Collect Application and Process Data From Endpoints

The Windows Registry and macOS plist can be used to configure and store settings for Windows and Mac operating systems, respectively. You can create a custom check that allows you to determine whether an application is installed (has a corresponding registry or plist key) or is running (has a corresponding running process) on a Windows or macOS endpoint. Enabling custom checks instructs the GlobalProtect app to collect specific registry information (Registry Keys and Registry Key Values from Windows endpoints) or preference list (plist) information (plist and plist keys from macOS endpoints). The data that you define to be collected in a custom check is included in the raw host information data collected by the GlobalProtect app and then submitted to the GlobalProtect gateway when the app connects.
To monitor the data collected with custom checks, you can create a HIP object. You can then add the HIP object to a HIP profile to use the collected data to match to endpoint traffic and enforce security rules. The gateway uses the HIP object (which matches to the data defined in the custom check) to filter the raw host information submitted by the app. When the gateway matches the endpoint data to a HIP object, a HIP Match log entry is generated for the data. The HIP profile also allows the gateway to match the collected data to a security rule. If the HIP profile is used as criteria for a security policy rule, the gateway enforces that security rule on the matching traffic.
Use the following steps to enable custom checks to collect data from Windows and macOS endpoints. This workflow also includes optional steps to create a HIP object and HIP profile for a custom check, which allows you to use endpoint data as matching criteria for security policies to monitor, identify, and act on traffic.
For more information on defining app settings directly from the Windows Registry or the global macOS plist, see Deploy App Settings Transparently.
  1. Enable the GlobalProtect app to collect Windows Registry information from Windows endpoints or plist information from macOS endpoints. The type of information collected can include whether or not an application is installed on the endpoint, or specific attributes or properties of that application.
    Collect data from a Windows endpoint:
    1. Select Network > GlobalProtect > Portals, and then select an existing portal configuration or Add a new one.
    2. On the Agent tab, select the agent configuration that you want to modify or Add a new one.
    3. On the Data Collection tab, verify that Collect HIP Data is enabled.
    4. Select Custom Checks > Windows, and then Add the Registry Key that you want to collect information about. If you want to restrict data collection to a value contained within that Registry Key, add the corresponding Registry Value.
    Collect data from a macOS endpoint:
    1. Select Network > GlobalProtect > Portals, and then select an existing portal configuration or Add a new one.
    2. On the Agent tab, select the agent configuration that you want to modify or Add a new one.
    3. On the Data Collection tab, verify that Collect HIP Data is enabled.
    4. Select Custom Checks > Mac, and then Add the Plist that you want to collect information about and the corresponding plist Key to determine if the application is installed.
      For example, Add the Plist com.apple.screensaver and the Key askForPassword to collect information on whether a password is required to wake the macOS endpoint after the screen saver begins.
      Confirm that the Plist and Key are added to the Mac custom checks.
  2. (Optional) Check if a specific process is running on the endpoint.
    1. Select Custom Checks > Windows or Mac (Network > GlobalProtect > Portals > <portal-config> > Agent > <agent-config> > Data Collection).
    2. Add the name of the process that you want to collect information about to the Process List.
  3. Save the custom check.
    Click OK and Commit the changes.
  4. Verify that the GlobalProtect app is collecting the data defined in the custom check from the endpoint.
    For Windows endpoints:
    1. Launch the GlobalProtect app for Windows endpoints by clicking the system tray icon. The GlobalProtect status panel opens.
    2. Click the settings icon to open the settings menu.
    3. Select Settings to open the GlobalProtect Settings panel.
    4. Select the Host Profile tab to view the information that the GlobalProtect app is collecting from the endpoint. Verify that the custom-checks drop-down displays the data that you defined for collection.
    For macOS endpoints:
    1. Launch the GlobalProtect app for macOS endpoints by clicking the system tray icon. The GlobalProtect status panel opens.
    2. Click the settings icon to open the settings menu.
    3. Select Settings to open the GlobalProtect Settings panel.
    4. Select the Host Profile tab to view the information that the GlobalProtect app is collecting from the endpoint. Verify that the custom-checks drop-down displays the data you defined for collection.
  5. (Optional) Create a HIP Object to match to a Registry Key (Windows) or plist (macOS), which allows you to filter the raw host information collected from the GlobalProtect app to monitor the data for the custom check.
    With a HIP object defined for the custom check data, the gateway matches the raw data submitted from the app to the HIP object, and a HIP Match log entry is generated for the data (Monitor > HIP Match).
    For Windows and macOS endpoints:
    1. Select Objects > GlobalProtect > HIP Objects, and then Add a HIP Object.
    2. On the Custom Checks tab, select the check box to enable Custom Checks.
    For Windows endpoints only:
    1. To check Windows endpoints for a specific registry key, select Custom Checks > Registry Key, and then Add the registry key to match. When prompted, enter the Registry Key and then configure one of the following options:
      • To match on the default value data for the registry key, enter the (Default) Value Data.
      • To match endpoints that do not have the specified registry key, select Key does not exist or match the specified value data.
      Do not configure both the (Default) Value Data and Key does not exist or match the specified value data options simultaneously.
    2. To match on specific values within the registry key, select Custom Checks > Registry Key, and then Add the registry key to match. When prompted, enter the Registry Key. Click Add and then configure one of the following options:
      • To match on specific values within the registry key, enter the Registry Value and corresponding Value Data.
      • To match endpoints that do not have a specified registry value, enter the Registry Value and then select the Negate check box.
        To use this option, do not enter any Value Data for your Registry Key.
      If you add more than one registry value to your registry key, the GlobalProtect gateway checks endpoints for all specified registry values.
    3. Click OK to save the HIP object. You can Commit the changes to view the data in the HIP Match logs at the next device check-in or continue to step 6.
    For macOS endpoints only:
    1. Select Custom Checks > Plist (Objects > GlobalProtect > HIP Objects > <hip-object>), and then Add the plist for which you want to check macOS endpoints. Enter the name of the Plist. If you want to match macOS endpoints that do not have the specified plist, enable the Plist does not exist option.
    2. (Optional) To match traffic to a specific key-value pair within a plist, select a plist from Custom Checks > Plist (Objects > GlobalProtect > HIP Objects > <hip-object>), and then Add a Key and corresponding Value to match. Alternatively, if you want to identify endpoints that do not have a specific key and value, you can select Negate after you add the Key and Value.
    3. Click OK to save the HIP object. You can Commit the changes to view the data in the HIP Match logs at the next device check-in or continue to step 6.
  6. (Optional) Create a HIP profile to allow the HIP object to be evaluated against traffic.
    The HIP profile can be added to a security policy as an additional check for traffic matching that policy. When the traffic is matched to the HIP profile, the security policy rule is enforced on the traffic.
    For more details on creating HIP profiles, see Configure HIP-Based Policy Enforcement.
    1. Select Objects > GlobalProtect > HIP Profiles.
    2. Select an existing HIP profile or Add a new one.
    3. Click Add Match Criteria to open the HIP Objects/Profile Builder.
    4. Select the HIP object that you want to use as match criteria, and then click the add icon to move it to the Match area of the HIP Profile.
    5. After you add the objects to the new HIP profile, click OK, and then Commit the changes.
  7. Add the HIP profile to a security policy so the data collected with the custom check can be used to match to and act on traffic.
    Select Policies > Security, and then select an existing security policy or Add a new one. On the User tab, Add the HIP Profiles to the policy. For more details on security policy components and using security policies to match to and act on traffic, see Security Policy.
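
A simplified model of the macOS flow in steps 1 and 5, added here as an example; it is not GlobalProtect code and does not reproduce its report format. It shows how a custom check limits collection to the named plist key, and how the Value, Negate and Plist does not exist options change the match result. The function names, the `com.example.absent` domain, the `idleTime` key, the string comparison and the treatment of Negate on a missing plist are assumptions.

```python
import plistlib

# Constructed sample: preference domains present on a test Mac, as plist bytes.
SAMPLE_PLISTS = {
    "com.apple.screensaver": plistlib.dumps({"askForPassword": 1, "idleTime": 300}),
}

def collect_custom_checks(plists, checks):
    """Hypothetical collector: return only the plist keys named in the custom check."""
    collected = {}
    for plist_name, keys in checks.items():
        raw = plists.get(plist_name)
        if raw is None:
            collected[plist_name] = None  # plist is not on the endpoint
            continue
        data = plistlib.loads(raw)
        # Assumption: values are compared as strings in this model.
        collected[plist_name] = {k: str(data[k]) for k in keys if k in data}
    return collected

def hip_object_matches(collected, plist_name, key=None, value=None,
                       negate=False, plist_does_not_exist=False):
    """Hypothetical matcher mirroring the Plist options described in step 5."""
    entry = collected.get(plist_name)
    if plist_does_not_exist:
        return entry is None          # match endpoints lacking the plist
    if key is None:
        return entry is not None      # plist-only check
    hit = entry is not None and entry.get(key) == value
    return hit != negate              # Negate inverts the key/value result

def demo():
    checks = {
        "com.apple.screensaver": ["askForPassword"],
        "com.example.absent": ["enabled"],  # constructed domain, not installed
    }
    collected = collect_custom_checks(SAMPLE_PLISTS, checks)
    no_lock = hip_object_matches(collected, "com.apple.screensaver",
                                 "askForPassword", "1", negate=True)
    return collected, no_lock

if __name__ == "__main__":
    print(demo())
```

A HIP object built with Negate on `askForPassword` = `1` is the one to pair with a restrictive rule, since it matches endpoints where the screen saver password is not required.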
