HIP-Based Policy Enforcement Based on the Endpoint Status

To identify the endpoint status and enforce HIP-based security policies based on the endpoint's machine certificate, configure a certificate profile.
The GlobalProtect gateway uses this certificate profile to match the machine certificate sent by the GlobalProtect app in the HIP report. For a successful match, the machine certificate must be signed and issued by the same CA certificate and (optional) template that you configure in the certificate profile. If you do not configure a template, the machine certificate matches based on only the configured CA certificate.
To identify the endpoint status and enforce HIP-based security policies based on the presence of the endpoint serial number, enable group mapping.
If an endpoint is managed, you can bind the serial number of the endpoint to the machine account of the endpoint in your directory server (such as Active Directory). The firewall can then pre-fetch the serial numbers for these managed endpoints when it retrieves group mapping information from the directory server.
In your Group Mapping configuration (
Device
User Identification
Group Mapping Settings
<group-mapping-config>
), you must enable the option to
Fetch list of managed devices
. This allows the firewall to retrieve serial numbers from the directory server.

(
Optional
) To identify the endpoint status and enforce HIP-based security policies based on the presence of specific software and settings, you can deploy app settings using the Windows Registry or macOS plist.
The Windows Registry and macOS plist enable you to deploy app settings directly to endpoints.
Set up access to the GlobalProtect portal.
Define an agent configuration on the portal.
Enable the GlobalProtect app to collect HIP data from endpoints.
To enable the GlobalProtect app to collect machine certificates from endpoints with this agent configuration, select the

Certificate profile

that you configured in Step 1.



To enable the GlobalProtect app to collect information about the software and settings that are configured on endpoints with this agent configuration, select

Custom Checks

and configure any of the following options:

Windows

—

Add

the

Registry Key

for which you want to collect data. To restrict data collection to a specific value within the

Registry Key

, add the corresponding

Registry Value

.

You can also

Add

a

Process List

to check for specific processes (software) on Windows endpoints.



Mac

—

Add

the

Plist

and corresponding

Key

for which you want to collect data.

You can also

Add

a

Process List

to check for specific processes (software) on Windows endpoints.


Configure a GlobalProtect gateway.
Configure HIP-based policy enforcement.
When you configure HIP-based policy enforcement, you can create HIP objects to match based on the status of connecting endpoints.
Configure any of the following options in your HIP object to enable HIP matching based on the endpoint status:
Configure HIP matching based on the managed status of the endpoint:

You can identify the managed status of an endpoint by verifying the presence of the endpoint serial number in the Active Directory or Azure AD. If the serial number exists, the endpoint is managed. If the serial number does not exist, the endpoint is unmanaged.

Select

General

.

Select

Host Info

to enable matching based on general host information.

Configure the HIP object to match based on the

Managed

status of the endpoint:

If you set this option to
Yes
, the HIP object matches only if the endpoint is managed.
If you set this option to
No
, the HIP object matches only if the endpoint is unmanaged.
If you set this option to
None
, the HIP object does not match based on the
Managed
status.



Configure HIP matching based on a certificate profile or specific attributes in the endpoint's machine certificate:

Select

Certificate

.

Select

Validate Certificate

to enable matching based on the certificate profile and certificate attributes.

Select the

Certificate Profile

that you configured in Step 1. The GlobalProtect gateway uses this certificate profile to match the machine certificate sent by the GlobalProtect app in the HIP report.

To match based on specific attributes in the endpoint's machine certificate,

Add

the

Certificate Field

and corresponding

Value

in the Certificate Attributes area.



Configure HIP matching based on the presence of specific software and settings on the endpoint:

Select

Custom Checks

.

Select

Custom Checks

to enable matching based on the presence of software and settings on the endpoint.

To check for a specific process (software) on the endpoint, select

Process List

and then click

Add

. When prompted, enter the process name.

By default, the app checks for running processes; if you want to see if a specific process is not running, clear the

Running

selection. Processes can be operating system level processes or user-space application processes.



To check Windows endpoints for a specific registry key, select

Registry Key

and then click

Add

. When prompted, enter the

Registry Key

and then configure any of the following options:

To match only the endpoints that lack the specified registry key or key value, select

Key does not exist or match the specified value data

.

To match on specific registry values,

Add

the

Registry Value

and corresponding

Value Data

. To match endpoints that do not have the specified value or value data, select

Negate

.



To check macOS endpoints for a specific plist entry, select

Plist

and then click

Add

. When prompted, enter the

Plist

name and then configure any of the following options:

To match only the endpoints that do not have the specified plist, select

Plist does not exist

.

To match on specific key-value pairs within the plist,

Add

the plist

Key

and corresponding

Value

. To match endpoints that do not have the specified key or value, select

Negate

.


Commit
your changes.