HIP-Based Policy Enforcement Based on the Endpoint Status

Use the following steps to enforce HIP-based security policies based on the status of connecting endpoints:
  1. To identify the endpoint status and enforce HIP-based security policies based on the endpoint's machine certificate, configure a certificate profile.
    The GlobalProtect gateway uses this certificate profile to match the machine certificate sent by the GlobalProtect app in the HIP report. For a successful match, the machine certificate must be signed and issued by the same CA certificate and (optional) template that you configure in the certificate profile. If you do not configure a template, the machine certificate matches based on only the configured CA certificate.
  2. To identify the endpoint status and enforce HIP-based security policies based on the presence of the endpoint serial number, enable group mapping.
    If an endpoint is managed, you can bind the serial number of the endpoint to the machine account of the endpoint in your directory server (such as Active Directory). The firewall can then pre-fetch the serial numbers for these managed endpoints when it retrieves group mapping information from the directory server.
    In your Group Mapping configuration (Device > User Identification > Group Mapping Settings > <group-mapping-config>), you must enable the option to Fetch list of managed devices. This allows the firewall to retrieve serial numbers from the directory server.
    [Screenshot: group-mapping-fetch-managed-devices.png]
  3. (Optional) To identify the endpoint status and enforce HIP-based security policies based on the presence of specific software and settings, you can deploy app settings using the Windows Registry or macOS plist.
    The Windows Registry and macOS plist enable you to deploy app settings directly to endpoints.
  4. Enable the GlobalProtect app to collect HIP data from endpoints.
    • To enable the GlobalProtect app to collect machine certificates from endpoints with this agent configuration, select the Certificate profile that you configured in Step 1.
      [Screenshot: hip-data-collection-cert-profile.png]
    • To enable the GlobalProtect app to collect information about the software and settings that are configured on endpoints with this agent configuration, select Custom Checks and configure any of the following options:
      • Windows: Add the Registry Key for which you want to collect data. To restrict data collection to a specific value within the Registry Key, add the corresponding Registry Value.
        You can also Add a Process List to check for specific processes (software) on Windows endpoints.
        [Screenshot: hip-data-collection-custom-checks-windows.png]
      • Mac: Add the Plist and corresponding Key for which you want to collect data.
        You can also Add a Process List to check for specific processes (software) on these endpoints.
        [Screenshot: hip-data-collection-custom-checks-mac.png]
  5. When you configure HIP-based policy enforcement, you can create HIP objects to match based on the status of connecting endpoints.
    Configure any of the following options in your HIP object to enable HIP matching based on the endpoint status:
    • Configure HIP matching based on the managed status of the endpoint:
      You can identify the managed status of an endpoint by verifying the presence of the endpoint serial number in the Active Directory or Azure AD. If the serial number exists, the endpoint is managed. If the serial number does not exist, the endpoint is unmanaged.
      1. Select General.
      2. Select Host Info to enable matching based on general host information.
      3. Configure the HIP object to match based on the Managed status of the endpoint:
        • If you set this option to Yes, the HIP object matches only if the endpoint is managed.
        • If you set this option to No, the HIP object matches only if the endpoint is unmanaged.
        • If you set this option to None, the HIP object does not match based on the Managed status.
        [Screenshot: hip-object-managed-status.png]
    • Configure HIP matching based on a certificate profile or specific attributes in the endpoint's machine certificate:
      1. Select Certificate.
      2. Select Validate Certificate to enable matching based on the certificate profile and certificate attributes.
      3. Select the Certificate Profile that you configured in Step 1. The GlobalProtect gateway uses this certificate profile to match the machine certificate sent by the GlobalProtect app in the HIP report.
      4. To match based on specific attributes in the endpoint's machine certificate, Add the Certificate Field and corresponding Value in the Certificate Attributes area.
        [Screenshot: hip-object-certificate.png]
    • Configure HIP matching based on the presence of specific software and settings on the endpoint:
      1. Select Custom Checks.
      2. Select Custom Checks to enable matching based on the presence of software and settings on the endpoint.
      3. To check for a specific process (software) on the endpoint, select Process List and then click Add. When prompted, enter the process name.
        By default, the app checks for running processes; if you want to see whether a specific process is not running, clear the Running selection. Processes can be operating system level processes or user-space application processes.
        [Screenshot: hip-object-custom-checks-process-list.png]
      4. To check Windows endpoints for a specific registry key, select Registry Key and then click Add. When prompted, enter the Registry Key and then configure any of the following options:
        • To match only the endpoints that lack the specified registry key or key value, select Key does not exist or match the specified value data.
        • To match on specific registry values, Add the Registry Value and corresponding Value Data. To match endpoints that do not have the specified value or value data, select Negate.
          [Screenshot: hip-object-custom-checks-registry-key.png]
      5. To check macOS endpoints for a specific plist entry, select Plist and then click Add. When prompted, enter the Plist name and then configure any of the following options:
        • To match only the endpoints that do not have the specified plist, select Plist does not exist.
        • To match on specific key-value pairs within the plist, Add the plist Key and corresponding Value. To match endpoints that do not have the specified key or value, select Negate.
          [Screenshot: hip-object-custom-checks-plist.png]
  6. Commit your changes.
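The following is an added example, not GlobalProtect code, that models how a HIP object combining the options from Step 5 (Managed status, certificate attributes, Process List with the Running flag, Registry Key and Plist checks with Negate) would be evaluated against a HIP report. The data structures, field names and the sample report are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class HipReport:              # constructed stand-in for what the app reports
    managed: bool             # serial number found in the directory (Step 2)
    cert_attrs: dict          # fields read from the machine certificate
    running: set              # names of running processes
    registry: dict            # registry key -> {value name: value data}
    plist: dict               # plist name -> {key: value}

@dataclass
class HipObject:              # constructed stand-in for the HIP object settings
    managed: str = "None"     # "Yes", "No" or "None"
    cert_attrs: dict = field(default_factory=dict)   # Certificate Field -> Value
    processes: list = field(default_factory=list)    # (name, Running selected)
    registry: list = field(default_factory=list)     # (key, value, data, Negate)
    plist: list = field(default_factory=list)        # (plist, key, value, Negate)

def matches(obj: HipObject, rep: HipReport) -> bool:
    # Managed: Yes/No must agree with the report; None ignores the attribute
    if obj.managed == "Yes" and not rep.managed:
        return False
    if obj.managed == "No" and rep.managed:
        return False
    # Every configured certificate attribute must be present with that value
    for fld, val in obj.cert_attrs.items():
        if rep.cert_attrs.get(fld) != val:
            return False
    # Process List: Running selected -> must be running; cleared -> must not be
    for name, running in obj.processes:
        if (name in rep.running) != running:
            return False
    # Registry Key: value None means "key exists"; Negate inverts the outcome,
    # which also covers "Key does not exist or match the specified value data"
    for key, value, data, negate in obj.registry:
        present = key in rep.registry and (
            value is None or rep.registry[key].get(value) == data)
        if present == negate:
            return False
    # Plist: same semantics as the registry check, key None means "plist exists"
    for name, key, value, negate in obj.plist:
        present = name in rep.plist and (
            key is None or rep.plist[name].get(key) == value)
        if present == negate:
            return False
    return True

# Constructed sample report for a managed endpoint with the agent running
SAMPLE_REPORT = HipReport(managed=True, cert_attrs={"Subject": "CN=laptop01"},
                          running={"agent.exe"},
                          registry={"HKLM\\SOFTWARE\\Corp": {"Build": "42"}},
                          plist={"com.corp.agent": {"Enrolled": "true"}})
```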
