Objects > GlobalProtect > HIP Profiles
Select ObjectsGlobalProtectHIP Profiles to create the HIP profiles—a collection of HIP objects to be evaluated together either for monitoring or for Security policy enforcement—that you use to set up HIP-enabled security policies. When creating HIP profiles, you can combine the HIP objects you previously created (as well as other HIP profiles) by using Boolean logic, so that when a traffic flow is evaluated against the resulting HIP profile, it will either match or not match. Upon a match, the corresponding policy rule is enforced; if there is no match, the flow is evaluated against the next rule (as with any other policy matching criteria).
To create a HIP profile, click Add. The following table provides information on what to enter in the fields in the HIP Profile dialog. For more detailed information on setting up GlobalProtect and the workflow for creating HIP-augmented security policies, refer to Configure HIP-Based Policy Enforcement in the GlobalProtect Administrator’s Guide.
HIP Profile Settings
Enter a name for the profile (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
(Optional) Enter a description.
Select Shared to make the current HIP profile available to:
After you save the profile, you cannot change its Shared setting. Select ObjectsGlobalProtectHIP Profiles to view the current Location.
Disable override (Panorama only)
Controls override access to the HIP profile in device groups that are descendants of the Device Group selected in the Objects tab. Select this option if you want to prevent administrators from creating local copies of the profile in descendant device groups by overriding its inherited values. This option is cleared by default (override is enabled).
Click Add Match Criteria to open the HIP Objects/Profiles Builder.
Select the first HIP object or profile you want to use as match criteria and then add ( ) it to the Match text box on the HIP Objects/Profiles Builder dialog. Keep in mind that if you want the HIP profile to evaluate the object as a match only when the criteria in the object is not true for a flow, select NOT before adding the object.
Continue adding match criteria as appropriate for the profile you are building, and ensure you select the appropriate Boolean operator (AND or OR) between each addition (and using the NOT operator when appropriate).
To create a complex Boolean expression, you must manually add the parenthesis in the proper places in the Match text box to ensure that the HIP profile is evaluated using the intended logic. For example, the following expression indicates that the HIP profile will match traffic from a host that has either FileVault disk encryption (Mac OS systems) or TrueCrypt disk encryption (Windows systems) and also belongs to the required Domain and has a Symantec antivirus client installed:
((“MacOS” and “FileVault”) or (“Windows” and “TrueCrypt”)) and “Domain” and “SymantecAV”
When you have finished adding the objects and profiles to the new HIP profile, click OK.
Configure HIP-Based Policy Enforcement
Configure HIP-Based Policy Enforcement To enable the use of host information in policy enforcement, you must complete the following steps. For more information on the ...
Objects > GlobalProtect > HIP Objects
Objects > GlobalProtect > HIP Objects Select Objects GlobalProtect HIP Objects to define objects for a host information profile (HIP). HIP objects provide the matching ...
Collect Application and Process Data From Endpoints
Collect Application and Process Data From Endpoints The Windows Registry and macOS plist can be used to configure and store settings for Windows and Mac ...
How Does the Gateway Use the Host Information to Enforce Policy?
How Does the Gateway Use the Host Information to Enforce Policy? While the app gets the information about what information to collect from the client ...
HIP Objects Certificate Tab
HIP Objects Certificate Tab Objects GlobalProtect HIP Objects Certificate Select the Certificate tab to enable HIP matching based on the certificate profile and other certificate ...
HIP Objects General Tab
HIP Objects General Tab Objects GlobalProtect HIP Objects General Select the General tab to specify a name for the new HIP object and configure the ...
GlobalProtect Portals Agent Data Collection Tab
GlobalProtect Portals Agent HIP Data Collection Tab Network GlobalProtect Portals Agent HIP Data Collection Select the HIP Data Collection tab to define the data that ...
How Do Users Know if Their Systems are Compliant?
How Do Users Know if Their Systems are Compliant? By default, end users are not given any information about policy decisions that were made as ...
HIP-Based Policy Enforcement Based on the Endpoint Status
HIP-Based Policy Enforcement Based on the Endpoint Status Use the following steps to enforce HIP-based security policies based on the status of connecting endpoints: To ...