End-of-Life (EoL)

How Do I Get Visibility into the State of the End Clients?

Whenever an end host connects to GlobalProtect, the agent presents its HIP data to the gateway. The gateway then uses this data to determine which HIP objects and/or HIP profiles the host matches. For each match, it generates a HIP Match log entry. Unlike a traffic log—which only creates a log entry if there is a policy match—the HIP Match log generates an entry whenever the raw data submitted by an agent matches a HIP object and/or a HIP profile you have defined. This makes the HIP Match log a good resource for monitoring the state of the hosts on your network over time—before attaching your HIP profiles to security policies—in order to help you determine exactly what policies you believe need enforcement.
Because a HIP Match log is only generated when the host state matches a HIP object you have created, for full visibility in to host state you may need to create multiple HIP objects to log HIP matches for hosts that are in compliance with a particular state (for security policy enforcement purposes) as well as hosts that are non-compliant (for visibility). For example, suppose you want to prevent a host that does not have Antivirus software installed from connecting to the network. In this case you would create a HIP object that matches hosts that have a particular Antivirus software installed. By including this object in a HIP profile and attaching it to the security policy rule that allows access from your VPN zone, you can ensure that only hosts that are protected with antivirus software can connect.
However, in this case you would not be able to see in the HIP Match log which particular hosts are not in compliance with this requirement. If you wanted to also see a log for hosts that do not have Antivirus software installed so that you can follow up with the users, you can also create a HIP object that matches the condition where the Antivirus software is not installed. Because this object is only needed for logging purposes, you do not need to add it to a HIP profile or attach it to a security policy rule.

Recommended For You