GlobalProtect
Configure HIP Process Remediation
HIP Process Remediation allows configuring custom checks and scripts to automatically
remediate failed process checks on GlobalProtect endpoints.
Use the following procedure to configure the GlobalProtect app to run a remediation
script whenever a GlobalProtect endpoint fails one or more process checks, to help
the endpoint recover from HIP check failures. With this feature enabled, the
GlobalProtect app allows a specified timeout period in which the endpoint can
run the remediation script after it fails a process check. After the timeout period
expires, the GlobalProtect app resubmits the HIP report.
- Set up custom process checks. The remediation script you write should check whether each process you have configured in the Custom Checks is running and, if it is not, start it.
- Configure a HIP remediation timeout on the portal.
  - Select Network > GlobalProtect > Portals.
  - Select the portal configuration to which you are adding the agent configuration, and then select the Agent tab.
  - Select the agent configuration that you want to modify, or Add a new one.
  - Select the App tab.
  - To enable the HIP remediation feature, set a HIP Remediation Process Timeout (sec). By default, this field is set to 0, indicating that the feature is disabled. Enter a value from 1-600 seconds to indicate the amount of time you want to allow for the remediation script to finish.
  - Click OK twice to save your app and portal configurations.
  - Commit the changes.
- Deploy the remediation script to your endpoints using mobile device management (MDM). As a best practice, use the standard script format for each platform (for example, deploy shell scripts on macOS endpoints and batch scripts on Windows endpoints). The script name is case sensitive and must use the predefined name and location as follows:
  - Windows: location `\Program Files\Palo Alto Networks\GlobalProtect\`, file name `hip-remediation-script.bat`
  - macOS: location `/Applications/GlobalProtect.app/Contents/Resources/`, file name `hip-remediation-script.sh`
- (Optional) Customize how the script runs on the endpoint by setting a checksum and/or custom error and success messages and by defining the context in which the script runs.
  - macOS
    - Calculate the SHA-256 checksum: `shasum -a 256 hip-remediation-script.sh`.
    - Edit the following values in the plist as needed:
      - checksum: the checksum you generated.
      - error-msg: the custom message to display to the end user when remediation fails.
      - success-msg: the custom message to display to the end user when remediation succeeds.
      - context: set to admin or user to specify the context in which to run the remediation script. By default, the script runs in the user context.
    - Replace the GlobalProtect plist by copying the modified plist over the default one: `sudo cp modified.plist /Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist`.
    - Stop and start PanGPS: `launchctl stop com.paloaltonetworks.gp.pangps`, then `launchctl start com.paloaltonetworks.gp.pangps`.
  - Windows
    - Create the checksum for the remediation script: `certutil -hashfile hip-remediation-script.bat SHA256`.
    - Deploy the registry setting using the Windows default registry editor. In the Windows Registry, go to `HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings\hip-remediation-script` and set the following keys:
      - checksum: the checksum you generated.
      - error-msg: the custom message to display to the end user when remediation fails.
      - success-msg: the custom message to display to the end user when remediation succeeds.
      - context: set to admin or user to specify the context in which to run the remediation script. By default, the script runs in the user context.
    - To restart GlobalProtect, in the Windows Services screen, find the PanGPS service and click Restart the service.