WiscVPN GlobalProtect Host Information Profile (HIP) Collection

When you use the GlobalProtect client to connect to WiscVPN, GlobalProtect gathers and logs information about your device into what is known as a Host Information Profile (HIP) Report. This information is used to determine whether your device meets UW–Madison security policies and standards (e.g., UW-526 and the Endpoint Management and Security Policy Standards). In addition, the level of security on your device may affect your ability to use it to access specific services. This document provides additional details and examples.

How is the HIP Report used

The HIP Report is used to ensure that a user's device meets the appropriate security requirements to access university systems and services. To do this, the VPN checks data in the HIP Report to confirm whether the device meets the requirements. The results may be used to determine whether the device is permitted to access those systems and services. Users may also receive certain notifications based on the results.

Technical explanation

The VPN service uses defined HIP objects to query the submitted HIP Report data and return true/false answers. HIP profiles are able to combine the results of multiple HIP objects or other profiles into a larger true/false statement. Query results can be used as part of firewall rules to grant or restrict access to services. Query results can also be used to trigger user notifications. Examples are provided below.

HIP object examples

HIP Object: Windows Version

The values from a registry key are queried to determine the complete operating version number on Windows devices. This query can be simplified to:

Is Windows Version 10.0.26200.6584

The results of this can then be used in a profile to determine if the device is running a supported and updated operating system.

HIP Object: Antivirus/Anti-malware

Checks are performed to determine if antivirus/anti-malware is installed, has real-time protection, and has current virus definitions. This query can be simplified to:

Is antivirus/anti-malware installed
AND has real-time protection enabled
AND has virus definitions <= to 7 days

Another check can be used to ensure UW-Madison owned/managed devices have Cisco Secure Endpoint installed, running, and current. This query can be simplified to:

Is antivirus/anti-malware installed
AND has real-time protection enabled
AND vendor is 'Cisco Systems, Inc.'
AND product name is 'Cisco Secure Endpoint' 
AND product version is >= 1.27.0.1046
AND has virus definitions <= to 7 days

Profile example

Profile: UW-Madison Low Security Standards Met

Results from HIP Object and other HIP Profiles are combined to determine if a device meets the UW-Madison Security Standards at the "low" level. This query can be simplified to:

Pass antivirus/anti-malware HIP Object
AND operating system version NOT in unsupported list
AND operating system version NOT in missing updates list

What information is in a HIP Report?

The HIP Report does not collect personal information about users beyond the username used to log into the VPN, and it does not track websites visited or search history.

The information gathered in a HIP Report is described below:

General host information

VPN Username (typically NetID)
GlobalProtect client version
Hostname
IP address
Logon domain (typically Active Directory joined domain)
Operating system
Serial Number (not available on mobile devices)
WiFi network SSID (mobile devices only)
Whether the device is rooted/jailbroken (mobile devices only)
For devices managed by Workspace ONE, additional information may be collected from the Workspace ONE service.

Patch management information

What patch management software is installed and enabled, including most platforms’ built-in software update mechanisms
Information about missing patches

Firewall information

Information about any firewalls that are installed and/or enabled on the host.

Anti-malware information

Installed antivirus or anti-spyware software and for each product:
- The vendor and product name
- Whether the software is enabled
- Whether the software has real-time protection enabled
- The virus definition version and release date
- The last scan date/time

Disk backup information

Whether disk backup software is installed
Last backup time
Software vendor and product name

Disk encryption information

Whether disk encryption software is installed
Which drives and/or paths are configured for encryption
Software vendor and product name

Data Loss Prevention (DLP) information (Windows devices only)

Whether DLP software is installed and enabled

Device certificate information for UW-Madison owned or managed devices

Whether a UW managed device certificate is installed and information about that certificate.

Custom checks for items specified by the VPN configuration

The HIP can perform custom checks in the following areas:

Registry keys (Windows only)
Property lists (macOS only)
Process lists (Linux only)
Running operating system processes and user-space application processes

Only defined items specified in the VPN configuration are gathered by these checks. For example, the full Windows version number (e.g. '10.0.26200.6584') is gathered via a custom check.

Can I see what was in my HIP Report?

If you are using Linux, macOS, and Windows you can see most of the information your device submitted by following these steps:

Open the Palo Alto GlobalProtect client.
Click the hamburger menu button (see Figure 1).
Select Settings (see Figure 1).
Click on Host Information Profile in the left-hand navigation panel (see Figure 2).
Expand the categories in the 'Advanced Information' section to see details (see Figure 2). For security reasons, Global Protect does not display custom check information.

Figure 1