HIP-Based Policy Enforcement Based on the Endpoint Status

Use the following steps to enforce HIP-based security policies based on the status of connecting endpoints:
  1. To identify the endpoint status and enforce HIP-based security policies based on the endpoint's machine certificate, configure a certificate profile.
    The GlobalProtect gateway uses this certificate profile to match the machine certificate sent by the GlobalProtect app in the HIP report. For a successful match, the machine certificate must be signed and issued by the same CA certificate and (optional) template that you configure in the certificate profile. If you do not configure a template, the machine certificate matches based on only the configured CA certificate.
  2. To identify the endpoint status and enforce HIP-based security policies based on the presence of the endpoint serial number, enable group mapping.
    If an endpoint is managed, you can bind the serial number of the endpoint to the machine account of the endpoint in your directory server (such as Active Directory). The firewall can then pre-fetch the serial numbers for these managed endpoints when it retrieves group mapping information from the directory server.
    In your Group Mapping configuration (Device > User Identification > Group Mapping Settings), you must enable the option to Fetch list of managed devices. This allows the firewall to retrieve serial numbers from the directory server.
  3. (Optional) To identify the endpoint status and enforce HIP-based security policies based on the presence of specific software and settings, you can deploy app settings using the Windows Registry or macOS plist.
    The Windows Registry and macOS plist enable you to deploy app settings directly to endpoints.
  4. Set up access to the GlobalProtect portal.
  5. Define an agent configuration on the portal.
  6. Enable the GlobalProtect app to collect HIP data from endpoints.
    • To enable the GlobalProtect app to collect machine certificates from endpoints with this agent configuration, select the Certificate profile that you configured in Step 1.
    • To enable the GlobalProtect app to collect information about the software and settings that are configured on endpoints with this agent configuration, select Custom Checks and configure any of the following options:
      • Windows: Add the Registry Key for which you want to collect data. To restrict data collection to a specific value within the Registry Key, add the corresponding Registry Value.
        You can also Add a Process List to check for specific processes (software) on Windows endpoints.
      • Mac: Add the Plist and corresponding Key for which you want to collect data.
        You can also Add a Process List to check for specific processes (software) on macOS endpoints.
  7. Configure a GlobalProtect gateway.
  8. Configure HIP-based policy enforcement.
    When you configure HIP-based policy enforcement, you can create HIP objects to match based on the status of connecting endpoints.
    Configure any of the following options in your HIP object to enable HIP matching based on the endpoint status:
    • Configure HIP matching based on the managed status of the endpoint:
      You can identify the managed status of an endpoint by verifying the presence of the endpoint serial number in the Active Directory or Azure AD. If the serial number exists, the endpoint is managed. If the serial number does not exist, the endpoint is unmanaged.
      1. Select General.
      2. Select Host Info to enable matching based on general host information.
      3. Configure the HIP object to match based on the Managed status of the endpoint:
        • If you set this option to Yes, the HIP object matches only if the endpoint is managed.
        • If you set this option to No, the HIP object matches only if the endpoint is unmanaged.
        • If you set this option to None, the HIP object does not match based on the Managed status.
    • Configure HIP matching based on a certificate profile or specific attributes in the endpoint's machine certificate:
      1. Select Certificate.
      2. Select Validate Certificate to enable matching based on the certificate profile and certificate attributes.
      3. Select the Certificate Profile that you configured in Step 1. The GlobalProtect gateway uses this certificate profile to match the machine certificate sent by the GlobalProtect app in the HIP report.
      4. To match based on specific attributes in the endpoint's machine certificate, Add the Certificate Field and corresponding Value in the Certificate Attributes area.
    • Configure HIP matching based on the presence of specific software and settings on the endpoint:
      1. Select Custom Checks.
      2. Select Custom Checks to enable matching based on the presence of software and settings on the endpoint.
      3. To check for a specific process (software) on the endpoint, select Process List and then click Add. When prompted, enter the process name.
        By default, the app checks for running processes; if you want to see if a specific process is not running, clear the Running selection. Processes can be operating system level processes or user-space application processes.
      4. To check Windows endpoints for a specific registry key, select Registry Key and then click Add. When prompted, enter the Registry Key and then configure any of the following options:
        • To match only the endpoints that lack the specified registry key or key value, select Key does not exist or match the specified value data.
        • To match on specific registry values, Add the Registry Value and corresponding Value Data. To match endpoints that do not have the specified value or value data, select Negate.
      5. To check macOS endpoints for a specific plist entry, select Plist and then click Add. When prompted, enter the Plist name and then configure any of the following options:
        • To match only the endpoints that do not have the specified plist, select Plist does not exist.
        • To match on specific key-value pairs within the plist, Add the plist Key and corresponding Value. To match endpoints that do not have the specified key or value, select Negate.
  9. Commit your changes.
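As an added illustration (not PAN-OS code and not the vendor's documented matching logic), the following Python models how the HIP object criteria from Step 8 combine: the Managed Yes/No/None setting, the certificate profile and certificate attributes, the Process List Running option, and the Registry Key / Plist checks with Negate and the "does not exist" option. The HipReport/HipObject data model and every field name are assumptions made for the example.

```python
# Added illustrative model of HIP-object matching; not PAN-OS code.
# The data model and all names below are assumptions for the example.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class HipReport:
    serial_in_directory: bool       # serial number found via group mapping
    cert_issuer_ca: Optional[str]   # CA that issued the machine certificate
    cert_attrs: dict                # e.g. {"CN": "laptop01"}
    running: set                    # names of running processes
    settings: dict                  # registry key / plist -> {value: data}

@dataclass
class HipObject:
    managed: Optional[bool] = None  # True=Yes, False=No, None=no Managed check
    cert_profile_ca: Optional[str] = None
    cert_attrs: dict = field(default_factory=dict)
    processes: list = field(default_factory=list)  # (name, running_selected)
    # (key_or_plist, does_not_exist_selected, [(value, data, negate)])
    custom: list = field(default_factory=list)

def setting_matches(report, key, does_not_exist, entries):
    """Registry Key / Plist check honouring Negate and 'does not exist'."""
    present = key in report.settings
    if does_not_exist:  # match if the key is absent or any requested data differs
        return (not present) or any(report.settings[key].get(v) != d for v, d, _ in entries)
    if not present:
        return False
    for value, data, negate in entries:
        found = report.settings[key].get(value) == data
        if found == negate:  # Negate inverts the expectation
            return False
    return True

def hip_match(obj, report):
    """True if the endpoint satisfies every criterion set in the HIP object."""
    if obj.managed is not None and obj.managed != report.serial_in_directory:
        return False
    if obj.cert_profile_ca is not None:
        if report.cert_issuer_ca != obj.cert_profile_ca:
            return False
        if any(report.cert_attrs.get(f) != v for f, v in obj.cert_attrs.items()):
            return False
    # Running selected: process must be running; cleared: must not be running
    if any((name in report.running) != want for name, want in obj.processes):
        return False
    return all(setting_matches(report, *c) for c in obj.custom)
```

Each HIP object criterion is evaluated independently and the object matches only when all configured criteria hold, which is why leaving Managed at None skips that check entirely.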
