Does the Gateway Use the Host Information to Enforce Policy?
While the agent learns what information to collect from the client configuration it downloads from the portal, you define which host attributes you want to monitor and/or use for policy enforcement by creating HIP objects and HIP profiles on the gateway(s):
HIP Objects—Provide the matching criteria used to filter the host information you want to enforce policy on out of the raw data reported by the agent. For example, while the raw host data may include information about several antivirus packages installed on the client, you may only be interested in the one application that your organization requires. In this case, you would create a HIP object that matches that specific application.
The best way
to determine what HIP objects you need is to determine how you will
use the host information you collect to enforce policy. Keep in
mind that the HIP objects themselves are merely building blocks
that allow you to create the HIP profiles that are used in your
security policies. Therefore, you may want to keep your objects
simple, matching on one thing, such as the presence of a particular
type of required software, membership in a specific domain, or the presence
of a specific client OS. By doing this, you will have the flexibility
to create a very granular (and very powerful) HIP-augmented policy.
HIP Profiles—A collection of HIP objects that are evaluated together, either for monitoring or for security policy enforcement. When you create your HIP profiles, you can combine the HIP objects you previously created (as well as other HIP profiles) using Boolean logic, such that when a traffic flow is evaluated against the resulting HIP profile it will either match or not match. If there is a match, the corresponding policy rule is enforced; if there is not a match, the flow is evaluated against the next rule, as with any other policy matching criteria.
Unlike a traffic log—which only creates a log entry if there
is a policy match—the HIP Match log generates an entry whenever
the raw data submitted by an agent matches a HIP object and/or a
HIP profile you have defined. This makes the HIP Match log a good
resource for monitoring the state of the hosts on your network over time—before
attaching your HIP profiles to security policies—in order to help
you determine exactly what policies you believe need enforcement.
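The following is an added illustration (not PAN-OS code) of the two mechanisms described above: HIP objects that each match one host attribute, HIP profiles that combine them with Boolean logic and feed top-down security rule evaluation, and a HIP Match log that records every object/profile match regardless of whether any rule matches. The host data fields, object names and rule names are constructed assumptions.

```python
from typing import Callable

# Constructed raw host data, as an agent might report it.
HOST = {
    "domain": "corp.example",
    "os": "Windows",
    "antivirus": ["VendorA AV", "VendorB AV"],  # several packages present
    "disk_encryption": False,
}

# HIP objects: keep each one simple, matching on a single attribute.
HIP_OBJECTS: dict[str, Callable[[dict], bool]] = {
    "has-required-av": lambda h: "VendorA AV" in h["antivirus"],
    "in-corp-domain": lambda h: h["domain"] == "corp.example",
    "is-windows": lambda h: h["os"] == "Windows",
    "disk-encrypted": lambda h: bool(h["disk_encryption"]),
}

# HIP profiles: Boolean combinations of objects and of other profiles.
HIP_PROFILES: dict[str, Callable[[dict], bool]] = {}
HIP_PROFILES["managed-windows"] = lambda h: (
    HIP_OBJECTS["in-corp-domain"](h) and HIP_OBJECTS["is-windows"](h))
HIP_PROFILES["compliant"] = lambda h: (
    HIP_PROFILES["managed-windows"](h)
    and HIP_OBJECTS["has-required-av"](h)
    and HIP_OBJECTS["disk-encrypted"](h))

# Security rules evaluated top-down; a HIP profile is one match criterion.
# hip_profile=None means the rule has no HIP criterion (matches any host).
RULES = [
    {"name": "allow-internal", "hip_profile": "compliant"},
    {"name": "allow-remediation-only", "hip_profile": "managed-windows"},
    {"name": "deny-all", "hip_profile": None},
]


def hip_match_log(host: dict) -> list[str]:
    """Names of every object and profile the raw host data matches.
    Generated independently of whether any security rule matches."""
    matched = [name for name, check in HIP_OBJECTS.items() if check(host)]
    matched += [name for name, check in HIP_PROFILES.items() if check(host)]
    return matched


def evaluate_policy(host: dict) -> str:
    """Return the first rule whose HIP profile matches; fall through otherwise."""
    for rule in RULES:
        profile = rule["hip_profile"]
        if profile is None or HIP_PROFILES[profile](host):
            return rule["name"]
    return "no-match"
```

Reviewing the HIP Match log output for a fleet before attaching profiles to rules shows which hosts would fall through to the remediation or deny rules, which is the "monitor first" workflow the text recommends.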
See Configure HIP-Based Policy Enforcement for
details on how to create HIP objects and HIP profiles and use them
as policy match criteria.