How Does the Gateway Use the Host Information to Enforce Policy?
Focus
Focus
GlobalProtect

How Does the Gateway Use the Host Information to Enforce Policy?

Table of Contents

How Does the Gateway Use the Host Information to Enforce Policy?

The gateway uses the host information to enforce policy based on HIP object and HIP profile matches.
While the app gets the information about what information to collect from the client configuration downloaded from the portal, you define which host attributes you are interested in monitoring and/or using for policy enforcement by creating HIP objects and HIP profiles on the gateway(s):
  • HIP Objects—The matching criteria used to filter out the host information you are interested in using to enforce policy from the raw data reported by the app. For example, while the raw host data may include information about several antivirus packages that are installed on the endpoint, you may only be interested in one particular application that you require within your organization. In this case, you would create a HIP object to match the specific application you are interested in enforcing.
    The best way to determine what HIP objects you need is to determine how you will use the host information you collect to enforce policy. Keep in mind that the HIP objects themselves are merely building blocks that allow you to create the HIP profiles that are used in your security policies. Therefore, you may want to keep your objects simple, matching on one thing, such as the presence of a particular type of required software, membership in a specific domain, or the presence of a specific endpoint OS. By doing this, you have the flexibility to create a very granular (and very powerful) HIP-augmented policy.
  • HIP Profiles—A collection of HIP objects that are evaluated together, either for monitoring or for security policy enforcement. When you create your HIP profiles, you can combine the HIP objects you previously created (as well as other HIP profiles) using Boolean logic, such that when a traffic flow is evaluated against the resulting HIP profile, it either matches or does not match. If there is a match, the corresponding policy rule is enforced. If there is no match, the flow is evaluated against the next rule, as with any other policy matching criteria.
Unlike a traffic log—which only creates a log entry if there is a policy match—the HIP Match log generates an entry whenever the raw data submitted by an app matches a HIP object and/or a HIP profile you have defined. This makes the HIP Match log a good resource for monitoring the state of the endpoints in your network over time—before attaching your HIP profiles to security policies—in order to help you determine exactly what policies you believe need enforcement. See Configure HIP-Based Policy Enforcement for details on how to create HIP objects and HIP profiles and use them as policy match criteria.