Enable Host Compliance Service

This section describes how to enable the Host Compliance Service (HCS).
  1. On the firewall(s) hosting GlobalProtect gateway(s), select Device > Setup > Management > PAN-OS Edge Services Settings.
  2. Select the Enable Cloud Host Compliance Service check box to connect to the cloud services. The Connection status displays whether the HCS is enabled or not. Verify that the status indicator turns Green, confirming a successful connection to the cloud.
    By default, HCS is disabled.
    Below are the various connection statuses:
    • Gray: Service is not enabled.
    • Green: Service is enabled and successfully connected to the cloud.
    • Red: Service is enabled but is not connected to the cloud.
      1. Check that the device certificate is valid on the firewall where HCS is enabled.
      2. Check the cloud FQDN. Contact the Support team to resolve this issue.
    If your device is in a high availability (HA) configuration, the HCS connection for the active-secondary/passive device shows a Not Connected (Red) status. This is expected behavior and is accompanied by the message Device is not Active/Primary on the Monitor > Host Compliance page.
    Note the following behavior regarding HCS in a HA environment:
    • Active-Active Mode: Verdict synchronization occurs in one direction only, from the primary device to the secondary device. This ensures that the secondary device, which also processes traffic, has up-to-date verdicts.
    • Active-Passive Mode: Continuous synchronization to the passive device does not occur. In the event of a failover, the newly active device automatically downloads the complete set of verdicts from the cloud.
    The Active-Active sync happens on a best-effort basis and requires that device configurations are kept synchronized between the HA peers. If policies are inconsistent between the devices, verdict synchronization may fail or function unpredictably. This is a known limitation of the feature.