End-of-Life (EoL)
Select Objects > GlobalProtect > HIP Objects to define objects for a host information profile (HIP). HIP objects provide the matching criteria for filtering the raw data reported by the GlobalProtect agent or app so that you can use that data to enforce policy. For example, if the raw host data includes information about several antivirus packages on a client, you might be interested in one particular package because your organization requires it. For this scenario, you create a HIP object that matches the specific package you want to enforce.
The best way to determine the HIP objects you need is to decide how you will use the host information to enforce policy. Keep in mind that HIP objects are merely building blocks for the HIP profiles that your security policies reference. Therefore, you may want to keep your objects simple, each matching on one thing, such as the presence of a particular type of required software, membership in a specific domain, or the presence of a specific client OS. With this approach, you have the flexibility to create very granular HIP-augmented policy. Also keep in mind that everything a HIP object matches on is data that the agent or app collected and reported from the endpoint itself.
To create a HIP object, click Add to open the HIP Object dialog. For a description of what to enter in a specific field, see the tables that follow.
For more detailed information on creating HIP-augmented security policies, refer to Configure HIP-Based Policy Enforcement in the GlobalProtect Administrator’s Guide.
HIP Objects General Tab
Select Objects > GlobalProtect > HIP Objects > General to specify a name for the new HIP object and configure the object to match against general host information such as domain, operating system, or type of network connectivity.
HIP Object General Setting Description
Name Enter a name for the HIP object (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Shared If you select Shared, the HIP object becomes available to:
Every virtual system (vsys) on the firewall, if you are logged in to a firewall that is in multiple virtual system mode. If you clear this selection, the object is available only to the vsys selected in the Virtual System drop-down of the Objects tab. For a firewall that is not in multi-vsys mode, this option is not available in the HIP Object dialog.
All device groups on Panorama™. If you clear this selection, the object is available only to the device group selected in the Device Group drop-down of the Objects tab.
After you save the object, you cannot change its Shared setting. Select Objects > GlobalProtect > HIP Objects to see the current Location.
Description Enter an optional description.
Disable override (Panorama only) Controls override access to the HIP object in the device groups that are descendants of the Device Group selected in the Objects tab. Select this option to prevent administrators from creating local copies of the object in descendant device groups by overriding its inherited values. This option is cleared by default (override is enabled).
Host Info Select this option to activate the options for configuring the host information.
Domain To match on a domain name, choose an operator from the drop-down and enter a string to match.
OS To match on a host OS, choose Contains from the first drop-down, select a vendor from the second drop-down, and then select an OS version from the third drop-down; or you can select All to match on any OS version from the selected vendor.
Client Versions To match on a specific version number, select an operator from the drop-down and then enter a string to match (or not match) in the text box.
Host Name To match on a specific host name or part of a host name, select an operator from the drop-down and then enter a string to match (or not match, depending on what operator you selected) in the text box.
Host ID The host ID is a unique ID that GlobalProtect assigns to identify the host. The host ID value varies by device type:
Windows—Machine GUID stored in the Windows registry (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid)
macOS—MAC address of the first built-in physical network interface
Android—Android ID
iOS—UDID
Chrome—GlobalProtect-assigned unique alphanumeric string of 32 characters
To match on a specific host ID, select the operator from the drop-down and then enter a string to match (or not match, depending on the operator you selected) in the text box.
Network Use this field to enable filtering on a specific mobile device network configuration. This match criterion applies to mobile devices only. Select an operator from the drop-down and then select the type of network connection to filter on from the second drop-down: Wifi, Mobile, Ethernet (available only for Is Not filters), or Unknown. After you select a network type, enter any additional strings to match on, if available, such as the Mobile Carrier or Wifi SSID.
HIP Objects Mobile Device Tab
Select Objects > GlobalProtect > HIP Objects > Mobile Device to enable HIP matching on data collected from mobile devices that run the GlobalProtect app.
To collect mobile device attributes and utilize them in HIP enforcement policies, GlobalProtect requires an MDM server. GlobalProtect currently supports HIP integration with the AirWatch MDM server.
HIP Object Mobile Device Setting Description
Mobile Device Select this option to enable filtering on host data collected from mobile devices that are running the GlobalProtect app and to enable the Device, Settings, and Apps tabs.
Device tab
Serial Number—To match on all or part of a device serial number, choose an operator from the drop-down and enter a string to match.
Model—To match on a particular device model, choose an operator from the drop-down and enter a string to match.
Tag—To match on a tag value defined on the GlobalProtect Mobile Security Manager, choose an operator from the first drop-down and then select a tag from the second drop-down.
Phone Number—To match on all or part of a device phone number, choose an operator from the drop-down and enter a string to match.
IMEI—To match on all or part of a device International Mobile Equipment Identity (IMEI) number, choose an operator from the drop-down and enter a string to match.
Settings tab
Passcode—Filter based on whether the device has a passcode set. To match devices that have a passcode set, select Yes. To match devices that do not have a passcode set, select No.
Device Managed—Filter based on whether the device is managed by an MDM. To match devices that are managed, select Yes. To match devices that are not managed, select No.
Rooted/Jailbroken—Filter based on whether the device has been rooted or jailbroken. To match devices that have been rooted or jailbroken, select Yes. To match devices that have not been rooted or jailbroken, select No.
Disk Encryption—Filter based on whether the device data is encrypted. To match devices that have disk encryption enabled, select Yes. To match devices that do not have disk encryption enabled, select No.
Time Since Last Check-in—Filter based on when the device last checked in with the MDM. Select an operator from the drop-down and then specify the number of days for the check-in window. For example, you could define the object to match devices that have not checked in within the last 5 days.
Apps tab
Apps—(Android devices only) Select this option to enable filtering based on the apps that are installed on the device and on whether the device has any malware-infected apps installed.
Criteria tab: Has Malware—To match devices that have malware-infected apps installed, select Yes; to match devices that do not have malware-infected apps installed, select No. If you do not want to use Has Malware as match criteria, select None.
Include tab: Package—To match devices that have specific apps installed, click Add and then enter the unique app name (in reverse DNS format; for example, com.netflix.mediaclient) in the Package field and enter the corresponding app Hash, which the GlobalProtect app calculates and submits with the device HIP report.
HIP Objects Patch Management Tab
Select Objects > GlobalProtect > HIP Objects > Patch Management to enable HIP matching on the patch status of the GlobalProtect clients.
HIP Object Patch Management Setting Description
Patch Management Select this option to enable matching on the patch management status of the host and enable the Criteria and Vendor tabs.
Criteria tab Specify the following settings:
Is Installed—Match on whether patch management software is installed on the host.
Is Enabled—Match on whether patch management software is enabled on the host. If the Is Installed selection is cleared, this field is automatically set to None and is disabled for editing.
Severity—Select from the list of logical operators to match on whether the host has missing patches of the specified severity number. GlobalProtect severity values map to the OPSWAT severity ratings as follows:
0—Low
1—Moderate
2—Important
3—Critical
Check—Match on whether the endpoint has missing patches.
Patches—Match on whether the host has specific patches. Click Add and enter the KB article IDs of the patches to check for. For example, enter 3128031 to check for the Update for Microsoft Office 2010 (KB3128031) 32-Bit Edition.
Vendor tab Define specific vendors of patch management software and products to look for on the endpoint to determine a match. Click Add and then choose a Vendor from the drop-down. Optionally, click Add to choose a specific Product. Click OK to save the settings.
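The Criteria tab above describes several settings (Is Installed, Is Enabled, Severity, Check, Patches) without saying how they combine. The following Python is an added example, not code from the PAN-OS documentation or the GlobalProtect product: it evaluates those criteria against a constructed HIP report so that the gating of Is Enabled by Is Installed and the Severity-to-OPSWAT mapping from the page can be exercised. The report layout, the operator names, the has-any/has-none/has-all values for Check, the way Check combines with the Patches list, and the KB number 9999999 are all assumptions made for this example.

```python
"""Added example (not PAN-OS or GlobalProtect code): evaluate the Patch
Management criteria of a HIP object against a constructed HIP report.
Report layout, operator names and the Check/Patches combination are
assumptions; the 0..3 severity mapping is the one given on the page."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional
import operator

# GlobalProtect severity value -> OPSWAT rating (from the page).
SEVERITY_NAMES = {0: "Low", 1: "Moderate", 2: "Important", 3: "Critical"}

# Logical operators offered for the Severity criterion (names assumed).
SEVERITY_OPS = {
    "greater-than": operator.gt, "greater-equal": operator.ge,
    "less-than": operator.lt, "less-equal": operator.le,
    "is": operator.eq, "is-not": operator.ne,
}


@dataclass
class PatchCriteria:
    is_installed: Optional[bool] = None         # None: not evaluated
    is_enabled: Optional[bool] = None           # only evaluated when is_installed is True
    severity: Optional[tuple[str, int]] = None  # e.g. ("greater-equal", 2)
    check: Optional[str] = None                 # "has-any" | "has-none" | "has-all" (assumed)
    patches: list[str] = field(default_factory=list)  # KB IDs, e.g. ["3128031"]


@dataclass
class PatchReport:
    installed: bool
    enabled: bool
    missing: dict[str, int] = field(default_factory=dict)  # KB id -> severity 0..3


def missing_patches_match(c: PatchCriteria, r: PatchReport) -> bool:
    """Severity, Check and Patches all look at the host's missing patches."""
    missing = dict(r.missing)
    if c.severity is not None:
        op, level = c.severity
        missing = {kb: s for kb, s in missing.items() if SEVERITY_OPS[op](s, level)}
    if c.patches:
        wanted = set(c.patches)              # only the KB IDs named in the object count
        present = wanted & missing.keys()
    else:
        wanted, present = set(missing), set(missing)
    if c.check == "has-any":
        return bool(present)
    if c.check == "has-none":
        return not present
    if c.check == "has-all":
        return bool(wanted) and present == wanted
    # No Check configured: Severity alone decides (assumption).
    return c.severity is None or bool(missing)


def evaluate_patch_management(c: PatchCriteria, r: PatchReport) -> bool:
    """Every configured criterion must hold: criteria inside one HIP object are AND-ed."""
    if c.is_installed is not None and r.installed != c.is_installed:
        return False
    # Per the page, Is Enabled is forced to None unless Is Installed is selected.
    if c.is_installed and c.is_enabled is not None and r.enabled != c.is_enabled:
        return False
    return missing_patches_match(c, r)


# Constructed report: a host missing one Important patch and one Low patch
# (9999999 is a made-up KB number, not a real update).
REPORT = PatchReport(installed=True, enabled=True,
                     missing={"3128031": 2, "9999999": 0})

# "patch agent enabled and nothing Important or Critical missing"
COMPLIANT = PatchCriteria(is_installed=True, is_enabled=True,
                          severity=("greater-equal", 2), check="has-none")
# "is the Office update KB3128031 from the page still missing?"
NEEDS_OFFICE_UPDATE = PatchCriteria(is_installed=True, check="has-any",
                                    patches=["3128031"])

if __name__ == "__main__":
    print("compliant:", evaluate_patch_management(COMPLIANT, REPORT))
    print("needs office update:", evaluate_patch_management(NEEDS_OFFICE_UPDATE, REPORT))
```

Because the constructed host is missing an Important (severity 2) patch, the COMPLIANT object does not match and the NEEDS_OFFICE_UPDATE object does; swap the severity operator to "less-than" and the compliance object would ignore that patch, which is the kind of off-by-one worth checking before a HIP profile built on the object goes into a security policy.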
HIP Objects Firewall Tab
Select Objects > GlobalProtect > HIP Objects > Firewall to enable HIP matching based on the firewall software status of the GlobalProtect clients.
HIP Object Firewall Settings
Select Firewall to enable matching on the firewall software status of the host:
Is Installed—Match on whether firewall software is installed on the host.
Is Enabled—Match on whether firewall software is enabled on the host. If the Is Installed selection is cleared, this field is automatically set to None and is disabled for editing.
Vendor and Product—Define specific firewall software vendors and/or products to look for on the host to determine a match. Click Add and then choose a Vendor from the drop-down. Optionally, click Add to choose a specific Product. Click OK to save the settings.
Exclude Vendor—Select this option to match hosts that do not have software from the specified vendor.
HIP Objects Antivirus Tab
Select Objects > GlobalProtect > HIP Objects > Antivirus to enable HIP matching based on the antivirus coverage on the GlobalProtect clients.
HIP Object Antivirus Settings
Select Antivirus to enable matching on the antivirus coverage on the host and then define additional matching criteria as follows:
Is Installed—Match on whether antivirus software is installed on the host.
Real Time Protection—Match on whether real-time antivirus protection is enabled on the host. If the Is Installed selection is cleared, this field is automatically set to None and is disabled for editing.
Virus Definition Version—Match when the virus definitions have been updated within a specified number of days or release versions.
Product Version—Match a specific version of the antivirus software. To specify a version, select an operator from the drop-down and then enter a string representing the product version.
Last Scan Time—Match on the time that the last antivirus scan was run. Select an operator from the drop-down and then specify a number of Days or Hours to match against.
Vendor and Product—Define specific antivirus software vendors and/or products to look for on the host to determine a match. Click Add and then choose a Vendor from the drop-down. Optionally, click Add to choose a specific Product. Click OK to save the settings.
Exclude Vendor—Select this option to match hosts that do not have software from the specified vendor.
HIP Objects Anti-Spyware Tab
Select Objects > GlobalProtect > HIP Objects > Anti-Spyware to enable HIP matching based on the anti-spyware coverage on the GlobalProtect clients.
HIP Object Anti-Spyware Settings
Select Anti-Spyware to enable matching on the anti-spyware coverage on the host and then define additional matching criteria as follows:
Is Installed—Match on whether anti-spyware software is installed on the host.
Real Time Protection—Match on whether real-time anti-spyware protection is enabled on the host. If the Is Installed selection is cleared, this field is automatically set to None and is disabled for editing.
Virus Definition Version—Select an operator from the list and then enter the versions of virus definitions to match. If the operator is Within or Not Within, specify a number of days or release versions.
Product Version—Select an operator from the list and then enter the product version to match a specific version of the anti-spyware software.
Last Scan Time—Specify whether to match based on the time that the last anti-spyware scan ran. Select an operator and then specify a number of Days or Hours to match.
Vendor and Product—Define specific anti-spyware software vendors or products to look for on the host to determine a match. Click Add and then choose a Vendor from the drop-down. Optionally, click Add to choose a specific Product. Click OK to save the settings.
Exclude Vendor—Select this option to match hosts that do not have software from the specified vendor.
HIP Objects Disk Backup Tab
Select Objects > GlobalProtect > HIP Objects > Disk Backup to enable HIP matching based on the disk backup status of the GlobalProtect clients.
HIP Object Disk Backup Settings
Select Disk Backup to enable matching on the disk backup status on the host and then define additional matching criteria as follows:
Is Installed—Match on whether disk backup software is installed on the host.
Last Backup Time—Specify whether to match based on the time that the last disk backup was run. Select an operator from the drop-down and then specify a number of Days or Hours to match against.
Vendor and Product—Define specific disk backup software vendors and products to match on the host. Click Add and then choose a Vendor from the drop-down. Optionally, click Add to choose a specific Product. Click OK to save the settings.
Exclude Vendor—Select this option to match hosts that do not have software from the specified vendor.
HIP Objects Disk Encryption Tab
Select Objects > GlobalProtect > HIP Objects > Disk Encryption to enable HIP matching based on the disk encryption status of the GlobalProtect clients.
HIP Object Disk Encryption Setting Description
Disk Encryption Select Disk Encryption to enable matching on the disk encryption status on the host.
Criteria Specify the following settings:
Is Installed—Match on whether disk encryption software is installed on the host.
Encrypted Locations—Click Add to specify the drive or path to check for disk encryption when determining a match, and for each entry specify:
Encrypted Locations—The specific location on the host to check for encryption.
State—How to match the state of the encrypted location: choose an operator from the drop-down and then select a state (full, none, partial, not-available).
Click OK to save the settings.
Vendor Define specific disk encryption software vendors and products to match on the endpoint. Click Add and then choose a Vendor from the drop-down. Optionally, click Add to choose a specific Product. Click OK to save the settings and return to the Disk Encryption tab.
HIP Objects Data Loss Prevention Tab
Select Objects > GlobalProtect > HIP Objects > Data Loss Prevention to configure HIP matching that is based on whether the GlobalProtect clients are running data loss prevention software.
HIP Object Data Loss Prevention Settings
Select Data Loss Prevention to enable matching on the data loss prevention (DLP) status on the host (Windows hosts only) and then define additional matching criteria as follows:
Is Installed—Match on whether DLP software is installed on the host.
Is Enabled—Match on whether DLP software is enabled on the host. If the Is Installed selection is cleared, this field is automatically set to None and is disabled for editing.
Vendor and Product—Define specific DLP software vendors and/or products to look for on the host to determine a match. Click Add and then choose a Vendor from the drop-down. Optionally, click Add to choose a specific Product. Click OK to save the settings.
Exclude Vendor—Select this option to match hosts that do not have software from the specified vendor.
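The Firewall, Antivirus, Anti-Spyware, Disk Backup and Data Loss Prevention tabs above all share the same pattern: an Is Installed switch that gates an enabled/real-time check, optional freshness windows (Virus Definition Version, Last Scan Time or Last Backup Time), a Product Version string operator, and a Vendor and Product list that Exclude Vendor inverts. The following Python is an added example, not code from the PAN-OS documentation or the GlobalProtect product: it evaluates one such object against a constructed HIP report so the interaction of those settings can be seen on concrete data. The report layout, the operator names (is, is-not, contains), the fixed clock, the vendor and product names, and the rule that a list of vendors matches if the host has software from any one of them are all assumptions of this example.

```python
"""Added example (not PAN-OS or GlobalProtect code): evaluate the shared
Is Installed / Is Enabled / definition age / product version / last scan /
Vendor and Product / Exclude Vendor criteria against a constructed HIP
report.  Report layout, operator names and vendor-list semantics are
assumptions of this example."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

NOW = datetime(2024, 1, 15, 12, 0)   # fixed clock so the example is reproducible


@dataclass
class ProductEntry:
    """One security product as it appears in the (constructed) HIP report."""
    vendor: str
    product: str
    version: str
    enabled: bool                                    # real-time protection / enabled
    definitions_updated: Optional[datetime] = None   # last signature update
    last_scan: Optional[datetime] = None             # last scan (or last backup)


@dataclass
class SoftwareCriteria:
    is_installed: bool = True
    is_enabled: Optional[bool] = None                    # forced to None when is_installed is False
    definitions_within_days: Optional[int] = None        # Virus Definition Version: within N days
    product_version: Optional[tuple[str, str]] = None    # (op, value), op in is / is-not / contains
    last_scan_within: Optional[tuple[int, str]] = None   # (N, "days" | "hours")
    vendors: dict[str, list[str]] = field(default_factory=dict)  # vendor -> products ([] = any)
    exclude_vendor: bool = False


def string_match(op: str, have: str, want: str) -> bool:
    """The string operators of the HIP Object dialog (names assumed)."""
    return {"is": have == want, "is-not": have != want, "contains": want in have}[op]


def within(ts: Optional[datetime], window: timedelta) -> bool:
    return ts is not None and NOW - ts <= window


def vendor_listed(c: SoftwareCriteria, e: ProductEntry) -> bool:
    """Is this product covered by one of the configured Vendor / Product rows?"""
    products = c.vendors.get(e.vendor)
    return products is not None and (not products or e.product in products)


def entry_matches(c: SoftwareCriteria, e: ProductEntry) -> bool:
    """All per-product criteria must hold for the same reported product."""
    if c.is_enabled is not None and e.enabled != c.is_enabled:
        return False
    if c.definitions_within_days is not None and not within(
            e.definitions_updated, timedelta(days=c.definitions_within_days)):
        return False
    if c.product_version is not None:
        op, want = c.product_version
        if not string_match(op, e.version, want):
            return False
    if c.last_scan_within is not None:
        n, unit = c.last_scan_within                 # unit is "days" or "hours"
        if not within(e.last_scan, timedelta(**{unit: n})):
            return False
    return True


def evaluate_software(c: SoftwareCriteria, reported: list[ProductEntry]) -> bool:
    """Criteria inside one HIP object are AND-ed; the host matches if some product satisfies them."""
    if not c.is_installed:
        # Is Installed cleared: match hosts with nothing installed.  The page notes
        # the enabled / Real Time Protection field is forced to None here, so it is ignored.
        return not reported
    if c.exclude_vendor:
        # Exclude Vendor: no reported product may come from the listed vendors.
        if any(vendor_listed(c, e) for e in reported):
            return False
        candidates = reported
    else:
        candidates = [e for e in reported if not c.vendors or vendor_listed(c, e)]
    return any(entry_matches(c, e) for e in candidates)


# Constructed HIP report from one endpoint (vendor and product names are made up).
REPORT = [
    ProductEntry(vendor="ExampleAV Inc.", product="ExampleAV Endpoint", version="12.4.1",
                 enabled=True, definitions_updated=NOW - timedelta(days=2),
                 last_scan=NOW - timedelta(hours=30)),
]

# Real-time protection on, definitions under 3 days old, scanned within 1 day:
# fails on this host only because the last scan is 30 hours old.
AV_HEALTHY = SoftwareCriteria(is_enabled=True, definitions_within_days=3,
                              last_scan_within=(1, "days"))
AV_HEALTHY_48H = SoftwareCriteria(is_enabled=True, definitions_within_days=3,
                                  last_scan_within=(48, "hours"))
HAS_EXAMPLEAV = SoftwareCriteria(vendors={"ExampleAV Inc.": []})
NOT_EXAMPLEAV = SoftwareCriteria(vendors={"ExampleAV Inc.": []}, exclude_vendor=True)
NO_AV = SoftwareCriteria(is_installed=False)          # "nothing installed at all"

if __name__ == "__main__":
    for name, crit in [("AV_HEALTHY", AV_HEALTHY), ("AV_HEALTHY_48H", AV_HEALTHY_48H),
                       ("HAS_EXAMPLEAV", HAS_EXAMPLEAV), ("NOT_EXAMPLEAV", NOT_EXAMPLEAV),
                       ("NO_AV", NO_AV)]:
        print(f"{name}: {evaluate_software(crit, REPORT)}")
```

Note that the Days/Hours choice for Last Scan Time decides the outcome for this host (30 hours fails a 1-day window but passes a 48-hour one), and that an Exclude Vendor object built from the same vendor list is the logical complement of the plain vendor object, which is usually what you want when one HIP profile has to cover both "approved product present" and "competing product absent".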
HIP Objects Custom Checks Tab
Select Objects > GlobalProtect > HIP Objects > Custom Checks to enable HIP matching on any custom checks you have defined on the GlobalProtect portal. For details on adding the custom checks to the HIP collection, see Network > GlobalProtect > Portals.
HIP Object Custom Checks Setting Description
Custom Checks Select Custom Checks to enable matching on custom checks you defined on the GlobalProtect portal.
Process List To check the host system for a specific process, click Add and then enter the process name. By default, the agent checks for running processes; if you want to see if a specific process is not running, clear the Running selection. Processes can be operating system level processes or user-space application processes.
Registry Key To check Windows hosts for a specific registry key, click Add and enter the Registry Key to match. To match only hosts that lack the specified registry key or whose key does not hold the specified value data, select Key does not exist or match the specified value data. To match on specific values, click Add and then enter the Registry Value and Value Data. To match hosts that explicitly do not have the specified value or value data, select Negate. Click OK to save the settings.
Plist To check macOS hosts for a specific entry in a property list (plist), click Add and enter the Plist name. To match only hosts that do not have the specified plist, select Plist does not exist. To match on a specific key-value pair within the plist, click Add and then enter the Key and the corresponding Value to match. To match hosts that explicitly do not have the specified key or value, select Negate. Click OK to save the settings.
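The Process List, Registry Key and Plist rows above each carry an inversion option (cleared Running, Key does not exist or match the specified value data, Plist does not exist) plus a per-value Negate, and it is easy to configure the wrong combination. The following Python is an added example, not code from the PAN-OS documentation or the GlobalProtect agent: it evaluates those three custom checks against a constructed snapshot of a Windows host and a macOS host so the combinations can be tried. The snapshot layout, every path, process and plist name, and the reading that the key-level option inverts the whole key check while Negate inverts only its own value row are assumptions of this example.

```python
"""Added example (not PAN-OS or GlobalProtect code): evaluate Custom Checks
(Process List, Registry Key, Plist) against a constructed host snapshot.
Snapshot layout, names and the composition of the 'does not exist or match'
and Negate options are this example's assumptions."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional, Sequence


@dataclass
class ValueCheck:
    """One Registry Value / Value Data (or plist Key / Value) row."""
    name: str
    data: Optional[str] = None   # None: only the value's existence matters
    negate: bool = False         # Negate: match hosts that do NOT have this value / data


@dataclass
class KeyCheck:
    """A Registry Key (Windows) or Plist (macOS) entry of a HIP object."""
    path: str
    values: list[ValueCheck] = field(default_factory=list)
    not_exist_or_mismatch: bool = False   # "Key does not exist or match..." / "Plist does not exist"


@dataclass
class ProcessCheck:
    name: str
    running: bool = True          # Running cleared: match when the process is NOT running


# Constructed snapshots of what the agent could collect (all names are made up).
WINDOWS_HOST = {
    "processes": {"corp-edr.exe", "explorer.exe"},
    "registry": {
        r"HKEY_LOCAL_MACHINE\SOFTWARE\ExampleCorp\Agent": {"Installed": "1", "Version": "4.2"},
    },
}
MAC_HOST = {
    "processes": {"corp-edr"},
    "plist": {"com.example.agent": {"Enabled": "true"}},
}
AGENT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\ExampleCorp\Agent"


def value_matches(present: dict[str, str], v: ValueCheck) -> bool:
    have = v.name in present and (v.data is None or present[v.name] == v.data)
    return not have if v.negate else have


def key_matches(store: dict[str, dict[str, str]], k: KeyCheck) -> bool:
    present = store.get(k.path)
    ok = present is not None and all(value_matches(present, v) for v in k.values)
    # With the key-level option the whole check is inverted: the host matches
    # when the key (or plist) is absent or its values do not match.
    return not ok if k.not_exist_or_mismatch else ok


def process_matches(processes: set[str], p: ProcessCheck) -> bool:
    running = p.name.lower() in {x.lower() for x in processes}
    return running == p.running


def evaluate_custom_checks(host: dict, processes: Sequence[ProcessCheck] = (),
                           registry: Sequence[KeyCheck] = (),
                           plist: Sequence[KeyCheck] = ()) -> bool:
    """All configured custom checks must hold (criteria in one HIP object are AND-ed)."""
    return (all(process_matches(host.get("processes", set()), p) for p in processes)
            and all(key_matches(host.get("registry", {}), k) for k in registry)
            and all(key_matches(host.get("plist", {}), k) for k in plist))


if __name__ == "__main__":
    # Agent process running and its key reports Installed=1 -> match.
    print(evaluate_custom_checks(WINDOWS_HOST, processes=[ProcessCheck("corp-edr.exe")],
                                 registry=[KeyCheck(AGENT_KEY, [ValueCheck("Installed", "1")])]))
    # Negate on Version 4.2: this host has exactly that, so no match.
    print(evaluate_custom_checks(WINDOWS_HOST,
                                 registry=[KeyCheck(AGENT_KEY, [ValueCheck("Version", "4.2", negate=True)])]))
    # A legacy key that must be absent.
    print(evaluate_custom_checks(WINDOWS_HOST,
                                 registry=[KeyCheck(AGENT_KEY + r"\Legacy", not_exist_or_mismatch=True)]))
```

The two inversions are not interchangeable: Negate on a value row still requires the key itself to exist, whereas the key-level option also matches hosts where the key is missing altogether, so an object meant to flag "agent key present but misconfigured" needs Negate, not the key-level option.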
