Policy Object: HIP Profiles

Network Security

Policy Object: HIP Profiles

Table of Contents

Policy Object: HIP Profiles

Where Can I Use This?
What Do I Need?
  • NGFW (Cloud Managed)
  • NGFW (PAN-OS & Panorama Managed)
  • Prisma Access (Cloud Management)
  • Prisma Access (Panorama Managed)
Check for any license or role requirements for the products you're using:
  • Prisma Access
    license or AIOps for NGFW license
HIP profile is a collection of HIP objects to be evaluated together either for monitoring or for Security policy enforcement that you use to set up HIP-enabled security policies. When creating HIP profiles, you can combine the HIP objects you previously created (as well as other HIP profiles) by using Boolean logic, so that when a traffic flow is evaluated against the resulting HIP profile, it will either match or not match. Upon a match, the corresponding policy rule is enforced; if there is no match, the flow is evaluated against the next rule (as with any other policy matching criteria).
To configure this and any other Object settings, go to:
  • Manage
    NGFW and
    Prisma Access
    on Cloud Managed deployments, and select the object you want to configure.
  • Objects
    on PAN-OS and Panorama Managed deployments, and select the object you want to configure from the panel on the left.

HIP Profiles Fields

The following table provides information on the fields in the HIP Profile object.
HIP Profile Settings
Enter a name for the profile (up to
characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
) Enter a description.
to make the current HIP profile available to:
  • Every virtual system (vsys), if you are logged in to multiple virtual system mode. If you clear this selection, the profile is available only to the vsys selected in the
    Virtual System
    drop-down on the
    tab. For a non multi-vsys mode, this option does not appear in the HIP Profile dialog.
  • All device groups on Panorama. If you clear this selection, the profile is available only to the device group selected in the
    Device Group
    drop-down on the
After you save the profile, you cannot change its
setting. Select
HIP Profiles
to view the current
Disable override (
Panorama only
Controls override access to the HIP profile in device groups that are descendants of the
Device Group
selected in the
tab. Select this option if you want to prevent administrators from creating local copies of the profile in descendant device groups by overriding its inherited values. This option is cleared by default (override is enabled).
Add Match Criteria
to open the HIP Objects/Profiles Builder.
Select the first HIP object or profile you want to use as match criteria and then add it to the
text box on the HIP Objects/Profiles Builder dialog. Keep in mind that if you want the HIP profile to evaluate the object as a match only when the criteria in the object is not true for a flow, select
before adding the object.
Continue adding match criteria as appropriate for the profile you are building, and ensure you select the appropriate Boolean operator (
) between each addition (and using the
operator when appropriate).
To create a complex Boolean expression, you must manually add the parenthesis in the proper places in the
text box to ensure that the HIP profile is evaluated using the intended logic. For example, the following expression indicates that the HIP profile will match traffic from a host that has either FileVault disk encryption (
Mac OS systems
) or TrueCrypt disk encryption (
Windows systems
) and also belongs to the required Domain and has a Symantec antivirus client installed:
((“MacOS” and “FileVault”) or (“Windows” and “TrueCrypt”)) and “Domain” and “SymantecAV”
When you have finished adding the objects and profiles to the new HIP profile, click

Recommended For You