End-of-Life (EoL)

Collect Application and Process Data From Clients

The Windows Registry and Mac plist store settings and options for Windows and Mac operating systems, respectively. You can create a custom check to determine whether an application is installed (has a corresponding registry or plist key) or is running (has a corresponding running process) on a Windows or Mac client. Enabling custom checks instructs the GlobalProtect agent to collect specific registry information (Registry Keys and Registry Key Values) from Windows clients or preference list (plist) information (plists and plist keys) from Mac OS clients. The data that you define to be collected in a custom check is included in the raw host information data collected by the GlobalProtect agent and then submitted to the GlobalProtect gateway when the agent connects.
To monitor the data collected with custom checks you can create a HIP object. You can then add the HIP object to a HIP profile to use the collected data to match to device traffic and enforce security rules. The gateway can use the HIP object (which matches to the data defined in the custom check) to filter the raw host information submitted by the agent. When the gateway matches the client data to a HIP object, a HIP Match log entry is generated for the data. A HIP profile allows the gateway to also match the collected data to a security rule. If the HIP profile is used as criteria for a security policy rule, the gateway will enforce that security rule on the matching traffic.
Use the following task to enable custom checks to collect data from Windows and Mac clients. This task includes the optional steps to create a HIP object and HIP profile for a custom check, if you would like to use client data as matching criteria for a security policy to monitor, identify, and act on traffic.
For more information on defining agent settings directly from the Windows registry or the global Mac plist, see Deploy Agent Settings Transparently.
  1. Enable the GlobalProtect agent to collect Windows Registry information from Windows clients or Plist information from Mac clients. The type of information collected can include whether or not an application is installed on the client, or specific attributes or properties of that application.
    This step enables the agent to report data on the applications and client settings. (Steps 5 and 6 show you how to monitor and use the reported data to identify or take action on certain device traffic.)
    Collect data from a Windows client:
    1. Select Network > GlobalProtect > Portals and then select the portal configuration you want to modify or Add a new one.
    2. Select the Agent tab and then select the Agent configuration you want to modify or Add a new one.
    3. Select Data Collection, and then verify that Collect HIP Data is enabled.
    4. Select Custom Checks > Windows.
    5. Add the Registry Key that you want to collect information about. If you want to restrict data collection to a value contained within that Registry Key, add the corresponding Registry Value.
    Collect data from a Mac client:
    1. Select Network > GlobalProtect > Portals and then select the portal configuration you want to modify or Add a new one.
    2. Select the Agent tab and then select the Agent configuration you want to modify or Add a new one.
    3. Select Data Collection, and then verify that Collect HIP Data is enabled.
    4. Select Custom Checks > Mac.
    5. Add the Plist that you want to collect information about and the corresponding Plist Key to determine if the application is installed.
      For example, Add the Plist com.apple.screensaver and the Key askForPassword to collect information on whether a password is required to wake the Mac client after the screen saver begins.
      Confirm that the Plist and Key are added to the Mac custom checks.
  2. (Optional) Check if a specific process is running on the client.
    1. Continue from step 1 on the Custom Checks tab (Network > GlobalProtect > Portals > <portal-config> > Agent > <agent-config> > Data Collection) and select the Windows tab or Mac tab.
    2. Add the name of the process that you want to collect information about to the Process List.
  3. Save the custom check.
    Click OK and Commit the changes.
  4. Verify that the GlobalProtect agent is collecting the data defined in the custom check from the client.
    For Windows clients:
    On the Windows client, double-click the GlobalProtect icon on the task bar and click the Host State tab to view the information that the GlobalProtect agent is collecting from the Windows client. Under the custom-checks dropdown, verify that the data that you defined for collection in step 7 is displayed.
    For Mac clients:
    On the Mac client, click the GlobalProtect icon on the Menu bar, click Advanced View, and click Host State to view the information that the GlobalProtect agent is collecting for the Mac client. Under the custom-checks dropdown, verify that the data you defined for collection in step 7 is displayed.
  5. (Optional) Create a HIP Object to match to a Registry Key (Windows) or Plist (Mac). This allows you to filter the raw host information collected from the GlobalProtect agent in order to monitor the data for the custom check.
    With a HIP object defined for the custom check data, the gateway will match the raw data submitted from the agent to the HIP object and a HIP Match log entry is generated for the data (Monitor > HIP Match).
    For Windows and Mac clients:
    1. Select Objects > GlobalProtect > HIP Objects and Add a HIP Object.
    2. Select and enable Custom Checks.
    For Windows clients only:
    1. To check Windows clients for a specific registry key, select Registry Key and Add the registry to match on. To only identify clients that do not have the specified registry key, select Key does not exist or match the specified value data.
    2. To match on specific values within the Registry key, click Add and then enter the registry value and value data. To identify clients that explicitly do not have the specified value or value data, select the Negate check box.
    3. Click OK to save the HIP object. You can Commit to view the data in the HIP Match logs at the next device check-in or continue to step 6.
    For Mac clients only:
    1. Select the Plist tab, click Add, and enter the name of the Plist for which you want to check Mac clients. (If you instead want to match Mac clients that do not have the specified Plist, continue by selecting Plist does not exist.)
    2. (Optional) You can match traffic to a specific key-value pair within the Plist by entering the Key and the corresponding Value to match. (Alternatively, if you want to identify clients that do not have a specific Key and Value, you can continue by selecting Negate after populating the Key and Value fields.)
    3. Click OK to save the HIP object. You can Commit to view the data in the HIP Match logs at the next device check-in or continue to step 6.
  6. (Optional) Create a HIP profile to allow the HIP object you created in step 5 to be evaluated against traffic.
    The HIP profile can be added to a security policy as an additional check for traffic matching that policy. When the traffic is matched to the HIP profile, the security policy rule will be enforced on the traffic.
    For more details on creating HIP profiles, see Configure HIP-Based Policy Enforcement.
    1. Select Objects > GlobalProtect > HIP Profile.
    2. Click Add Match Criteria to open the HIP Objects/Profiles Builder.
    3. Select the HIP object you want to use as match criteria and then move it over to the Match box on the HIP Profile dialog.
    4. When you have finished adding the objects to the new HIP profile, click OK and Commit.
  7. Add the HIP profile to a security policy so that the data collected with the custom check can be used to match to and act on traffic.
    Select Policies > Security, and Add or modify a security policy. Go to the User tab to add a HIP profile to the policy. For more details on security policy components and using security policies to match to and act on traffic, see Security Policy.
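
The following Python example is added here for illustration and is not code from GlobalProtect or its documentation. It models the Mac plist custom check from step 1 and the HIP object Plist criteria from step 5 (Plist does not exist, Key and Value, Negate) on a constructed com.apple.screensaver plist. The function names, the comparison of values as strings, and the treatment of a missing plist under Negate are assumptions of the example.

```python
import plistlib

# Constructed sample input: the page's example plist as a Mac client might hold it.
SAMPLE_PLISTS = {
    "com.apple.screensaver": plistlib.dumps({"askForPassword": 1, "idleTime": 300}),
}

def collect(plists, checks):
    """Model of a Mac custom check: for each (plist, key) pair report the key's
    value as a string, None for a missing key, or None for a missing plist."""
    report = {}
    for name, key in checks:
        raw = plists.get(name)
        if raw is None:
            report[name] = None               # plist not present on the client
            continue
        data = plistlib.loads(raw)
        entry = report.setdefault(name, {})
        if key is not None:
            entry[key] = str(data[key]) if key in data else None
    return report

def hip_match(report, plist, key=None, value=None, negate=False, plist_absent=False):
    """Hypothetical evaluation of one HIP object Plist criterion against a report."""
    entry = report.get(plist)
    if plist_absent:                          # "Plist does not exist" selected
        return entry is None
    if key is None:                           # match on the plist alone
        return entry is not None
    # Assumption: a client without the plist also counts as lacking the key/value.
    hit = entry is not None and entry.get(key) == str(value)
    return hit != negate                      # Negate inverts the key/value test

# "com.example.absent" is a constructed plist name that the sample client lacks.
REPORT = collect(SAMPLE_PLISTS, [("com.apple.screensaver", "askForPassword"),
                                 ("com.example.absent", None)])

if __name__ == "__main__":
    print(REPORT)
    # Flag clients that do NOT require a password after the screen saver starts.
    print(hip_match(REPORT, "com.apple.screensaver", "askForPassword", 1, negate=True))
```

A Negate criterion on askForPassword with Value 1 is the form that singles out clients without the screen-lock password, which is the group a restrictive security rule would normally target.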
