End-of-Life (EoL)

Configure HIP-Based Policy Enforcement

To enable the use of host information in policy enforcement you must complete the following steps. For more information on the HIP feature, see About Host Information.
  1. Verify proper licensing for HIP checks.
    To use the HIP feature, you must have purchased and installed a GlobalProtect Gateway subscription license on each gateway that will perform HIP checks. To verify the status of your licenses on each portal and gateway, select Device > Licenses.
    Contact your Palo Alto Networks Sales Engineer or Reseller if you do not have the required licenses. For more information on licensing, see About GlobalProtect Licenses.
  2. (Optional) Define any custom host information that you want the agent to collect. For example, if you have any required applications that are not included in the Vendor and/or Product lists for creating HIP objects, you could create a custom check that will allow you to determine whether that application is installed (has a corresponding registry or plist key) or is running (has a corresponding running process).
    Steps 2 and 3 assume that you have already created a portal configuration. If you have not yet configured your portal, see Configure the GlobalProtect Portal for instructions.
    1. On the firewall that is hosting your GlobalProtect portal, select Network > GlobalProtect > Portals.
    2. Select your portal configuration to open the GlobalProtect Portal dialog.
    3. Select the Agent tab and then select the agent configuration to which you want to add a custom HIP check, or click Add to create a new agent configuration.
    4. Select the Data Collection tab.
    5. Enable the Collect HIP Data option.
    6. Select Custom Checks and define the data you want to collect from hosts running this agent configuration as follows:
      • To collect information about specific registry keys: On the Windows tab, Add the name of a Registry Key for which to collect data in the Registry Key area. Optionally, to restrict data collection to a specific Registry Value, Add and then define the specific Registry Value or values. Click OK to save the settings.
      • To collect information about running processes: Select the appropriate tab (Windows or Mac) and then Add a process to the Process List. Enter the name of the process that you want the agent to collect information about.
      • To collect information about specific property lists: On the Mac tab, click Add in the Plist section. Enter the Plist for which to collect data. Optionally, click Add to restrict the data collection to specific Key values. Click OK to save the settings.
    7. If this is a new client configuration, complete the rest of the configuration as desired. For instructions, see Define the GlobalProtect Agent Configurations.
    8. Click OK to save the client configuration.
    9. Commit the changes.
  3. (Optional) Exclude categories from collection.
    1. On the firewall that is hosting your GlobalProtect portal, select Network > GlobalProtect > Portals.
    2. Select your portal configuration to open the GlobalProtect Portal dialog.
    3. On the Agent tab, select the agent configuration from which to exclude categories, or Add a new one.
    4. Select Data Collection, and then verify that Collect HIP Data is enabled.
    5. On the Exclude Categories tab, click Add. The Edit Exclude Category dialog displays.
    6. Select the Category you want to exclude from the drop-down list.
    7. (Optional) If you want to exclude specific vendors and/or products from collection within the selected category rather than excluding the entire category, click Add. You can then select the Vendor to exclude from the drop-down on the Edit Vendor dialog and, optionally, click Add to exclude specific products from that vendor. When you are done defining that vendor, click OK. You can add multiple vendors and products to the exclude list.
    8. Repeat Steps 6 and 7 for each category you want to exclude.
    9. If this is a new client configuration, complete the rest of the configuration as desired. For more information on defining client configurations, see Define the GlobalProtect Agent Configurations.
    10. Click OK to save the client configuration.
    11. Commit the changes.
  4. Create the HIP objects to filter the raw host data collected by the agents.
    The best way to determine what HIP objects you need is to determine how you will use the host information you collect to enforce policy. Keep in mind that the HIP objects themselves are merely building blocks that allow you to create the HIP profiles that are used in your security policies. Therefore, you may want to keep your objects simple, matching on one thing, such as the presence of a particular type of required software, membership in a specific domain, or the presence of a specific client OS. By doing this, you will have the flexibility to create a very granular (and very powerful) HIP-augmented policy.
    For details on a specific HIP category or field, refer to the online help.
    1. On the gateway (or on Panorama if you plan to share the HIP objects among multiple gateways), select Objects > GlobalProtect > HIP Objects and click Add.
    2. On the General tab, enter a Name for the object.
    3. Select the tab that corresponds to the category of host information you are interested in matching against and select the check box to enable the object to match against that category. For example, to create an object that looks for information about antivirus software, select the Antivirus tab and then select the Antivirus check box to enable the corresponding fields. Complete the fields to define the desired matching criteria. For example, you could create an object that matches only if the Symantec Norton AntiVirus 2004 Professional application is installed, has Real Time Protection enabled, and has virus definitions that have been updated within the last 5 days.
      Repeat this step for each category you want to match against in this object. For more information, see Data Collection Categories.
    4. Click OK to save the HIP object.
    5. Repeat these steps to create each additional HIP object you require.
    6. Commit the changes.
  5. Create the HIP profiles that you plan to use in your policies.
    When you create your HIP profiles, you can combine the HIP objects you previously created (as well as other HIP profiles) using Boolean logic such that when a traffic flow is evaluated against the resulting HIP profile it will either match or not match. If there is a match, the corresponding policy rule will be enforced; if there is not a match, the flow will be evaluated against the next rule, as with any other policy matching criteria.
    1. On the gateway (or on Panorama if you plan to share the HIP profiles among multiple gateways), select Objects > GlobalProtect > HIP Profiles and click Add.
    2. Enter a descriptive Name for the profile and optionally a Description.
    3. Click Add Match Criteria to open the HIP Objects/Profiles Builder.
    4. Select the first HIP object or profile you want to use as match criteria and then click the add icon to move it over to the Match text box on the HIP Profile dialog. Keep in mind that if you want the HIP profile to evaluate the object as a match only when the criteria in the object are not true for a flow, select the NOT check box before adding the object.
    5. Continue adding match criteria as appropriate for the profile you are building, making sure to select the appropriate Boolean operator radio button (AND or OR) between each addition (and, again, using the NOT check box when appropriate).
    6. If you are creating a complex Boolean expression, you must manually add the parentheses in the proper places in the Match text box to ensure that the HIP profile is evaluated using the logic you intend. For example, a HIP profile that should match traffic from a host that has either FileVault disk encryption (for Mac OS systems) or TrueCrypt disk encryption (for Windows systems), and also belongs to the required domain, and has a Symantec antivirus client installed, needs parentheses around the two disk-encryption objects so that the OR between them is evaluated before the ANDs; without them the expression may not be evaluated as you intend, and a host that fails one of the requirements could still match.
    7. When you are done adding match criteria, click OK to save the profile.
    8. Repeat these steps to create each additional HIP profile you require.
    9. Commit the changes.
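    The custom checks in Step 2 (registry key, plist and process collection) and the Boolean match logic in Step 5 are easier to reason about with the evaluation written out. The following Python is an added example, not PAN-OS or GlobalProtect code: it models a raw HIP report as a dictionary, each HIP object as a single-criterion predicate (as the text recommends), and a HIP profile as an expression of object names combined with AND, OR, NOT and parentheses. The report layout, the object, plist and process names, and the precedence applied when parentheses are omitted (NOT before AND before OR) are assumptions made for this illustration; the firewall's own evaluation order is not documented on this page, which is exactly why Step 6 tells you to add the parentheses explicitly.

```python
"""Added example, not PAN-OS code: evaluate HIP objects and a HIP profile expression
against a raw HIP report. Report layout, object names and the precedence used when
parentheses are omitted (NOT, then AND, then OR) are assumptions for illustration."""
from __future__ import annotations

import re
from typing import Callable

# Constructed sample reports: simplified stand-ins for what the agent submits.
COMPLIANT_MAC = {
    "host": {"domain": "corp.example.com"},
    "antivirus": [{"vendor": "Symantec", "realtime": True, "defs_age_days": 1}],
    "disk_encryption": [{"product": "FileVault", "state": "encrypted"}],
    "custom": {"registry": {}, "process": ["examplecorp-agent"],
               "plist": {"/Library/Preferences/com.examplecorp.agent.plist": {"Version": "3.1"}}},
}
# Same AV and encryption, but not domain-joined; the custom agent is installed yet not running.
UNMANAGED_MAC = {
    "host": {"domain": "WORKGROUP"},
    "antivirus": [{"vendor": "Symantec", "realtime": True, "defs_age_days": 2}],
    "disk_encryption": [{"product": "FileVault", "state": "encrypted"}],
    "custom": {"registry": {}, "process": [],
               "plist": {"/Library/Preferences/com.examplecorp.agent.plist": {"Version": "3.1"}}},
}

def _encrypted(report: dict, product: str) -> bool:
    return any(d["product"] == product and d["state"] == "encrypted" for d in report["disk_encryption"])

# HIP objects, one criterion each as the text recommends (hypothetical names).
HIP_OBJECTS: dict[str, Callable[[dict], bool]] = {
    "symantec-av": lambda r: any(a["vendor"] == "Symantec" and a["realtime"]
                                 and a["defs_age_days"] <= 5 for a in r["antivirus"]),
    "filevault": lambda r: _encrypted(r, "FileVault"),
    "truecrypt": lambda r: _encrypted(r, "TrueCrypt"),
    "corp-domain": lambda r: r["host"]["domain"].lower() == "corp.example.com",
    # Custom checks from Step 2: installed (registry key on Windows, plist on Mac) and running (process).
    "agent-installed": lambda r: any(k.upper().endswith("\\EXAMPLECORP\\AGENT") for k in r["custom"]["registry"])
                                 or any(k.endswith("com.examplecorp.agent.plist") for k in r["custom"]["plist"]),
    "agent-running": lambda r: "examplecorp-agent" in [p.lower() for p in r["custom"]["process"]],
}

def evaluate_objects(report: dict, objects=HIP_OBJECTS) -> dict[str, bool]:
    """Per-object verdicts for one host, the object-level lines a HIP Match log would show."""
    return {name: bool(pred(report)) for name, pred in objects.items()}

_TOKEN = re.compile(r"\s*(\(|\)|[A-Za-z_][\w.-]*)")

def tokenize(expr: str) -> list[str]:
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"bad character at offset {pos}: {expr[pos:pos + 8]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens

class _Parser:
    """Recursive descent over the token list; no eval(), so names never reach the interpreter."""
    def __init__(self, tokens: list[str], truth: dict[str, bool]):
        self.tokens, self.pos, self.truth = tokens, 0, truth
    def peek(self) -> str | None:
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None
    def take(self) -> str | None:
        tok = self.peek()
        self.pos += 1
        return tok
    def parse_or(self) -> bool:          # lowest precedence
        value = self.parse_and()
        while (self.peek() or "").lower() == "or":
            self.take()
            rhs = self.parse_and()       # always consume the operand; no short-circuit skipping
            value = value or rhs
        return value
    def parse_and(self) -> bool:
        value = self.parse_not()
        while (self.peek() or "").lower() == "and":
            self.take()
            rhs = self.parse_not()
            value = value and rhs
        return value
    def parse_not(self) -> bool:         # the builder's NOT check box
        if (self.peek() or "").lower() == "not":
            self.take()
            return not self.parse_not()
        return self.parse_atom()
    def parse_atom(self) -> bool:
        tok = self.take()
        if tok == "(":
            value = self.parse_or()
            if self.take() != ")":
                raise ValueError("missing closing parenthesis")
            return value
        if tok is None or tok == ")" or tok.lower() in ("and", "or", "not"):
            raise ValueError(f"expected a HIP object name, got {tok!r}")
        if tok not in self.truth:
            raise KeyError(f"unknown HIP object {tok!r}")
        return self.truth[tok]

def match_profile(expr: str, report: dict, objects=HIP_OBJECTS) -> bool:
    """True if the host's report satisfies the HIP profile expression."""
    parser = _Parser(tokenize(expr), evaluate_objects(report, objects))
    result = parser.parse_or()
    if parser.peek() is not None:
        raise ValueError(f"unexpected token {parser.peek()!r}")
    return result

if __name__ == "__main__":
    strict = "(filevault or truecrypt) and corp-domain and symantec-av"
    loose = "filevault or truecrypt and corp-domain and symantec-av"   # parentheses forgotten
    for label, report in (("compliant", COMPLIANT_MAC), ("unmanaged", UNMANAGED_MAC)):
        print(label, evaluate_objects(report))
        print("  strict:", match_profile(strict, report), " loose:", match_profile(loose, report))
    print("notify unmanaged host:", match_profile("agent-installed and not agent-running", UNMANAGED_MAC))
```

    Running the block prints the per-object verdicts for both constructed hosts, then shows that the parenthesised profile rejects the host that is not domain-joined while the same objects without parentheses accept it; the final line evaluates a profile of the kind you would attach to a Match Message in Step 9 to tell the user to start an installed but stopped agent.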
  6. Verify that the HIP objects and HIP profiles you created are matching your GlobalProtect client traffic as expected.
    Consider monitoring HIP objects and profiles as a means to monitor the security state and activity of your host endpoints. By monitoring the host information over time you will be better able to understand where your security and compliance issues are and you can use this information to guide you in creating useful policy. For more details, see How Do I Get Visibility into the State of the End Clients?
    On the gateway(s) that your GlobalProtect users are connecting to, select Monitor > Logs > HIP Match. This log shows all of the matches the gateway identified when evaluating the raw HIP data reported by the agents against the defined HIP objects and HIP profiles. Unlike other logs, a HIP match does not require a security policy match in order to be logged.
  7. Enable User-ID on the source zones that contain the GlobalProtect users that will be sending requests that require HIP-based access controls. You must enable User-ID even if you don’t plan on using the user identification feature; otherwise the firewall will not generate any HIP Match log entries.
    1. Select Network > Zones.
    2. Click the Name of the zone in which you want to enable User-ID to open the Zone dialog.
    3. Enable User-ID by selecting the Enabled check box and then click OK.
  8. Create the HIP-enabled security rules on your gateway(s).
    As a best practice, you should create your security rules and test that they match the expected flows based on the source and destination criteria as expected before adding your HIP profiles. By doing this you will also be better able to determine the proper placement of the HIP-enabled rules within the policy.
    1. Select Policies > Security and select the rule to which you want to add a HIP profile.
    2. On the Source tab, make sure the Source Zone is a zone for which you enabled User-ID in Step 7.
    3. On the User tab, click Add in the HIP Profiles section and select the HIP profile(s) you want to add to the rule (you can add up to 63 HIP profiles to a rule).
    4. Click OK to save the rule.
    5. Commit the changes.
  9. Define the notification messages end users will see when a security rule with a HIP profile is enforced.
    The decision as to when to display a message (that is, whether to display it when the user’s configuration matches a HIP profile in the policy or when it doesn’t match it), depends largely on your policy and what a HIP match (or non-match) means for the user. That is, does a match mean they are granted full access to your network resources? Or does it mean they have limited access due to a non-compliance issue?
    For example, suppose you create a HIP profile that matches if the required corporate antivirus and anti-spyware software packages are not installed. In this case, you might want to create a HIP notification message for users who match the HIP profile telling them that they need to install the software. Alternatively, if your HIP profile matched if those same applications are installed, you might want to create the message for users who do not match the profile.
    1. On the firewall that is hosting your GlobalProtect gateway(s), select Network > GlobalProtect > Gateways.
    2. Select a previously-defined gateway configuration to open the GlobalProtect Gateway dialog.
    3. Select Client Configuration > HIP Notification and then click Add.
    4. Select the HIP Profile this message applies to from the drop-down.
    5. Select Match Message or Not Match Message, depending on whether you want to display the message when the corresponding HIP profile is matched in policy or when it is not matched. In some cases you might want to create messages for both a match and a non-match, depending on what objects you are matching on and what your objectives are for the policy. For the Match Message, you can also enable the option to Include matched application list in message to indicate what applications triggered the HIP match.
    6. Select the Enable check box and select whether you want to display the message as a Pop Up Message or as a System Tray Balloon.
    7. Enter the text of your message in the Template text box and then click OK. The text box provides both a WYSIWYG view of the text and an HTML source view, which you can toggle between using the Source Edit icon. The toolbar also provides many options for formatting your text and for creating hyperlinks to external documents, for example to link users directly to the download URL for a required software program.
    8. Repeat this procedure for each message you want to define.
    9. Commit the changes.
  10. Verify that your HIP profiles are working as expected.
    You can monitor what traffic is hitting your HIP-enabled policies using the Traffic log as follows:
    1. From the gateway, select Monitor > Logs > Traffic.
    2. Filter the log to display only traffic that matches the rule that has the HIP profile you are interested in monitoring attached. For example, to search for traffic that matches a security rule named “iOS Apps” you would enter ( rule eq 'iOS Apps' ) in the filter text box.
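    Steps 6 and 10 verify matches from the GUI; the same two logs can be pulled over the PAN-OS XML API, which is useful for tracking compliance over time or for scripting a check after a policy commit. The following Python is an added example, not Palo Alto Networks code. Log retrieval through the API is asynchronous: a type=log request returns a job id, and a follow-up action=get request for that job returns the entries once its progress reaches 100. The firewall host name, the API key, the rule name and the exact set of fields returned per entry are assumptions, and both XML documents in the block are constructed samples rather than captured responses; the parser keeps whatever child elements an entry carries, so it tolerates differences in the field set.

```python
"""Added example, not Palo Alto Networks code: retrieve HIP Match and Traffic log
entries over the PAN-OS XML API and summarize them. Host, API key, rule name and
per-entry field names are placeholders; the sample XML below is constructed."""
from __future__ import annotations

import time
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from collections import Counter

def rule_filter(rule_name: str) -> str:
    """The same filter syntax the GUI accepts, e.g. ( rule eq 'iOS Apps' )."""
    if "'" in rule_name:
        raise ValueError("rule names containing a single quote are not handled here")
    return f"( rule eq '{rule_name}' )"

def submit_url(host: str, log_type: str, query: str = "", nlogs: int = 50) -> str:
    """Log retrieval is asynchronous: this request only returns a job id."""
    params = {"type": "log", "log-type": log_type, "nlogs": str(nlogs)}
    if query:
        params["query"] = query
    return f"https://{host}/api/?" + urllib.parse.urlencode(params)

def result_url(host: str, job: str) -> str:
    return f"https://{host}/api/?" + urllib.parse.urlencode(
        {"type": "log", "action": "get", "job-id": job})

def _root(xml_text: str) -> ET.Element:
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise RuntimeError("API error: " + (root.findtext(".//msg") or xml_text[:200]))
    return root

def job_id(xml_text: str) -> str:
    job = _root(xml_text).findtext("./result/job")
    if not job:
        raise RuntimeError("no job id in response")
    return job

def parse_entries(xml_text: str) -> tuple[int, list[dict[str, str]]]:
    """Return (progress, entries); each entry maps child element names to their text."""
    root = _root(xml_text)
    logs = root.find("./result/log/logs")
    progress = int(logs.get("progress", "0")) if logs is not None else 0
    entries = [{c.tag: (c.text or "") for c in e} for e in root.iter("entry")]
    return progress, entries

def profile_matches(entries: list[dict[str, str]]) -> Counter:
    """HIP Match entries per profile name; object-level hits are left out (assumed field names)."""
    return Counter(e["matchname"] for e in entries if e.get("matchtype") == "profile")

def traffic_by_user(entries: list[dict[str, str]], rule_name: str) -> Counter:
    """Who is hitting the HIP-enabled rule, and with which action."""
    return Counter((e.get("srcuser", ""), e.get("action", ""))
                   for e in entries if e.get("rule") == rule_name)

def fetch_logs(host: str, api_key: str, log_type: str, query: str = "",
               nlogs: int = 50, timeout: int = 30) -> list[dict[str, str]]:
    """Live call (not exercised offline): submit the query, then poll the job.
    The key is sent in the X-PAN-KEY header rather than the URL so it stays out of
    proxy and web-server logs; TLS verification stays on (install the firewall's CA)."""
    def get(url: str) -> str:
        req = urllib.request.Request(url, headers={"X-PAN-KEY": api_key})
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read().decode()
    job = job_id(get(submit_url(host, log_type, query, nlogs)))
    while True:
        progress, entries = parse_entries(get(result_url(host, job)))
        if progress >= 100:
            return entries
        time.sleep(1)

# Constructed sample responses following the <response><result><log><logs><entry> layout.
SAMPLE_HIP_XML = r"""<response status="success"><result><job>42</job><log><logs count="3" progress="100">
<entry logid="1"><receive_time>2024/05/01 09:12:03</receive_time><srcuser>corp\alice</srcuser><machinename>ALICE-MBP</machinename><os>Apple Mac OS X 12.6</os><src>10.8.0.21</src><matchname>filevault</matchname><matchtype>object</matchtype></entry>
<entry logid="2"><receive_time>2024/05/01 09:12:03</receive_time><srcuser>corp\alice</srcuser><machinename>ALICE-MBP</machinename><os>Apple Mac OS X 12.6</os><src>10.8.0.21</src><matchname>mac-encrypted-and-managed</matchname><matchtype>profile</matchtype></entry>
<entry logid="3"><receive_time>2024/05/01 09:15:40</receive_time><srcuser>corp\bob</srcuser><machinename>BOB-PC</machinename><os>Microsoft Windows 10</os><src>10.8.0.34</src><matchname>missing-corp-av</matchname><matchtype>profile</matchtype></entry>
</logs></log></result></response>"""

SAMPLE_TRAFFIC_XML = r"""<response status="success"><result><job>43</job><log><logs count="3" progress="100">
<entry logid="11"><receive_time>2024/05/01 09:20:11</receive_time><rule>iOS Apps</rule><src>10.8.0.21</src><dst>10.1.5.10</dst><srcuser>corp\alice</srcuser><app>ssl</app><action>allow</action></entry>
<entry logid="12"><receive_time>2024/05/01 09:20:15</receive_time><rule>iOS Apps</rule><src>10.8.0.21</src><dst>10.1.5.11</dst><srcuser>corp\alice</srcuser><app>web-browsing</app><action>allow</action></entry>
<entry logid="13"><receive_time>2024/05/01 09:21:02</receive_time><rule>iOS Apps</rule><src>10.8.0.34</src><dst>10.1.5.10</dst><srcuser>corp\bob</srcuser><app>ssl</app><action>deny</action></entry>
</logs></log></result></response>"""

if __name__ == "__main__":
    _, hip = parse_entries(SAMPLE_HIP_XML)
    print("profile matches:", dict(profile_matches(hip)))
    _, traffic = parse_entries(SAMPLE_TRAFFIC_XML)
    print("iOS Apps hits:", dict(traffic_by_user(traffic, "iOS Apps")))
    print("submit:", submit_url("fw.example.com", "traffic", rule_filter("iOS Apps")))
```

    Against a real gateway you would call fetch_logs(host, api_key, "hipmatch") and fetch_logs(host, api_key, "traffic", rule_filter("iOS Apps")) and feed the results to the two summaries; a user who appears under the non-compliance profile in the first and under the HIP-enabled rule with an allow action in the second is the case to investigate, since that combination means the rule's HIP profile is not doing what Step 8 intended.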
