This chapter provides information on the Host Information features in
GlobalProtect.
Although you may have stringent security at your corporate network border, your network
is really only as secure as the endpoints that are accessing it. With today’s workforce
becoming more mobile and often requiring access to corporate resources from a variety of
locations—airports, coffee shops, hotels—and from a variety of endpoints—both
company-provisioned and personal—you must logically extend your network’s security to
your endpoints to ensure comprehensive and consistent security enforcement. To enforce
security policy rules, you can configure either Host Information Profiles (HIP) or the Host
Compliance Service (HCS) for GlobalProtect:
The GlobalProtect Host Information
Profile (HIP) feature enables you to collect information about the
security status of your endpoints—such as whether they have the latest security
patches and antivirus definitions installed, whether they have disk encryption
enabled, whether the endpoint is jailbroken or rooted, or whether it is running
specific software you require within your organization—and to allow or deny access
to a specific host based on its adherence to the host policies you define.
(Starting from PAN-OS 12.1.2) The Host Compliance Service (HCS)
for GlobalProtect introduces a cloud-hosted, highly available service that
centralizes endpoint posture assessment, distribution, and security policy rule
enforcement. The HCS centralizes endpoint security by processing full HIP reports in
the cloud and distributing only the final compliance data or verdicts to subscribed
products like NGFW deployments for policy rule enforcement, which eliminates
redundant processing on each firewall.