Policy Object: HIP Objects
HIP objects provide the matching criteria for filtering the raw data reported by an app that you want to use to enforce policy.
Where Can I Use This?
  • NGFW (Cloud Managed)
  • NGFW (PAN-OS & Panorama Managed)
  • Prisma Access (Cloud Management)
  • Prisma Access (Panorama Managed)
What Do I Need?
  Check for any license or role requirements for the products you're using.
HIP Objects are used to define objects for a host information profile (HIP). HIP objects provide the matching criteria for filtering the raw data reported by an app that you want to use to enforce policy. For example, if the raw host data includes information about several antivirus packages on an endpoint, you might be interested in a particular application because your organization requires that package. For this scenario, you create a HIP object to match the specific application you want to enforce.
The best way to decide which HIP objects you need is to determine how you will use the host information to enforce policy. Keep in mind that HIP objects are merely building blocks that allow you to create the HIP profiles that your Security policies can use. Therefore, you may want to keep your objects simple, matching on one thing, such as the presence of a particular type of required software, membership in a specific domain, or the presence of a specific endpoint OS. With this approach, you have the flexibility to create a very granular, HIP-augmented policy.

Add a HIP Object

Cloud Managed

Define objects for a host information profile (HIP).
Select Manage > Configuration > NGFW and Prisma Access > Objects > HIP > HIP Objects to define objects for a host information profile (HIP). HIP objects provide the matching criteria for filtering the raw data reported by an app that you want to use to enforce policy. For example, if the raw host data includes information about several antivirus packages on an endpoint, you might be interested in a particular application because your organization requires that package. For this scenario, you create a HIP object to match the specific application you want to enforce.
The best way to decide which HIP objects you need is to determine how you will use the host information to enforce policy. Keep in mind that HIP objects are merely building blocks that allow you to create the HIP Profiles that your security rules can use. Therefore, you may want to keep your objects simple, matching on one thing, such as the presence of a particular type of required software, membership in a specific domain, or the presence of a specific endpoint OS. With this approach, you have the flexibility to create a very granular, HIP-augmented policy.
To create a HIP object, select Add HIP Object to open the HIP object dialog. For a description of what to enter in a specific field, see the tables that follow.
For more detailed information on creating HIP-augmented security rules, refer to Configure HIP-Based Policy Enforcement in the GlobalProtect Administrator’s Guide.

Create a HIP Profile

A HIP Profile is a collection of HIP objects that are evaluated together, either for monitoring or for Security policy enforcement, and that you use to set up HIP-enabled security rules. When creating HIP Profiles, you can combine the HIP objects you previously created (as well as other HIP Profiles) using Boolean logic, so that when a traffic flow is evaluated against the resulting HIP Profile, it either matches or does not match. Upon a match, the corresponding security rule is enforced; if there is no match, the flow is evaluated against the next rule (as with any other policy matching criteria).
  1. Go to Manage > Configuration > NGFW and Prisma Access > Objects > HIP > HIP Profiles.
  2. Add HIP Profile.
  3. Configure the settings in this table:
    HIP Profile Settings
    Name
      Enter a name for the profile (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
    Description
      (Optional) Enter a description.
    Match
      Click Add Match Criteria to open the HIP Objects/Profiles Builder.
      Select the first HIP object or profile you want to use as match criteria and then add it to the Match text box on the HIP Objects/Profiles Builder dialog. Keep in mind that if you want the HIP Profile to evaluate the object as a match only when the criteria in the object are not true for a flow, select NOT before adding the object.
      Continue adding match criteria as appropriate for the profile you're building, and ensure you select the appropriate Boolean operator (AND or OR) between each addition (and use the NOT operator where appropriate).
      To create a complex Boolean expression, you must manually add the parentheses in the proper places in the Match text box to ensure that the HIP Profile is evaluated using the intended logic. For example, the following expression indicates that the HIP Profile will match traffic from a host that has either FileVault disk encryption (Mac OS systems) or TrueCrypt disk encryption (Windows systems) and also belongs to the required Domain and has a Symantec antivirus client installed:
      ((“MacOS” and “FileVault”) or (“Windows” and “TrueCrypt”)) and “Domain” and “SymantecAV”
      When you have finished adding the objects and profiles to the new HIP Profile, click OK.
  4. Save your configuration.
  5. Select Push Config to save your configuration and deploy it to your network.

PAN-OS & Panorama

Define objects for a host information profile (HIP).
Select Objects > GlobalProtect > HIP Objects to define objects for a host information profile (HIP). HIP objects provide the matching criteria for filtering the raw data reported by an app that you want to use to enforce policy. For example, if the raw host data includes information about several antivirus packages on an endpoint, you might be interested in a particular application because your organization requires that package. For this scenario, you create a HIP object to match the specific application you want to enforce.
The best way to decide which HIP objects you need is to determine how you will use the host information to enforce policy. Keep in mind that HIP objects are merely building blocks that allow you to create the HIP Profiles that your security rules can use. Therefore, you may want to keep your objects simple, matching on one thing, such as the presence of a particular type of required software, membership in a specific domain, or the presence of a specific endpoint OS. With this approach, you have the flexibility to create a very granular, HIP-augmented policy.
To create a HIP object, select Add to open the HIP object dialog. For a description of what to enter in a specific field, see the tables that follow.
For more detailed information on creating HIP-augmented security rules, refer to Configure HIP-Based Policy Enforcement in the GlobalProtect Administrator’s Guide.

Create a HIP Profile

A HIP Profile is a collection of HIP objects that are evaluated together, either for monitoring or for Security policy enforcement, and that you use to set up HIP-enabled security rules. When creating HIP Profiles, you can combine the HIP objects you previously created (as well as other HIP Profiles) using Boolean logic, so that when a traffic flow is evaluated against the resulting HIP Profile, it either matches or does not match. Upon a match, the corresponding security rule is enforced; if there is no match, the flow is evaluated against the next rule (as with any other policy matching criteria).
  1. Go to Objects > GlobalProtect > HIP Profiles.
  2. Add a new HIP Profile.
  3. Configure the settings in this table:
    HIP Profile Settings
    Name
      Enter a name for the profile (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
    Description
      (Optional) Enter a description.
    Shared
      Select Shared to make the current HIP Profile available to:
      • Every virtual system (vsys), if you are logged in to multiple virtual system mode. If you clear this selection, the profile is available only to the vsys selected in the Virtual System drop-down on the Objects tab. For a non-multi-vsys mode, this option does not appear in the HIP Profile dialog.
      • All device groups on Panorama. If you clear this selection, the profile is available only to the device group selected in the Device Group drop-down on the Objects tab.
      After you save the profile, you can't change its Shared setting. Select Objects > GlobalProtect > HIP Profiles to view the current Location.
    Disable override (Panorama only)
      Controls override access to the HIP Profile in device groups that are descendants of the Device Group selected in the Objects tab. Select this option if you want to prevent administrators from creating local copies of the profile in descendant device groups by overriding its inherited values. This option is cleared by default (override is enabled).
    Match
      Click Add Match Criteria to open the HIP Objects/Profiles Builder.
      Select the first HIP object or profile you want to use as match criteria and then add it to the Match text box on the HIP Objects/Profiles Builder dialog. Keep in mind that if you want the HIP Profile to evaluate the object as a match only when the criteria in the object are not true for a flow, select NOT before adding the object.
      Continue adding match criteria as appropriate for the profile you're building, and ensure you select the appropriate Boolean operator (AND or OR) between each addition (and use the NOT operator where appropriate).
      To create a complex Boolean expression, you must manually add the parentheses in the proper places in the Match text box to ensure that the HIP Profile is evaluated using the intended logic. For example, the following expression indicates that the HIP Profile will match traffic from a host that has either FileVault disk encryption (Mac OS systems) or TrueCrypt disk encryption (Windows systems) and also belongs to the required Domain and has a Symantec antivirus client installed:
      ((“MacOS” and “FileVault”) or (“Windows” and “TrueCrypt”)) and “Domain” and “SymantecAV”
      When you have finished adding the objects and profiles to the new HIP Profile, select OK.
  4. Commit the configuration.
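The Match expression in the Create a HIP Profile steps above (the same expression appears in both the Cloud Managed and the PAN-OS & Panorama procedures) combines single-purpose HIP objects with AND, OR and NOT, and the text warns that parentheses must be placed by hand. The following Python evaluator is an added example, not code from this page or from Palo Alto Networks. It models a few HIP objects as single-criterion checks over constructed host data, parses a match expression written in the page's syntax, and shows that dropping the outer parentheses from the documented expression changes which hosts match. The host data fields (os, disk_encryption, domain, antivirus), the host names, and the rule that AND binds tighter than OR are assumptions made for this example; the firewall's own builder may resolve an unparenthesised expression differently, which is exactly why the page tells you to add the parentheses explicitly.

```python
import re
from typing import Callable, Dict, List, Tuple

# Constructed sample "raw host data", loosely modelled on what a GlobalProtect
# app might report. Field names and values are assumptions, not the real HIP schema.
def make_host(os_name: str, encryption: List[str], domain: str, antivirus: List[str]) -> dict:
    return {"os": os_name, "disk_encryption": encryption, "domain": domain, "antivirus": antivirus}

SAMPLE_HOSTS: Dict[str, dict] = {
    "mac-laptop": make_host("MacOS", ["FileVault"], "corp.example", ["SymantecAV"]),
    "mac-no-domain": make_host("MacOS", ["FileVault"], "", ["SymantecAV"]),
    "win-no-domain": make_host("Windows", ["TrueCrypt"], "", ["SymantecAV"]),
    "win-no-encryption": make_host("Windows", [], "corp.example", ["SymantecAV"]),
}

# HIP objects as the page recommends: each one matches on exactly one thing.
HIP_OBJECTS: Dict[str, Callable[[dict], bool]] = {
    "MacOS": lambda h: h["os"] == "MacOS",
    "Windows": lambda h: h["os"] == "Windows",
    "FileVault": lambda h: "FileVault" in h["disk_encryption"],
    "TrueCrypt": lambda h: "TrueCrypt" in h["disk_encryption"],
    "Domain": lambda h: h["domain"] == "corp.example",
    "SymantecAV": lambda h: "SymantecAV" in h["antivirus"],
}

# The expression from the page, and the same expression with the outer
# parentheses left out (the mistake the page warns about).
WITH_PARENS = '(("MacOS" and "FileVault") or ("Windows" and "TrueCrypt")) and "Domain" and "SymantecAV"'
WITHOUT_PARENS = '("MacOS" and "FileVault") or ("Windows" and "TrueCrypt") and "Domain" and "SymantecAV"'

_TOKEN = re.compile(r'\(|\)|"[^"]*"|and\b|or\b|not\b', re.IGNORECASE)

def tokenize(expr: str) -> List[str]:
    """Split a match expression into parentheses, quoted object names and keywords."""
    expr = expr.replace("\u201c", '"').replace("\u201d", '"')  # accept curly quotes as printed on the page
    tokens, pos = [], 0
    while pos < len(expr):
        if expr[pos].isspace():
            pos += 1
            continue
        m = _TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"unexpected text at {expr[pos:pos + 12]!r}")
        tok = m.group(0)
        tokens.append(tok.lower() if tok.lower() in ("and", "or", "not") else tok)
        pos = m.end()
    return tokens

Node = Tuple  # ("obj", name) | ("not", node) | ("and" | "or", left, right)

class _Parser:
    """Recursive-descent parser. Precedence assumed for this example: NOT > AND > OR."""
    def __init__(self, tokens: List[str]) -> None:
        self.toks, self.i = tokens, 0

    def _peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def _take(self):
        tok = self._peek()
        self.i += 1
        return tok

    def parse(self) -> Node:
        node = self._or()
        if self._peek() is not None:
            raise ValueError(f"unexpected token {self._peek()!r}")
        return node

    def _or(self) -> Node:
        node = self._and()
        while self._peek() == "or":
            self._take()
            node = ("or", node, self._and())
        return node

    def _and(self) -> Node:
        node = self._not()
        while self._peek() == "and":
            self._take()
            node = ("and", node, self._not())
        return node

    def _not(self) -> Node:
        if self._peek() == "not":
            self._take()
            return ("not", self._not())
        return self._atom()

    def _atom(self) -> Node:
        tok = self._take()
        if tok == "(":
            node = self._or()
            if self._take() != ")":
                raise ValueError("missing closing parenthesis")
            return node
        if tok is not None and tok.startswith('"'):
            return ("obj", tok[1:-1])
        raise ValueError(f"expected a HIP object or '(' but found {tok!r}")

def evaluate(node: Node, host: dict) -> bool:
    """Evaluate a parsed match expression against one host's reported data."""
    kind = node[0]
    if kind == "obj":
        if node[1] not in HIP_OBJECTS:
            raise ValueError(f"unknown HIP object {node[1]!r}")
        return HIP_OBJECTS[node[1]](host)
    if kind == "not":
        return not evaluate(node[1], host)
    left, right = evaluate(node[1], host), evaluate(node[2], host)
    return (left and right) if kind == "and" else (left or right)

def profile_matches(expr: str, host: dict) -> bool:
    return evaluate(_Parser(tokenize(expr)).parse(), host)

def matching_hosts(expr: str) -> List[str]:
    """Names of the sample hosts a HIP Profile with this match expression would match."""
    return sorted(name for name, host in SAMPLE_HOSTS.items() if profile_matches(expr, host))

if __name__ == "__main__":
    print("with parentheses:   ", matching_hosts(WITH_PARENS))     # ['mac-laptop']
    print("without parentheses:", matching_hosts(WITHOUT_PARENS))  # ['mac-laptop', 'mac-no-domain']
```

Running the file shows the practical consequence: with the parentheses as documented, only the fully compliant mac-laptop matches; without the outer pair, the AND-before-OR precedence makes the Domain and SymantecAV conditions apply only to the Windows branch, so a Mac that is not joined to the domain also matches and would be granted whatever the HIP-enabled rule allows. Unbalanced parentheses are rejected with a ValueError rather than silently evaluated.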
