End-of-Life (EoL)
What Data Does the GlobalProtect App Collect?
By default, the GlobalProtect app collects vendor-specific
data about the end user security packages that are running on the
endpoint (as compiled by the OPSWAT global partnership program)
and reports this data to the GlobalProtect gateway for policy enforcement.
See the GlobalProtect 5.1 OPSWAT Support table
or GlobalProtect 5.2 OPSWAT Support table
for details about the third-party vendor products that GlobalProtect
can detect using the specified OPSWAT SDK.
Because security software must continually evolve to ensure end
user protection, your GlobalProtect gateway licenses also enable
you to receive dynamic updates for the GlobalProtect data file with
the latest patch and software versions available for each package.
While the GlobalProtect app collects a comprehensive amount of
data about the host it is running on, you may require your end users
to run additional software in order to connect to the network or
access certain resources. In this case, you can define custom checks
that instruct the app to collect specific registry information (on Windows
endpoints), preference list (plist) information (on macOS endpoints),
or information about whether or not specific services are running
on the host.
By default, the app collects data about the following categories
of information to help identify the security state of the host:
| Category | Data Collected |
|---|---|
| General | Information about the host itself, including the hostname, logon domain, operating system, app version, and, for Windows systems, the domain to which the machine belongs. For the Windows endpoint's domain, the GlobalProtect app collects the domain defined for `ComputerNameDnsDomain`, which is the DNS domain assigned to the local computer or to the cluster associated with the local computer. This data is displayed as the Windows endpoint's Domain in the HIP Match log details (Monitor > Logs > HIP Match). |
| Mobile Device | Information about the mobile device, including the device name, logon domain, operating system, app version, and information about the network to which the device is connected. In addition, GlobalProtect collects information on whether the device is rooted or jailbroken. To collect mobile device attributes and use them in HIP enforcement policies, GlobalProtect requires an MDM server. GlobalProtect currently supports HIP integration with the AirWatch MDM server. For devices managed by AirWatch, host information collected by the GlobalProtect app can be supplemented with additional information collected from the AirWatch service. Refer to Configure Windows User-ID Agent to Collect Host Information for a list of attributes that can be retrieved from AirWatch. |
| Patch Management | Information about any patch management software that is enabled and/or installed on the host and whether there are any missing patches. If you want to configure the Severity value for missing patches as a match condition in your HIP object (Objects > GlobalProtect > HIP Objects > `<hip-object>` > Patch Management > Criteria) |
| Firewall | Information about any firewalls that are installed and/or enabled on the host. |
| Anti-Malware | Information about any antivirus or anti-spyware software that is enabled and/or installed on the endpoint, whether or not real-time protection is enabled, the virus definition version, last scan time, and the vendor and product name. GlobalProtect uses OPSWAT technology to detect and assess third-party security applications on the endpoint. By integrating with the OPSWAT OESIS framework, GlobalProtect enables you to assess the compliance state of the endpoint. For example, you can define HIP objects and HIP profiles that verify the presence of a specific version of antivirus software from a specific vendor on the endpoint and also ensure that it has the latest virus definition files. OPSWAT is unable to detect the following Anti-Malware information for the Gatekeeper security feature on macOS endpoints: |
| Disk Backup | Information about whether disk backup software is installed, the last backup time, and the vendor and product name of the software. |
| Disk Encryption | Information about whether disk encryption software is installed, which drives and/or paths are configured for encryption, and the vendor and product name of the software. |
| Data Loss Prevention | Information about whether data loss prevention (DLP) software is installed and/or enabled to prevent sensitive corporate information from leaving the corporate network or from being stored on a potentially insecure device. This information is only collected from Windows endpoints. |
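To make the matching described in the custom-checks paragraph and in the table concrete, here is an added example (not GlobalProtect code, and not the real HIP report or HIP object format, which this page does not show). It evaluates a HIP-object-like set of criteria against a constructed host report: anti-malware vendor, minimum version, real-time protection and definition age; encrypted paths; missing-patch severity; and the custom registry-value and running-service checks. Every field name, the `SAMPLE_REPORT` structure, the vendor and product names, and the patch identifier are hypothetical. A category that is absent from the report (as when it has been excluded from collection) is reported as "not collected" rather than silently passing.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample host report, shaped after the categories in the table.
# Hypothetical structure for demonstration only; not the real HIP report format.
SAMPLE_REPORT = {
    "general": {"hostname": "lab-win-01", "os": "Windows 10", "domain": "corp.example"},
    "anti_malware": [
        {
            "vendor": "ExampleAV", "product": "ExampleAV Endpoint", "version": "12.3.1",
            "realtime": True,
            "definition_time": "2024-05-20T08:00:00",   # constructed timestamp
            "last_scan": "2024-05-19T22:00:00",
        }
    ],
    "disk_encryption": [
        {"vendor": "Microsoft", "product": "BitLocker", "encrypted_paths": ["C:\\"]}
    ],
    "patch_management": {
        "installed": True,
        # Placeholder patch identifier, not a real KB number.
        "missing_patches": [{"id": "KB-PLACEHOLDER-001", "severity": "critical"}],
    },
    # Custom checks: a registry value (Windows) and a service state, as in the text.
    "custom": {
        "registry": {r"HKLM\SOFTWARE\ExampleCorp\Agent\Installed": "1"},
        "services": {"ExampleEDR": "running"},
    },
}

SEVERITY_ORDER = ["low", "medium", "high", "critical"]


@dataclass
class HipObject:
    """A HIP-object-like set of match criteria (hypothetical field names)."""
    name: str
    av_vendor: str | None = None                 # required anti-malware vendor
    av_min_version: str | None = None            # minimum product version
    av_realtime: bool = False                    # require real-time protection on
    av_max_definition_age_days: int | None = None
    encrypted_paths: list[str] = field(default_factory=list)
    block_patch_severity: str | None = None      # fail if a missing patch is at/above this
    registry_values: dict[str, str] = field(default_factory=dict)
    running_services: list[str] = field(default_factory=list)


def version_tuple(v: str) -> tuple[int, ...]:
    """Compare dotted versions numerically, so '12.10.0' > '12.3.1'."""
    return tuple(int(p) for p in v.split("."))


def _av_failures(p: dict, obj: HipObject, now: datetime) -> list[str]:
    """Criteria one anti-malware product fails to meet."""
    out: list[str] = []
    if obj.av_min_version and version_tuple(p["version"]) < version_tuple(obj.av_min_version):
        out.append(f"anti-malware: {p['product']} {p['version']} is below {obj.av_min_version}")
    if obj.av_realtime and not p.get("realtime"):
        out.append(f"anti-malware: real-time protection off for {p['product']}")
    if obj.av_max_definition_age_days is not None:
        age = now - datetime.fromisoformat(p["definition_time"])
        if age > timedelta(days=obj.av_max_definition_age_days):
            out.append(f"anti-malware: definitions for {p['product']} are {age.days} days old")
    return out


def evaluate(obj: HipObject, report: dict, now: datetime) -> list[str]:
    """Return the failed criteria; an empty list means the host matches the HIP object."""
    failures: list[str] = []

    wants_av = any([obj.av_vendor, obj.av_min_version, obj.av_realtime,
                    obj.av_max_definition_age_days is not None])
    if wants_av:
        products = report.get("anti_malware")
        if products is None:
            failures.append("anti-malware: category not collected")
        else:
            candidates = [p for p in products if not obj.av_vendor or p["vendor"] == obj.av_vendor]
            if not candidates:
                failures.append(f"anti-malware: no product from vendor {obj.av_vendor!r}")
            else:
                # Match if at least one product from the vendor satisfies every criterion.
                per_product = [_av_failures(p, obj, now) for p in candidates]
                if all(per_product):
                    failures.extend(min(per_product, key=len))

    if obj.encrypted_paths:
        volumes = report.get("disk_encryption")
        if volumes is None:
            failures.append("disk-encryption: category not collected")
        else:
            covered = {path for v in volumes for path in v["encrypted_paths"]}
            failures.extend(f"disk-encryption: {p} not encrypted"
                            for p in obj.encrypted_paths if p not in covered)

    if obj.block_patch_severity:
        pm = report.get("patch_management")
        if pm is None:
            failures.append("patch-management: category not collected")
        else:
            threshold = SEVERITY_ORDER.index(obj.block_patch_severity)
            for patch in pm.get("missing_patches", []):
                if SEVERITY_ORDER.index(patch["severity"]) >= threshold:
                    failures.append(f"patch-management: missing {patch['id']} ({patch['severity']})")

    custom = report.get("custom", {})
    for key, want in obj.registry_values.items():
        got = custom.get("registry", {}).get(key)
        if got != want:
            failures.append(f"registry: {key} = {got!r}, expected {want!r}")
    for svc in obj.running_services:
        if custom.get("services", {}).get(svc) != "running":
            failures.append(f"service: {svc} not running")
    return failures


if __name__ == "__main__":
    now = datetime(2024, 5, 21, 12, 0, 0)   # constructed evaluation time
    baseline = HipObject("baseline", av_vendor="ExampleAV", av_min_version="12.0.0",
                         av_realtime=True, av_max_definition_age_days=3,
                         encrypted_paths=["C:\\"], running_services=["ExampleEDR"])
    for f in evaluate(baseline, SAMPLE_REPORT, now) or ["host matches baseline"]:
        print(f)
```

The `all(per_product)` test treats the vendor criterion the way the text describes it: one qualifying product from the named vendor is enough, and the report of failures comes from the closest candidate. Because excluded categories surface as explicit "not collected" failures, a portal configuration that drops Disk Encryption from collection cannot accidentally satisfy an encryption requirement.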
You can exclude certain categories of information from being
collected on certain hosts to save CPU cycles and improve response
time. To do this, create an agent configuration on the portal, and
then exclude the categories you are not interested in (Network > GlobalProtect > Portals > `<portal-config>` > Agent > `<agent-config>` > Data Collection). For example,
if you do not plan on creating policies based on whether or not
endpoints run disk backup software, you can exclude that category
to prevent the app from collecting any information about disk backup.
You can also exclude information from being collected on personal
endpoints in order to protect user privacy. For example, you can
exclude the list of apps installed on endpoints that are not managed
by a third-party mobile device manager.