End-of-Life (EoL)

What Data Does the GlobalProtect Agent Collect?

By default, the GlobalProtect agent collects vendor-specific data about the end user security packages that are running on the computer (as compiled by the OPSWAT global partnership program) and reports this data to the GlobalProtect gateway for use in policy enforcement.
Because security software must continually evolve to ensure end user protection, your GlobalProtect gateway licenses also enable you to get dynamic updates for the GlobalProtect data file with the latest patch and software versions available for each package.
While the agent collects a comprehensive amount of data about the host it is running on, you may have additional software that you require your end-users to run in order to connect to your network or to access certain resources. In this case, you can define custom checks that instruct the agent to collect specific registry information (on Windows clients), preference list (plist) information (on Mac OS clients), or to collect information about whether or not specific services are running on the host.
The agent collects data about the following categories of information by default, to help to identify the security state of the host:
Data Collection Categories
Data Collected
Information about the host itself, including the hostname, logon domain, operating system, client version, and, for Windows systems, the domain to which the machine belongs.
For Windows clients’ domain, the GlobalProtect agent collects the domain defined for
, which is the
DNS domain assigned to the local computer or the cluster associated with the local computer. This data is what is displayed for the Windows clients’
in the HIP Match log details (
HIP Match
Patch Management
Information about any patch management software that is enabled and/or installed on the host and whether there are any missing patches.
If you want to configure the
value for missing patches as a match condition in your HIP object (
HIP Objects
Patch Management
), use the following mappings between the GlobalProtect severity values and the OPSWAT severity ratings to understand what each value means:
  • 0
  • 1
  • 2
  • 3
Information about any client firewalls that are installed and/or enabled on the host.
Information about any antivirus software that is enabled and/or installed on the host, whether or not real-time protection is enabled, the virus definition version, last scan time, the vendor and product name.
GlobalProtect uses OPSWAT technology to detect and assess third-party security applications on the endpoint. By integrating with the OPSWAT OESIS framework, GlobalProtect enables you to assess the compliance state of the endpoint. For example, you can define HIP objects and HIP profiles that verify the presence of a specific version of Antivirus software from a specific vendor on the endpoint and also ensure that it has the latest virus definition files.
Information about any anti-spyware software that is enabled and/or installed on the host, whether or not real-time protection is enabled, the virus definition version, last scan time, the vendor and product name.
Disk Backup
Information about whether disk backup software is installed, the last backup time, and the vendor and product name of the software.
Disk Encryption
Information about whether disk encryption software is installed, which drives and/or paths are configured for encryption, and the vendor and product name of the software.
Data Loss Prevention
Information about whether data loss prevention (DLP) software is installed and/or enabled for the prevention sensitive corporate information from leaving the corporate network or from being stored on a potentially insecure device. This information is only collected from Windows clients.
Mobile Devices
Identifying information about the mobile device, such as the model number, phone number, serial number and International Mobile Equipment Identity (IMEI) number. In addition, the agent collects information about specific settings on the device, such as whether or not a passcode is set, whether the device is jailbroken, a list of apps installed on the device that are managed by a third-party mobile device manager, if the device contains apps that are known to have malware (Android devices only), and, optionally, the GPS location of the device and a list of apps that are not managed by the third-party mobile device manager. Note that for iOS devices, some information is collected by the GlobalProtect app and some information is reported directly by the operating system.
To collect mobile device attributes and utilize them in HIP enforcement policies, GlobalProtect requires an MDM server. GlobalProtect currently supports HIP integration with the AirWatch MDM server.
You can exclude certain categories of information from being collected on certain hosts (to save CPU cycles and improve client response time). To do this, you create a client configuration on the portal excluding the categories you are not interested in. For example, if you do not plan to create policy based on whether or not client systems run disk backup software, you can exclude that category and the agent will not collect any information about disk backup.
You can also choose to exclude collecting information from personal devices in order to allow for user privacy. This can include excluding device location and a list of apps installed on the device that are not managed by a third-party mobile device manager.

Recommended For You