GlobalProtect
What Data Does the GlobalProtect App Collect?
The GlobalProtect app collects host information and data about the security
packages installed on the device, such as patch management, firewalls,
anti-malware software, and disk backup and encryption.
By default, the GlobalProtect app collects vendor-specific data about the end user security
packages that are running on the endpoint (as compiled by the OPSWAT global partnership
program) and reports this data to the GlobalProtect gateway for policy enforcement. See
the GlobalProtect 5.1 OPSWAT Support table, GlobalProtect 5.2 OPSWAT Support table, GlobalProtect 6.0 OPSWAT Support table, or
GlobalProtect 6.1 OPSWAT Support table for
details about the third-party vendor products that GlobalProtect can detect using the
specified OPSWAT SDK.
Starting with GlobalProtect app 5.2.6, support for OPSWAT
SDK V3 (end-of-life) will be removed and the GlobalProtect app will
only use OPSWAT SDK V4. Vendor and product names are based on OPSWAT
SDK V4. HIP check functionality in GlobalProtect app 5.2.6 and later
releases will not work with PAN-OS 8.0 (end-of-life) and earlier releases
(end-of-life), but will work as expected with PAN-OS 8.1 and later releases.
Because security software must continually evolve to ensure end
user protection, your GlobalProtect gateway licenses also enable
you to receive dynamic updates for the GlobalProtect data file with
the latest patch and software versions available for each package.
The GlobalProtect data file contains the list of anti-malware products with corresponding
lists of historical versions and definition update versions for each product.
The GlobalProtect data file is not used to populate the details of products, such as the list
of operating systems and anti-malware software, while configuring HIP Objects on the firewall. These details are
obtained through regular app or threat content updates.
For example, the GlobalProtect data file is used to:
- Match the HIP object for the specified definition version of the specific product using the Within option. For example, Within = 4 implies that the latest version and the three versions below it are acceptable.
- Match the latest product version using the Within option. For example, Within = 1 (for version matching, 1 is grayed out because it is the only available option).
To be able to perform comparisons as listed above, the firewall should have an up-to-date
GlobalProtect data file.
The GlobalProtect data file is used for specific HIP objects when you use the
Within condition while configuring HIP objects on the
firewall.
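The Within comparison described above, modelled as an added example (not Palo Alto Networks code). The version strings, endpoint names and function names are constructed, and treating a version that is missing from the data file as a non-match is an assumption made here to show why a stale data file breaks the comparison.

```python
"""Model of the HIP object "Within" comparison (added illustration, not PAN-OS code)."""

# Constructed sample: definition versions of one anti-malware product as a
# GlobalProtect data file might list them, newest first.
DATA_FILE_VERSIONS = ["1.405.12", "1.405.9", "1.405.3", "1.403.88", "1.403.51"]


def within(reported, known_versions, n):
    """Return True if `reported` is the latest version or one of the n-1 below it.

    known_versions must be ordered newest first. A version that is not in the
    list cannot be ranked, so this model treats it as a non-match (assumption).
    """
    if n < 1:
        raise ValueError("Within must be at least 1")
    if reported not in known_versions:
        return False
    return known_versions.index(reported) < n


def evaluate(endpoints, known_versions, n):
    """Map each endpoint name to 'match', 'too old' or 'unknown version'."""
    results = {}
    for host, reported in endpoints.items():
        if reported not in known_versions:
            results[host] = "unknown version"
        elif within(reported, known_versions, n):
            results[host] = "match"
        else:
            results[host] = "too old"
    return results


# Constructed endpoints, each reporting its virus definition version.
ENDPOINTS = {
    "laptop-a": "1.405.12",  # latest version
    "laptop-b": "1.403.88",  # fourth newest: inside Within = 4, outside Within = 1
    "laptop-c": "1.403.51",  # fifth newest: outside Within = 4
    "laptop-d": "1.406.2",   # newer than anything in this stale copy of the data file
}

if __name__ == "__main__":
    for n in (4, 1):
        print(f"Within = {n}:", evaluate(ENDPOINTS, DATA_FILE_VERSIONS, n))
```

The `laptop-d` case is the one to watch for in practice: the endpoint is fully up to date, but a data file that predates its definition version gives the comparison nothing to rank it against.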
By default, the app collects data about the following categories
of information to help identify the security state of the host:
Category | Data Collected |
---|---|
General | Information about the host itself, including the hostname, logon domain, operating system, app version, and, for Windows systems, the domain to which the machine belongs. For Windows endpoints’ domain, the GlobalProtect app collects the domain defined for ComputerNameDnsDomain, which is the DNS domain assigned to the local computer or the cluster associated with the local computer. This data is displayed for the Windows endpoints’ Domain in the HIP Match log details (Monitor > Logs > HIP Match). |
Mobile Device | Information about the mobile device, including the device name, logon domain, operating system, app version, and information about the network to which the device is connected. In addition, GlobalProtect collects information on whether the device is rooted or jailbroken. To collect mobile device attributes and utilize them in HIP enforcement policies, GlobalProtect requires an MDM server. GlobalProtect currently supports HIP integration with the Workspace ONE MDM server. For devices managed by Workspace ONE, host information collected by the GlobalProtect app can be supplemented with additional information collected from the Workspace ONE service. Refer to Configure Windows User-ID Agent to Collect Host Information for a list of attributes that can be retrieved from Workspace ONE. |
Patch Management | Information about any patch management software that is enabled and/or installed on the host and whether there are any missing patches. If you want to configure the Severity value for missing patches as a match condition in your HIP object (Objects > GlobalProtect > HIP Objects > <hip-object> > Patch Management > Criteria), use the following mappings between the GlobalProtect severity values and the OPSWAT severity ratings to understand what each value means: |
Firewall | Information about any firewalls that are installed and/or enabled on the host. |
Anti-Malware | Information about any antivirus or anti-spyware software that is enabled and/or installed on the endpoint, whether or not real-time protection is enabled, the virus definition version, last scan time, and the vendor and product name. GlobalProtect uses OPSWAT technology to detect and assess third-party security applications on the endpoint. By integrating with the OPSWAT OESIS framework, GlobalProtect enables you to assess the compliance state of the endpoint. For example, you can define HIP objects and HIP profiles that verify the presence of a specific version of antivirus software from a specific vendor on the endpoint and also ensure that it has the latest virus definition files. OPSWAT is unable to detect the following Anti-Malware information for the Gatekeeper security feature on macOS endpoints: |
Disk Backup | Information about whether disk backup software is installed, the last backup time, and the vendor and product name of the software. |
Disk Encryption | Information about whether disk encryption software is installed, which drives and/or paths are configured for encryption, and the vendor and product name of the software. (Requires GlobalProtect app 5.2) If you want to view the encryption status of all drives and/or paths on the endpoint, you must manually enter All as the Encrypted Locations when creating the HIP object for the Disk Encryption category. To verify if all drives or paths are encrypted, you must set the Encrypted Locations to All and set the State to Is encrypted from the drop-down. |
Data Loss Prevention | Information about whether data loss prevention (DLP) software is installed and/or enabled to prevent sensitive corporate information from leaving the corporate network or from being stored on a potentially insecure device. This information is only collected from Windows endpoints. |
Certificate | Information about the machine certificate installed on the endpoint. |
Custom Checks | Information about whether specific registry keys (Windows only), property lists (plists) (macOS only), process lists (Linux only), OR operating system processes and user-space application processes are present. |
You can exclude certain categories of information from being
collected on certain hosts to save CPU cycles and improve response
time. To do this, create an agent configuration on the portal, and
then exclude the categories you are not interested in (Network > GlobalProtect > Portals > <portal-config> > Agent > <agent-config> > Data Collection). For example,
if you do not plan on creating policies based on whether or not
endpoints run disk backup software, you can exclude that category
to prevent the app from collecting any information about disk backup.
You can also exclude information from being collected on personal
endpoints in order to provide user privacy. For example, you can
exclude the list of apps installed on endpoints that are not managed
by a third-party mobile device manager.