Collect Application and Process Data From Clients

Enable the GlobalProtect agent to collect Windows Registry information from Windows clients or Plist information from Mac clients. The type of information collected can include whether or not an application is installed on the client, or specific attributes or properties of that application.
This step enables the agent to report data on the applications and client settings. (5 and 6 will show you how to monitor and use the reported data to identify or take action on certain device traffic).
Collect data from a Windows client:
Select

Network

GlobalProtect

Portals

and then select the portal configuration you want to modify or

Add

a new one.

Select the

Agent

tab and then select the Agent configuration you want to modify or

Add

a new one.

Select

Data Collection

, and then verify that

Collect HIP Data

is enabled.

Select

Custom Checks

Windows

.

Add the Registry Key that you want to collect information about. If you want to restrict data collection to a value contained within that Registry Key, add the corresponding

Registry Value

.


Collect data from a Mac client:
Select

Network

GlobalProtect

Portals

and then select the portal configuration you want to modify or

Add

a new one.

Select the

Agent

tab and then select the Agent configuration you want to modify or

Add

a new one.

Select

Data Collection

, and then verify that

Collect HIP Data

is enabled.

Select

Custom Checks

Mac

.

Add the

Plist

that you want to collect information about and the corresponding Plist

Key

to determine if the application is installed:



For example,

Add

the

Plist

com.apple.screensaver

and the

Key

askForPassword

to collect information on whether a password is required to wake the Mac client after the screen saver begins:



Confirm that the

Plist

and

Key

are added to the Mac custom checks:


(
Optional
) Check if a specific process is running on the client.
Continue from 1 on the
Custom Checks
tab (
Network
GlobalProtect
Portals
<portal-config
Agent
<agent-config
Data Collection
) and select the
Windows
tab or
Mac
tab.
Add
the name of the process that you want to collect information about to the
Process List
.
Save the custom check.
Click
OK
and
Commit
the changes.
Verify that the GlobalProtect agent is collecting the data defined in the custom check from the client.
For Windows clients:
On the Windows client, double-click the GlobalProtect icon on the task bar and click the
Host State
tab to view the information that the GlobalProtect agent is collecting from the Mac client. Under the custom-checks dropdown, verify that the data that you defined for collection in 7 is displayed:

For Mac clients:
On the Mac client, click the GlobalProtect icon on the Menu bar, click
Advanced View
, and click
Host State
to view the information that the GlobalProtect agent is collecting for the Mac client. Under the custom-checks dropdown, verify that the data you defined for collection in 7 is displayed:

(
Optional
) Create a HIP Object to match to a Registry Key (Windows) or Plist (Mac). This can allow you to filter the raw host information collected from the GlobalProtect agent in order to monitor the data for the custom check.
With a HIP object defined for the custom check data, the gateway will match the raw data submitted from the agent to the HIP object and a HIP Match log entry is generated for the data (
Monitor
HIP Match
).
For Windows and Mac clients:
Select
Objects
GlobalProtect
HIP Objects
and
Add
a
HIP Object
.
Select and enable
Custom Checks
.
For Windows clients only:
To check Windows clients for a specific registry key, select
Registry Key
and
Add
the registry to match on. To only identify clients that do not have the specified registry key, select
Key does not exist or match the specified value data
.
To match on specific values within the Registry key, click
Add
and then enter the registry value and value data. To identify clients that explicitly do not have the specified value or value data, select the
Negate
check box.

Click
OK
to save the HIP object. You can
Commit
to view the data in the
HIP Match
logs at the next device check-in or continue to 6.
For Mac clients only:
Select the
Plist
tab and
Add
and enter the name of the
Plist
for which you want to check Mac clients. (If instead, you want to match Mac clients that do not have the specified Plist, continue by selecting
Plist does not exist
).
(
Optional
) You can match traffic to a specific key-value pair within the Plist by entering the
Key
and the corresponding
Value
to match. (Alternatively, if you want to identify clients that do not have a specific Key and Value, you can continue by selecting
Negate
after adding populating the
Key
and
Value
fields).

Click
OK
to save the HIP object. You can
Commit
to view the data in the
HIP Match
logs at the next device check-in or continue to 6.
(
Optional
) Create a HIP profile to allow the HIP object you created in 5 to be evaluated against traffic.
The HIP profile can be added to a security policy as an additional check for traffic matching that policy. When the traffic is matched to the HIP profile, the security policy rule will be enforced on the traffic.
For more details on creating a HIP profiles, see Configure HIP-Based Policy Enforcement.
Select

Objects

GlobalProtect

HIP Profile

.

Click

Add Match Criteria

to open the

HIP Objects/Profiles Builder

.

Select the

HIP object

you want to use as match criteria and then move it over to the

Match

box on the HIP Profile dialog.

When you have finished adding the objects to the new HIP profile, click

OK

and

Commit

.


Add the HIP profile to a security policy so that the data collected with the custom check can be used to match to and act on traffic.
Select
Policies
Security
, and
Add
or modify a security policy. Go to the
User
tab to add a HIP profile to the policy. For more details on security policies components and using security policies to match to and act on traffic, see Security Policy.