This section describes how to configure security policy based on host compliance services (HCS).
To enable the use of a Host Compliance Profile (HCP) in security policy rule enforcement, you must complete the
following procedures:
Create Host Compliance Objects: Start by creating an individual Host Compliance Object (HCO) for each specific
security check you want to perform. For example, you can create one object that checks
for Windows 10, another that checks for up-to-date antivirus, and a third that checks for disk
encryption.
Create a Host Compliance Profile from Host Compliance Objects: Create an HCP from one or
more HCOs. For example, you can create a 'Compliant Windows Devices' profile that
requires a device to match all three objects: Windows 10 AND up-to-date
antivirus AND disk encryption.
Enable User-ID: You must enable User-ID so that the firewall generates HIP Match log entries.
Apply the Host Compliance Profile to a Security Policy: Add the HCP as a match criterion in
your security policy rules. For example, you can create a rule that allows a device to
access your internal servers only if it matches the 'Compliant Windows Devices' profile.
(Optional) Configure a Service Route for HCS: Configure a service route only in
scenarios where HCS traffic must be routed separately from the management
interface, or where the management interface does not have internet
connectivity.
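The procedure above, as an added example that is not part of the original page or of PAN-OS itself: a small Python model of how three objects combine into one profile (all must match) and how a security rule keyed on that profile decides access. The object, profile and rule names, the host-report fields, the antivirus-age threshold, the log line format and the fail-closed handling of a device that submitted no report are all assumptions made for this illustration.

```python
"""Model of host-compliance evaluation, added to illustrate the procedure
above. It is not PAN-OS code: the object, profile and rule names, the
host-report fields and the evaluation helpers are assumptions made here."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Assumed shape of the host report an agent submits (not a real HIP schema).
HostReport = Dict[str, object]


@dataclass(frozen=True)
class HostComplianceObject:
    """One specific check, e.g. 'OS is Windows 10'."""
    name: str
    check: Callable[[HostReport], bool]

    def matches(self, report: HostReport) -> bool:
        try:
            return bool(self.check(report))
        except (KeyError, TypeError):
            # A report that lacks the attribute cannot satisfy the check.
            return False


@dataclass(frozen=True)
class HostComplianceProfile:
    """A profile matches only if every object in it matches (logical AND)."""
    name: str
    objects: tuple  # of HostComplianceObject

    def matches(self, report: Optional[HostReport]) -> bool:
        if report is None:  # no host report at all: treated as non-compliant (assumption)
            return False
        return all(obj.matches(report) for obj in self.objects)


@dataclass(frozen=True)
class SecurityRule:
    name: str
    action: str  # "allow" or "deny"
    required_profile: Optional[HostComplianceProfile] = None


@dataclass
class HipMatchLog:
    """Stand-in for the HIP Match log; an entry is appended on each profile match."""
    entries: List[str] = field(default_factory=list)


def evaluate(rules: List[SecurityRule], user: str, report: Optional[HostReport],
             log: HipMatchLog) -> str:
    """Return the action of the first matching rule; deny if none matches."""
    for rule in rules:
        profile = rule.required_profile
        if profile is not None:
            if not profile.matches(report):
                continue  # rule has a profile criterion the device does not meet
            log.entries.append(f"user={user} profile={profile.name} rule={rule.name}")
        return rule.action
    return "deny"


# The three objects named in the text; the 7-day antivirus threshold is assumed.
WINDOWS_10 = HostComplianceObject("Windows 10", lambda r: r["os"] == "Windows 10")
AV_CURRENT = HostComplianceObject("AV up to date", lambda r: r["av_definitions_age_days"] <= 7)
DISK_ENCRYPTED = HostComplianceObject("Disk encryption", lambda r: r["disk_encrypted"] is True)

COMPLIANT_WINDOWS = HostComplianceProfile(
    "Compliant Windows Devices", (WINDOWS_10, AV_CURRENT, DISK_ENCRYPTED))

RULES = [
    SecurityRule("allow-internal-servers", "allow", required_profile=COMPLIANT_WINDOWS),
    SecurityRule("default-deny", "deny"),
]

# Constructed host reports for four devices (sample data, not captured output).
REPORTS: Dict[str, Optional[HostReport]] = {
    "alice": {"os": "Windows 10", "av_definitions_age_days": 1, "disk_encrypted": True},
    "bob":   {"os": "Windows 10", "av_definitions_age_days": 30, "disk_encrypted": True},
    "carol": {"os": "Windows 10", "disk_encrypted": True},  # no antivirus attribute at all
    "dave":  None,  # no host report submitted
}


def run_examples() -> Tuple[Dict[str, str], List[str]]:
    """Evaluate every device against RULES; return (decisions, HIP Match log entries)."""
    log = HipMatchLog()
    decisions = {user: evaluate(RULES, user, report, log) for user, report in REPORTS.items()}
    return decisions, log.entries


if __name__ == "__main__":
    decisions, entries = run_examples()
    for user, action in decisions.items():
        print(f"{user}: {action}")
    print("HIP Match log:", *entries, sep="\n  ")
```

Running the model shows that only the device satisfying all three objects is allowed: a stale antivirus, a report missing the antivirus attribute, and a device with no report at all each fall through to the deny rule, and the HIP Match log receives an entry only for the successful match.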