Collect Application and Process Data From Clients

The Windows Registry and Mac Plist can be used to configure and store settings and options for Windows and Mac operating systems, respectively. You can create a custom check that will allow you to determine whether an application is installed (has a corresponding registry or plist key) or is running (has a corresponding running process) on a Windows or Mac client. Enabling custom checks instructs the GlobalProtect agent to collect specific registry information (Registry Keys and Registry Key Values) from Windows clients or preference list (plist) information (plists and plist keys) from Mac OS clients. The data that you define to be collected in a custom check is included in the raw host information data collected by the GlobalProtect agent and then submitted to the GlobalProtect gateway when the agent connects.
To monitor the data collected with custom checks you can create a HIP object. You can then add the HIP object to a HIP profile to use the collected data to match to device traffic and enforce security rules. The gateway can use the HIP object (which matches to the data defined in the custom check) to filter the raw host information submitted by the agent. When the gateway matches the client data to a HIP object, a HIP Match log entry is generated for the data. A HIP profile allows the gateway to also match the collected data to a security rule. If the HIP profile is used as criteria for a security policy rule, the gateway will enforce that security rule on the matching traffic.
Use the following task to enable custom checks to collect data from Windows and Mac clients. This task includes the optional steps to create a HIP object and HIP profile for a custom check, if you would like to use client data as matching criteria for a security policy to monitor, identify, and act on traffic.
For more information on defining agent settings directly from the Windows registry or the global Mac plist, see Deploy Agent Settings Transparently.
  1. Enable the GlobalProtect agent to collect Windows Registry information from Windows clients or Plist information from Mac clients. The type of information collected can include whether or not an application is installed on the client, or specific attributes or properties of that application.
    This step enables the agent to report data on the applications and client settings. (Steps 5 and 6 show you how to monitor and use the reported data to identify or take action on certain device traffic.)
    Collect data from a Windows client:
    1. Select Network > GlobalProtect > Portals and then select the portal configuration you want to modify or Add a new one.
    2. Select the Agent tab and then select the Agent configuration you want to modify or Add a new one.
    3. Select Data Collection, and then verify that Collect HIP Data is enabled.
    4. Select Custom Checks > Windows.
    5. Add the Registry Key that you want to collect information about. If you want to restrict data collection to a value contained within that Registry Key, add the corresponding Registry Value.
    Collect data from a Mac client:
    1. Select Network > GlobalProtect > Portals and then select the portal configuration you want to modify or Add a new one.
    2. Select the Agent tab and then select the Agent configuration you want to modify or Add a new one.
    3. Select Data Collection, and then verify that Collect HIP Data is enabled.
    4. Select Custom Checks > Mac.
    5. Add the Plist that you want to collect information about and the corresponding Plist Key to determine if the application is installed.
      For example, Add the Plist com.apple.screensaver and the Key askForPassword to collect information on whether a password is required to wake the Mac client after the screen saver begins.
      Confirm that the Plist and Key are added to the Mac custom checks.
  2. (Optional) Check if a specific process is running on the client.
    1. Continue from Step 1 on the Custom Checks tab (Network > GlobalProtect > Portals > <portal-config> > Agent > <agent-config> > Data Collection) and select the Windows tab or Mac tab.
    2. Add the name of the process that you want to collect information about to the Process List.
  3. Save the custom check.
    Click OK and Commit the changes.
  4. Verify that the GlobalProtect agent is collecting the data defined in the custom check from the client.
    For Windows clients:
    On the Windows client, double-click the GlobalProtect icon on the task bar and click the Host State tab to view the information that the GlobalProtect agent is collecting from the Windows client. Under the custom-checks drop-down, verify that the data that you defined for collection in 7 is displayed.
    For Mac clients:
    On the Mac client, click the GlobalProtect icon on the Menu bar, click Advanced View, and click Host State to view the information that the GlobalProtect agent is collecting for the Mac client. Under the custom-checks drop-down, verify that the data you defined for collection in 7 is displayed.
  5. (Optional) Create a HIP Object to match to a Registry Key (Windows) or Plist (Mac). This can allow you to filter the raw host information collected from the GlobalProtect agent in order to monitor the data for the custom check.
    With a HIP object defined for the custom check data, the gateway will match the raw data submitted from the agent to the HIP object and a HIP Match log entry is generated for the data (Monitor > HIP Match).
    For Windows and Mac clients:
    1. Select Objects > GlobalProtect > HIP Objects and Add a HIP Object.
    2. Select and enable Custom Checks.
    For Windows clients only:
    1. To check Windows clients for a specific registry key, select Registry Key and Add the registry key to match on. To identify only clients that do not have the specified registry key, select Key does not exist or match the specified value data.
    2. To match on specific values within the Registry key, click Add and then enter the registry value and value data. To identify clients that explicitly do not have the specified value or value data, select the Negate check box.
    3. Click OK to save the HIP object. You can Commit to view the data in the HIP Match logs at the next device check-in or continue to Step 6.
    For Mac clients only:
    1. Select the Plist tab, click Add, and enter the name of the Plist for which you want to check Mac clients. (If you instead want to match Mac clients that do not have the specified Plist, continue by selecting Plist does not exist.)
    2. (Optional) You can match traffic to a specific key-value pair within the Plist by entering the Key and the corresponding Value to match. (Alternatively, if you want to identify clients that do not have a specific Key and Value, you can continue by selecting Negate after populating the Key and Value fields.)
    3. Click OK to save the HIP object. You can Commit to view the data in the HIP Match logs at the next device check-in or continue to Step 6.
  6. (Optional) Create a HIP profile to allow the HIP object you created in Step 5 to be evaluated against traffic.
    The HIP profile can be added to a security policy as an additional check for traffic matching that policy. When the traffic is matched to the HIP profile, the security policy rule will be enforced on the traffic.
    For more details on creating HIP profiles, see Configure HIP-Based Policy Enforcement.
    1. Select Objects > GlobalProtect > HIP Profile.
    2. Click Add Match Criteria to open the HIP Objects/Profiles Builder.
    3. Select the HIP object you want to use as match criteria and then move it over to the Match box on the HIP Profile dialog.
    4. When you have finished adding the objects to the new HIP profile, click OK and Commit.
  7. Add the HIP profile to a security policy so that the data collected with the custom check can be used to match to and act on traffic.
    Select Policies > Security, and Add or modify a security policy. Go to the User tab to add a HIP profile to the policy. For more details on security policy components and using security policies to match to and act on traffic, see Security Policy.
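
The following Python sketch is an added example, not Palo Alto Networks code: it models the plist custom check from Step 1 (com.apple.screensaver and askForPassword) and the HIP object options from Step 5 (Key/Value, Negate, Plist does not exist) against constructed client data. The report layout, the string comparison of values, and the names collect and hip_match are assumptions made for illustration, not the agent's or gateway's actual format.

```python
import plistlib

def make_plist(ask_for_password):
    # Constructed sample data shaped like com.apple.screensaver preferences.
    return plistlib.dumps({"askForPassword": ask_for_password, "idleTime": 300})

def collect(client_plists, checks):
    """Collect only the plists and keys named in the custom check (Step 1)."""
    report = {}
    for plist, keys in checks.items():
        raw = client_plists.get(plist)
        if raw is None:
            report[plist] = {"exists": False, "keys": {}}
            continue
        data = plistlib.loads(raw)
        # Assumption: values are compared as strings, so integer 1 becomes "1".
        report[plist] = {"exists": True,
                         "keys": {k: str(data[k]) for k in keys if k in data}}
    return report

def hip_match(report, plist, key=None, value=None, negate=False, not_exist=False):
    """Evaluate one HIP-object-style plist criterion (Step 5), as modelled here."""
    entry = report.get(plist, {"exists": False, "keys": {}})
    if not_exist:                      # "Plist does not exist"
        return not entry["exists"]
    if key is None:                    # plist-only criterion
        return entry["exists"]
    hit = entry["keys"].get(key) == str(value)
    return hit != negate               # Negate inverts the key/value match

PLIST = "com.apple.screensaver"
CHECKS = {PLIST: ["askForPassword"]}
CLIENTS = {  # constructed clients, not real host data
    "locked": {PLIST: make_plist(1)},
    "unlocked": {PLIST: make_plist(0)},
    "no_plist": {},
}

def evaluate_clients():
    out = {}
    for name, plists in CLIENTS.items():
        report = collect(plists, CHECKS)
        out[name] = {
            "requires_password": hip_match(report, PLIST, "askForPassword", "1"),
            "negated": hip_match(report, PLIST, "askForPassword", "1", negate=True),
            "plist_missing": hip_match(report, PLIST, not_exist=True),
        }
    return out

if __name__ == "__main__":
    for name, result in evaluate_clients().items():
        print(name, result)
```

Under this model a negated key/value criterion also matches a client that has no such plist at all, so the "no_plist" client is only told apart from the "unlocked" one by the separate Plist does not exist criterion.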
