One of the jobs of the GlobalProtect agent is to collect
information about the host it is running on. The agent then submits
this host information to the GlobalProtect gateway upon successfully
connecting. The gateway matches this raw host information submitted
by the agent against any HIP objects and HIP profiles you have defined.
If it finds a match, it generates an entry in the HIP Match log.
Additionally, if it finds a HIP profile match in a policy rule,
it enforces the corresponding security policy.

Using host information profiles for policy enforcement enables
granular security: remote hosts accessing your critical resources
must be adequately maintained and adhere to your security standards
before they are allowed access to your network
resources. For example, before allowing access to your most sensitive
data systems, you might want to ensure that the hosts accessing
the data have encryption enabled on their hard drives. You can enforce
this policy by creating a security rule that only allows access
to the application if the client system has encryption enabled.
In addition, for clients that are not in compliance with this rule, you
could create a notification message that tells users why
they have been denied access and links them to the file share where
they can access the installation program for the missing encryption
software. To allow those users to access that file share, you would
also have to create a corresponding security rule allowing access
to the particular share for hosts with that specific HIP profile
match.
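
The matching flow and the disk-encryption scenario described above, as an added conceptual model in Python (not PAN-OS code or configuration, and not part of the original documentation). The object, profile, rule and report field names are constructed, and top-down first-match rule evaluation is assumed.

```python
# Conceptual model only; not PAN-OS code or configuration syntax.
# Object, profile, rule and report field names are all constructed.

# HIP objects: named checks against the raw host report.
HIP_OBJECTS = {
    "disk-encrypted":
        lambda r: r.get("disk_encryption", {}).get("state") == "encrypted",
}

# HIP profiles: boolean expressions over the HIP object results.
HIP_PROFILES = {
    "encrypted-hosts": lambda o: o["disk-encrypted"],
    "unencrypted-hosts": lambda o: not o["disk-encrypted"],
}

# Security rules, evaluated top-down; the first matching rule wins.
RULES = [
    {"name": "allow-sensitive-app", "app": "sensitive-db",
     "hip": "encrypted-hosts", "action": "allow"},
    {"name": "allow-remediation-share", "app": "install-share",
     "hip": "unencrypted-hosts", "action": "allow"},
    {"name": "default-deny", "app": "any", "hip": None, "action": "deny"},
]

# Constructed host reports, as an agent might submit after connecting.
ENCRYPTED = {"host": "laptop-01", "disk_encryption": {"state": "encrypted"}}
UNENCRYPTED = {"host": "laptop-02", "disk_encryption": {"state": "unencrypted"}}
NO_DATA = {"host": "laptop-03"}  # report lacks the field: treated as no match

def match_profiles(report):
    """Return the sorted names of HIP profiles the report matches."""
    objects = {name: check(report) for name, check in HIP_OBJECTS.items()}
    return sorted(n for n, expr in HIP_PROFILES.items() if expr(objects))

def evaluate(report, app):
    """Return (rule name, action, matched profiles) for one access attempt."""
    profiles = match_profiles(report)
    for rule in RULES:
        app_ok = rule["app"] in ("any", app)
        hip_ok = rule["hip"] is None or rule["hip"] in profiles
        if app_ok and hip_ok:
            return rule["name"], rule["action"], profiles
    return None, "deny", profiles

if __name__ == "__main__":
    for report in (ENCRYPTED, UNENCRYPTED, NO_DATA):
        for app in ("sensitive-db", "install-share"):
            print(report["host"], app, evaluate(report, app))
```

In this model a host whose report carries no encryption data is handled the same way as an unencrypted one: it is denied the sensitive application but can still reach the remediation share.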