End-of-Life (EoL)
Collect Application and Process Data From Clients
The Windows Registry and Mac Plist can be
used to configure and store settings and options for Windows and
Mac operating systems, respectively. You can create a custom check
that will allow you to determine whether an application is installed
(has a corresponding registry or plist key) or is running (has a
corresponding running process) on a Windows or Mac client. Enabling
custom checks instructs the GlobalProtect agent to collect specific
registry information (Registry Keys and Registry Key Values from
Windows clients), preference list (plist) information (plist and
plist keys from Mac OS clients). The data that you define to be
collected in a custom check is included in the raw host information
data collected by the GlobalProtect agent and then submitted to
the GlobalProtect gateway when the agent connects.
To monitor
the data collected with custom checks you can create a HIP object.
You can then add the HIP object to a HIP profile to use the collected
data to match to device traffic and enforce security rules. The
gateway can use the HIP object (which matches to the data defined
in the custom check) to filter the raw host information submitted
by the agent. When the gateway matches the client data to a HIP
object, a HIP Match log entry is generated for the data. A HIP profile
allows the gateway to also match the collected data to a security
rule. If the HIP profile is used as criteria for a security policy
rule, the gateway will enforce that security rule on the matching traffic.
Use
the following task to enable custom checks to collect data from
Windows and Mac clients. This task includes the optional steps to
create a HIP object and HIP profile for a custom check, if you would
like to use client data as matching criteria for a security policy
to monitor, identify, and act on traffic.
For more information
on defining agent settings directly from the Windows registry or
the global Mac plist, see Deploy
Agent Settings Transparently.
- Enable the GlobalProtect agent to collect Windows Registry information from Windows clients or Plist information from Mac clients. The type of information collected can include whether or not an application is installed on the client, or specific attributes or properties of that application.
- Selectand then select the portal configuration you want to modify orNetworkGlobalProtectPortalsAdda new one.
- Select theAgenttab and then select the Agent configuration you want to modify orAdda new one.
- SelectData Collection, and then verify thatCollect HIP Datais enabled.
- Select.Custom ChecksWindows
- Add the Registry Key that you want to collect information about. If you want to restrict data collection to a value contained within that Registry Key, add the correspondingRegistry Value.
Collect data from a Mac client:- Selectand then select the portal configuration you want to modify orNetworkGlobalProtectPortalsAdda new one.
- Select theAgenttab and then select the Agent configuration you want to modify orAdda new one.
- SelectData Collection, and then verify thatCollect HIP Datais enabled.
- Select.Custom ChecksMac
- Add thePlistthat you want to collect information about and the corresponding PlistKeyto determine if the application is installed:For example,AddthePlistcom.apple.screensaverand theKeyaskForPasswordto collect information on whether a password is required to wake the Mac client after the screen saver begins:Confirm that thePlistandKeyare added to the Mac custom checks:
- (Optional) Check if a specific process is running on the client.
- Continue from 1 on theCustom Checkstab () and select theNetworkGlobalProtectPortals<portal-configAgent<agent-configData CollectionWindowstab orMactab.
- Addthe name of the process that you want to collect information about to theProcess List.
- Save the custom check.ClickOKandCommitthe changes.
- Verify that the GlobalProtect agent is collecting the data defined in the custom check from the client.For Windows clients:On the Windows client, double-click the GlobalProtect icon on the task bar and click theHost Statetab to view the information that the GlobalProtect agent is collecting from the Mac client. Under the custom-checks dropdown, verify that the data that you defined for collection in 7 is displayed:For Mac clients:On the Mac client, click the GlobalProtect icon on the Menu bar, clickAdvanced View, and clickHost Stateto view the information that the GlobalProtect agent is collecting for the Mac client. Under the custom-checks dropdown, verify that the data you defined for collection in 7 is displayed:
- (Optional) Create a HIP Object to match to a Registry Key (Windows) or Plist (Mac). This can allow you to filter the raw host information collected from the GlobalProtect agent in order to monitor the data for the custom check.With a HIP object defined for the custom check data, the gateway will match the raw data submitted from the agent to the HIP object and a HIP Match log entry is generated for the data ().MonitorHIP MatchFor Windows and Mac clients:
- SelectandObjectsGlobalProtectHIP ObjectsAddaHIP Object.
- Select and enableCustom Checks.
For Windows clients only:- To check Windows clients for a specific registry key, selectRegistry KeyandAddthe registry to match on. To only identify clients that do not have the specified registry key, selectKey does not exist or match the specified value data.
- To match on specific values within the Registry key, clickAddand then enter the registry value and value data. To identify clients that explicitly do not have the specified value or value data, select theNegatecheck box.
- ClickOKto save the HIP object. You canCommitto view the data in theHIP Matchlogs at the next device check-in or continue to 6.
For Mac clients only:- Select thePlisttab andAddand enter the name of thePlistfor which you want to check Mac clients. (If instead, you want to match Mac clients that do not have the specified Plist, continue by selectingPlist does not exist).
- (Optional) You can match traffic to a specific key-value pair within the Plist by entering theKeyand the correspondingValueto match. (Alternatively, if you want to identify clients that do not have a specific Key and Value, you can continue by selectingNegateafter adding populating theKeyandValuefields).
- ClickOKto save the HIP object. You canCommitto view the data in theHIP Matchlogs at the next device check-in or continue to 6.
- (Optional) Create a HIP profile to allow the HIP object you created in 5 to be evaluated against traffic.The HIP profile can be added to a security policy as an additional check for traffic matching that policy. When the traffic is matched to the HIP profile, the security policy rule will be enforced on the traffic.For more details on creating a HIP profiles, see Configure HIP-Based Policy Enforcement.
- Select.ObjectsGlobalProtectHIP Profile
- ClickAdd Match Criteriato open theHIP Objects/Profiles Builder.
- Select theHIP objectyou want to use as match criteria and then move it over to theMatchbox on the HIP Profile dialog.
- When you have finished adding the objects to the new HIP profile, clickOKandCommit.
- Add the HIP profile to a security policy so that the data collected with the custom check can be used to match to and act on traffic.Select, andPoliciesSecurityAddor modify a security policy. Go to theUsertab to add a HIP profile to the policy. For more details on security policies components and using security policies to match to and act on traffic, see Security Policy.
Recommended For You
Recommended Videos
Recommended videos not found.