?
  • Prisma Access 5.1 Innovation
  • Prisma Access license with the Mobile User subscription
  • macOS 12 or later desktop devices or Windows 10 version 2024 or later or Windows 11 desktop devices
  • Role: Superuser
In the HIP Notifications tab of the Edit Global Agent Settings page, you can create host information profile notifications, create and manage HIP objects, and create and manage HIP Profiles that apply to the Prisma Access Agent across all endpoints.
The Prisma Access Agent collects information about the host it's running on and submits this host information to the Prisma Access location (gateway) upon successful connection. The gateway matches this raw host information submitted by the Prisma Access Agent against any HIP objects and HIP Profiles that you have defined. If it finds a match, it generates an entry in the HIP Match log. Additionally, if it finds a HIP Profile match in a policy rule, it enforces the corresponding security policy.
HIP checks are performed when the agent connects to the gateway, and subsequent checks are performed hourly while the Prisma Access Agent remains connected. The Prisma Access Agent can request an updated HIP report if the host information has changed since the previous HIP check. Only the latest HIP report is retained on the gateway for each endpoint.
Using host information profiles for policy enforcement enables granular security that ensures the remote hosts accessing your critical resources are adequately maintained and adhere to your security standards before they are allowed access to your network resources. For example, before allowing access to your most sensitive data systems, you might want to ensure that the hosts accessing the data have encryption enabled on their hard drives. You can enforce this policy by creating a security rule that allows access to the application only if the endpoint has encryption enabled.
In addition, for endpoints that are not in compliance with this rule, you can create a notification message that tells users why they have been denied access. You can also provide a link to the location where they can download the installation program for the missing encryption software. To allow the user to reach that file share, you must create a corresponding security rule that allows access to that particular share for hosts with the matching HIP Profile.
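As an added illustration (not Prisma Access code or its API), the following Python model walks through the flow described above: HIP objects evaluated against a raw host report, HIP profiles built from them, HIP Match log entries, first-match policy enforcement for the encryption example, and the not-match notification pointing at a remediation share. All object, profile, rule and host names and the installer URL are constructed for the example.

```python
"""Constructed model of HIP evaluation as described on this page; it is not
Prisma Access code. Profiles, rules, hosts and the installer URL are made up."""
from dataclasses import dataclass
from typing import Optional

# HIP objects: named predicates over the raw host report submitted by the agent.
HIP_OBJECTS = {
    "disk-encrypted": lambda r: r.get("disk_encryption") == "enabled",
}
# HIP profiles: boolean expressions (object name, or (op, *args)) over HIP objects.
HIP_PROFILES = {
    "compliant-encrypted": ("and", "disk-encrypted"),
    "needs-encryption": ("not", "disk-encrypted"),
}
# HIP notification shown when a profile is NOT matched (hypothetical remediation link).
HIP_NOTIFICATIONS = {
    "compliant-encrypted": "Access denied: disk encryption is required. "
                           "Installer: https://intranet.example/encryption-installer",
}

@dataclass
class Rule:
    name: str
    app: str
    hip_profile: Optional[str]  # None = rule applies regardless of HIP state
    action: str

RULES = [  # first match wins, as in a security policy
    Rule("allow-sensitive-data", "sensitive-db", "compliant-encrypted", "allow"),
    Rule("allow-remediation-share", "remediation-share", "needs-encryption", "allow"),
    Rule("deny-all", "*", None, "deny"),
]

def eval_expr(expr, report):
    """Evaluate a HIP profile expression against one host report."""
    if isinstance(expr, str):
        return HIP_OBJECTS[expr](report)
    op, *args = expr
    vals = [eval_expr(a, report) for a in args]
    return {"and": all, "or": any, "not": lambda v: not v[0]}[op](vals)

def evaluate(report, app):
    """Return (rule name, action, HIP Match log lines, user notifications)."""
    matched = {p for p, expr in HIP_PROFILES.items() if eval_expr(expr, report)}
    log = [f"HIP match: host={report['host']} profile={p}" for p in sorted(matched)]
    rule = next(r for r in RULES if r.app in (app, "*")
                and (r.hip_profile is None or r.hip_profile in matched))
    notices = [msg for p, msg in HIP_NOTIFICATIONS.items() if p not in matched]
    return rule.name, rule.action, log, notices

# Constructed host reports: one laptop with encryption enabled, one without.
ENCRYPTED_HOST = {"host": "laptop-01", "disk_encryption": "enabled"}
PLAIN_HOST = {"host": "laptop-02", "disk_encryption": "disabled"}
```

The unencrypted host is denied the sensitive application and shown the notification, but is still allowed to reach the remediation share through the second rule.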