Create host information profile (HIP) notifications, create and manage HIP objects,
and create and manage HIP profiles that apply to the Prisma Access Agent across all
endpoints.
In the HIP Notifications tab of the Edit Global
Agent Settings page, you can create host information profile notifications, create and
manage HIP objects, and create and manage HIP Profiles that apply to the Prisma Access Agent across all endpoints.
The Prisma Access Agent collects information about the host it's
running on and submits this host information to the Prisma Access location (gateway)
upon successful connection. The gateway matches this raw host information submitted by
the Prisma Access Agent against any HIP objects and HIP Profiles that you have
defined. If it finds a match, it generates an entry in the HIP Match log. Additionally,
if it finds a HIP Profile match in a policy rule, it enforces the corresponding security
policy.
HIP checks are performed when the app connects to the gateway, and
subsequent checks are performed hourly while the Prisma Access Agent is connected.
The Prisma Access Agent can request an updated HIP report if the previous HIP
check has changed. The gateway retains only the latest HIP report per endpoint.
Using host information profiles for policy enforcement enables granular
security that ensures the remote hosts accessing your critical resources are adequately
maintained and adhere to your security standards before they are allowed access to
your network resources. For example, before allowing access to your most sensitive data
systems, you might want to ensure that the hosts accessing the data have encryption
enabled on their hard drives. You can enforce this policy by creating a security rule
that only allows access to the application if the endpoint system has encryption
enabled.
In addition, for endpoints that are not in compliance with this rule, you
can create a notification message that tells users why they have been denied
access. You can also provide a link to the location where they can access the
installation program for the missing encryption software. To allow the user to access
that location (the file share hosting the installer), you must create a corresponding
security rule allowing access to the particular share for hosts with that specific
HIP Profile match.
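The flow described above (report submission, HIP object and HIP Profile matching, HIP Match logging, rule enforcement with a notification) is sketched below as an added example; it is not Palo Alto Networks code or the product's data format. All names, the report layout, and the AND-only profile logic are assumptions made for illustration, and the sample reports are constructed.

```python
# Simplified model; names and report layout are assumptions, not the product's format.
from dataclasses import dataclass
from typing import Callable

@dataclass(frozen=True)
class HipObject:
    name: str
    matches: Callable[[dict], bool]  # predicate over the raw host report

@dataclass(frozen=True)
class HipProfile:
    name: str
    required: tuple  # object names that must all match (AND only, simplified)

latest_report = {}  # endpoint -> newest report; older reports are replaced
hip_match_log = []  # (endpoint, "object" | "profile", name)

def submit_report(endpoint, report, objects, profiles):
    """Gateway side: keep the newest report, log matches, return matched profiles."""
    latest_report[endpoint] = report
    hit = {o.name for o in objects if o.matches(report)}
    matched = {p.name for p in profiles if set(p.required) <= hit}
    hip_match_log.extend((endpoint, "object", n) for n in sorted(hit))
    hip_match_log.extend((endpoint, "profile", n) for n in sorted(matched))
    return matched

def evaluate_rule(matched_profiles, required_profile, notification):
    """Allow only on a HIP profile match; otherwise deny with the user notice."""
    allowed = required_profile in matched_profiles
    return ("allow", None) if allowed else ("deny", notification)

def disks_encrypted(report):
    disks = report.get("disks") or []
    # Fail closed: no disk data in the report counts as not encrypted.
    return bool(disks) and all(d.get("encrypted") is True for d in disks)

# Constructed sample policy and reports
OBJECTS = [HipObject("disk-encrypted", disks_encrypted),
           HipObject("os-windows", lambda r: r.get("os") == "Windows")]
PROFILES = [HipProfile("encrypted-endpoints", ("disk-encrypted",))]
NOTICE = "Access denied: disk encryption is off. Installer: <link placeholder>"

def demo():
    good = {"os": "Windows", "disks": [{"encrypted": True}]}
    bad = {"os": "Windows", "disks": [{"encrypted": True}, {"encrypted": False}]}
    ok = submit_report("laptop-01", good, OBJECTS, PROFILES)
    nok = submit_report("laptop-02", bad, OBJECTS, PROFILES)
    return (evaluate_rule(ok, "encrypted-endpoints", NOTICE),
            evaluate_rule(nok, "encrypted-endpoints", NOTICE))
```

Calling demo() returns an allow decision for the fully encrypted endpoint and a deny with the notification text for the endpoint that has one unencrypted disk; a report with no disk data is also treated as non-compliant.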
You can complete the following tasks: