Configure HIP Data Collection Settings for Dynamic Privilege Access
Define any custom host information profile (HIP) data that you want the Prisma Access Agent to collect, or to exclude from collection, on the endpoints that logged in using a project.
Where Can I Use This?
  • Prisma Access (Managed by Strata Cloud Manager)
What Do I Need?
  • Prisma Access 5.1 Innovation
  • macOS 14 and later or Windows 10 version 2024 and later desktop devices
  • Prisma Access license with the Mobile User subscription
  • Role: Project Admin
The Prisma Access Agent collects information about the host it's running on and submits this host information to the gateway upon successful connection. The gateway matches this raw host information submitted by the Prisma Access Agent against any host information profile (HIP) objects and HIP Profiles that you have defined. If it finds a match, it generates an entry in the HIP Match log. Additionally, if it finds a HIP Profile match in a policy rule, it enforces the corresponding security policy.
In the HIP Notifications tab of the Edit Global Agent Settings page, you can create HIP notifications, create and manage HIP objects, and create and manage HIP Profiles that apply to the Prisma Access Agent across all endpoints.
Here, you can define custom HIP data that you want the Prisma Access Agent to collect. When this option is enabled, the Prisma Access Agent collects data from devices running macOS or Windows operating systems.
For example, a custom check could enable you to know whether a certain application is installed or running on an endpoint. The data that you define to be collected in a custom check is included in the raw host information data that the Prisma Access Agent collects and then submits to the gateway when the Prisma Access Agent connects.
  1. From Strata Cloud Manager, select Manage > Configuration > NGFW and Prisma Access > Overview and expand the Configuration Scope to view the Snippets.
  2. Select the snippet that the Superuser admin assigned to you.
  3. Select Objects > Dynamic Privilege Access to open the Dynamic Privilege Access settings.
  4. Select the Agent Settings tab.
  5. Add Agent Settings or select an existing configuration from the Agent Setting table.
  6. In the Host Information Profile (HIP) section, select Collect HIP Data to enable HIP data collection on the endpoints that logged in using a project.
  7. Select Show Advanced Options.
  8. Specify the Max Wait Time (in seconds) that the Prisma Access Agent should search for HIP data before submitting the available data. The range is 10-60 seconds; the default is 20 seconds.
  9. Select the Certificate Profile that the gateway uses to match the machine certificate sent by the Prisma Access Agent.
    If you want to use a certificate profile that isn't on the list, Add Certificate Profile.
    • (Required) Name—Enter a name for the certificate profile. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
    • (Required) CA Certificates—Add a CA Certificate to assign to the profile.
      Optionally, if the gateway uses the Online Certificate Status Protocol (OCSP) to verify certificate revocation status, configure the following fields to override the default behavior. For most deployments, these fields do not apply.
      • By default, the gateway uses the Authority Information Access (AIA) information from the certificate to extract the OCSP responder information. To override the AIA information, enter a Default OCSP URL (starting with http:// or https://).
      • By default, the gateway uses the certificate selected in the CA Certificate field to validate OCSP responses. To use a different certificate for validation, select it in the OCSP Verify CA Certificate field.
    • Show Advanced Options—Shows more options for the certificate profile.
    • Username Field—If the Prisma Access Agent uses only certificates for gateway authentication, Prisma Access uses the certificate field you select in the Username Field drop-down as the username and matches it to the IP address for the User-ID service:
      • Subject—The Common Name.
      • Subject Alt—The Email or Principal Name.
      • None—Typically for the Prisma Access Agent device authentication.
    • User Domain—Enter the NetBIOS domain so that Prisma Access can map users through the User-ID.
    • Use CRL—Select this option to use a certificate revocation list (CRL) to verify the revocation status of certificates.
    • Use OCSP—Select this option to use OCSP to verify the revocation status of certificates.
      If you select both OCSP and CRL, the gateway first tries OCSP, and only falls back to the CRL method if the OCSP responder is unavailable.
    • CRL Receive Timeout—Specify the interval (1-60 seconds) after which the gateway stops waiting for a response from the CRL service.
    • OCSP Receive Timeout—Specify the interval (1-60 seconds) after which the gateway stops waiting for a response from the OCSP responder.
    • Certificate Status Timeout—Specify the interval (1-60 seconds) after which the gateway stops waiting for a response from any certificate status service and applies any session blocking logic you define.
    • Block session if certificate status is unknown—Select this option if you want the gateway to block sessions when the OCSP or CRL service returns a certificate revocation status of unknown. Otherwise, the gateway proceeds with the sessions.
    • Block sessions if certificate status cannot be retrieved within timeout—Select this option if you want the gateway to block sessions after it registers an OCSP or CRL request timeout. Otherwise, the gateway proceeds with the sessions.
    • Block sessions if the certificate was not issued to the authenticating device—Select this option if you want the gateway to block sessions when the serial number attribute in the subject of the client certificate does not match the host ID that the Prisma Access Agent reports for the endpoint. Otherwise, the gateway allows the sessions. This option applies only to Prisma Access Agent certificate authentication.
    Save your settings when you're done.
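    The revocation and blocking options above interact in a fixed order. The following added example (not Palo Alto Networks code) models that decision as a plain function so you can see, for a given certificate profile and responder outcome, whether the gateway proceeds with or blocks the session. It assumes that a certificate a service reports as revoked is always rejected; the outcome labels (good, revoked, unknown, unavailable) are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed labels for what a revocation service can report for one certificate.
GOOD, REVOKED, UNKNOWN, UNAVAILABLE = "good", "revoked", "unknown", "unavailable"


@dataclass
class CertProfile:
    """The certificate-profile options from this page that affect session blocking."""
    use_ocsp: bool = False
    use_crl: bool = False
    block_if_unknown: bool = False          # "Block session if certificate status is unknown"
    block_if_timeout: bool = False          # "Block sessions if ... cannot be retrieved within timeout"
    block_if_not_issued_to_device: bool = False


def revocation_status(profile: CertProfile, ocsp: str, crl: str) -> str:
    """Status the gateway ends up with: OCSP first, CRL only if OCSP is unavailable."""
    if profile.use_ocsp and ocsp != UNAVAILABLE:
        return ocsp                 # OCSP answered (good/revoked/unknown): no CRL fallback
    if profile.use_crl:
        return crl                  # OCSP disabled or responder unreachable: consult the CRL
    if profile.use_ocsp:
        return UNAVAILABLE          # OCSP only, and the responder timed out
    return GOOD                     # no revocation checking configured


def session_decision(profile: CertProfile, ocsp: str = GOOD, crl: str = GOOD,
                     cert_serial: Optional[str] = None, host_id: Optional[str] = None) -> str:
    """Apply the documented blocking options to the status and the device check."""
    status = revocation_status(profile, ocsp, crl)
    if status == REVOKED:                                  # assumption: revoked is always rejected
        return "block: certificate revoked"
    if status == UNKNOWN and profile.block_if_unknown:
        return "block: revocation status unknown"
    if status == UNAVAILABLE and profile.block_if_timeout:
        return "block: status not retrieved within timeout"
    # Serial number in the certificate subject must equal the host ID the agent reports.
    if profile.block_if_not_issued_to_device and cert_serial != host_id:
        return "block: certificate not issued to this device"
    return "allow"
```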
  10. Edit Custom Checks to define any custom data you want to collect from the hosts running this configuration.
    For example, if you have any required applications that are not included in the Vendor or Product lists for creating HIP objects, you can create a custom check to determine whether that application is installed (it has a corresponding Windows registry or Mac plist key) or is currently running (has a corresponding running process):
    • Windows—Add a check for a particular Registry Key or Registry Value. To restrict data collection to a specific Registry Value, Add and then define the specific registry values.
    • Mac—Add a check for a particular Plist key or Key value. To restrict the data collection to specific key values, Add the Key values. Click OK to save the settings.
    • Process List—Add the processes you want to check for on user endpoints to see if they are running. For example, to determine whether a software application is running, add the name of the executable file to the process list. You can add a process to the Windows tab, the Mac tab, or both.
    Save the custom check settings when you are done.
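    To make the three custom-check types concrete, here is an added example (not Prisma Access Agent code) that models how a custom check selects data from a host and when a HIP object built on it would match. The host snapshots, registry path, plist path, values and process names are all constructed for the illustration.

```python
# Constructed snapshot of what the agent might observe on one Windows endpoint
# (hypothetical registry path, values and process names).
WINDOWS_HOST = {
    "os": "windows",
    "registry": {r"HKLM\SOFTWARE\ExampleCorp\Agent": {"Version": "4.2.1", "Enabled": "1"}},
    "processes": {"exampleagent.exe", "explorer.exe"},
}

# Hypothetical custom check mirroring the check types on this page: a Windows
# registry key restricted to specific values, a Mac plist key restricted to
# specific values, and a per-OS process list. An empty value dict would mean
# "check key presence only".
CUSTOM_CHECK = {
    "windows": {
        "registry": {r"HKLM\SOFTWARE\ExampleCorp\Agent": {"Version": "4.2.1"}},
        "processes": ["exampleagent.exe"],
    },
    "mac": {
        "plist": {"/Library/Preferences/com.examplecorp.agent.plist": {"Version": "4.2.1"}},
        "processes": ["exampleagent"],
    },
}


def _store(host: dict) -> str:
    return "registry" if host["os"] == "windows" else "plist"


def collect_custom_hip(host: dict, check: dict) -> dict:
    """Return only the data the custom check asks for: the slice of raw host
    information the agent would submit to the gateway when it connects."""
    spec, store = check[host["os"]], _store(host)
    found = {}
    for key, wanted in spec[store].items():
        values = host.get(store, {}).get(key)
        if values is None:
            continue                       # key absent: nothing to report for it
        # Restricting to named values keeps unrelated data (e.g. "Enabled") out of the report.
        found[key] = {n: v for n, v in values.items() if n in wanted} if wanted else {}
    running_lower = {p.lower() for p in host["processes"]}
    running = [p for p in spec["processes"] if p.lower() in running_lower]
    return {store: found, "running_processes": running}


def check_matches(host: dict, check: dict) -> bool:
    """True when every key, value and process in the check is satisfied, i.e. the
    condition under which a HIP object built on this custom check would match."""
    spec, store = check[host["os"]], _store(host)
    data = collect_custom_hip(host, check)
    for key, wanted in spec[store].items():
        if key not in data[store]:
            return False
        if any(data[store][key].get(n) != v for n, v in wanted.items()):
            return False
    return set(data["running_processes"]) == set(spec["processes"])
```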
  11. When you have finished configuring the project-specific Prisma Access Agent settings, Save the configuration.