Do I Get Visibility into the State of the End Clients?
Whenever an end host connects to GlobalProtect, the
agent presents its HIP data to the gateway. The gateway then uses
this data to determine which HIP objects and/or HIP profiles the
host matches. For each match, it generates a HIP Match log entry. Unlike
a traffic log—which only creates a log entry if there is a policy
match—the HIP Match log generates an entry whenever the raw data
submitted by an agent matches a HIP object and/or a HIP profile
you have defined. This makes the HIP Match log a good resource for
monitoring the state of the hosts on your network over time—before
attaching your HIP profiles to security policies—in order to help
you determine exactly what policies you believe need enforcement.
Because a HIP Match log is only generated when the host state
matches a HIP object you have created, for full visibility in to
host state you may need to create multiple HIP objects to log HIP
matches for hosts that are in compliance with a particular state
(for security policy enforcement purposes) as well as hosts that
are non-compliant (for visibility). For example, suppose you want
to prevent a host that does not have Antivirus software installed
from connecting to the network. In this case you would create a
HIP object that matches hosts that have a particular Antivirus software
installed. By including this object in a HIP profile and attaching
it to the security policy rule that allows access from your VPN
zone, you can ensure that only hosts that are protected with antivirus
software can connect.
However, in this case you would not be able to see in the HIP
Match log which particular hosts are not in compliance with this
requirement. If you wanted to also see a log for hosts that do not
have Antivirus software installed so that you can follow up with
the users, you can also create a HIP object that matches the condition
where the Antivirus software is not installed. Because this object
is only needed for logging purposes, you do not need to add it to
a HIP profile or attach it to a security policy rule.