Configure Host Compliance Services-based Security Policy

• Create Host Compliance Object: You start by creating individual HCOs for each specific security check you want to perform. For example, you can create one object to check for Windows 10, another for an up to date antivirus, and a third for disk encryption.
• Create Host Compliance Profile with Host Compliance Objects: You then create a HCP by using one or more HCOs . For example, you can create a 'Compliant Windows Devices' profile that requires a device to match all three of the objects- Windows 10 AND up to date antivirus AND disk encryption.
• Enable User-ID: You must enable User-ID so that the firewall generates HIP Match logs entries.
• Apply the Host Compliance Profile to a Security Policy: You must add the HCP as a matching criterion in your security policy rules. For example, you can create a rule that says, 'If a device matches the 'Compliant Windows Devices' HIP profile, and then, allow it to access our internal servers'.
• Define GlobalProtect Host Compliance Notifications: You can define the notification messages end-users see when a security policy rule with a HCP is enforced.
• (Optional)Configure Service Route for HCS: You can configure the service route only in scenarios where the HCS traffic should be routed separately from the management interface, or where the management interface does not have internet connectivity
• Verify that your Host Compliance Profiles are Working as Expected: You can monitor the traffic that is hitting your Host Compliance Profile-enabled security policy rules using the Traffic log.
• View and Monitor Host Compliance Service Details: You can view HCS connection status, verdict details, HCP details added to security policy rules.