Palo Alto: HIP Features - VPN, Host-Info and Firewall Security

The GlobalProtect Host Information Profile (HIP) feature can be used to collect information about the security status of the endpoints -- such as whether they have the latest security patches and antivirus definitions installed, whether they have disk encryption enabled, or whether it is running specific software you require within your department, including custom applications. This information can then be used in security policies to decide if the endpoint is allowed to access specific resources or not. The purpose of this article is:
  • How GlobalProtect HIP works with your computer
  • How the Global Protect VPN uses this information
  • How to use the information in your firewall instance
  • GlobalProtect Agent:
  • One of the jobs of the GlobalProtect agent is to collect information about the host it is running on. The agent then submits this host information to the GlobalProtect gateway upon successful connection.
  •  
  • The gateway matches this raw host information submitted by the agent against any HIP objects and HIP profiles the firewall administrator has defined.

      • If it finds a match, it generates an entry in the HIP Match log.
      • Additionally, if it finds a HIP Profile match in a policy rule, it enforces the corresponding security policy. (See image for example)
    HIP_SecPolicy_Example
  • How To Setup HIP:
  • GlobalProtect HIP is comprised of Objects and Profiles.
  • Create the HIP object to match your need, keeping in mind the HIP Objects are merely building blocks to create the HIP Profiles used in security policies.

  • HIP_Object
  • When you create your HIP profiles, you can combine the HIP objects you previously created, or other HIP profiles, using Boolean logic which will be matched or not matched when a traffic flow is evaluated.

  • HIP_Profile-Example
  • How to use HIP in your Security decisions:
  • The best way to determine what HIP objects you need is to determine how you will use the host information you collect to enforce policy.
  • Whenever a user host connects to GlobalProtect, the agent presents its HIP data to the GP gateway. The gateway then uses this data to determine which HIP objects and/or HIP profiles the host matches. For each match, it generates a HIP Match log entry. Unlike a traffic log—which only creates a log entry if there is a security policy match—the HIP Match log generates an entry whenever the raw data submitted by an agent matches a HIP object and/or a HIP profile you have defined. This makes the HIP Match log a good resource for monitoring the state of the hosts on your network over time, in order to help you determine exactly what policies you believe need enforcement.
  • To set the new HIP Profile in security rules:
        • Identify rules with networks requiring protections from EoL Operating Systems
        • Edit the Rule to view it's properties
        • Open the User tab to find the area to set the HIP Profile
        • Add the new HIP Profile under the HIP Profile setting
        • Set the Rule Action to Deny
        • Click OK to apply the change to the rule
        • Repeat on all identified rules
        • Commit the change once all rule changes have been made
  • You may also notify end-users on their VPN connection when their computer matches specified HIP objects. See image below for where to enable this notification on the GlobalProtect Gateway configuration.

  • HIP_GP-Agent_HIP-Notification


Keywords:
PaloAlto Palo Alto firewall Global Protect Host Information Processing 
Doc ID:
95361
Owned by:
Vincent A. in Cybersecurity
Created:
2019-10-28
Updated:
2022-11-02
Sites:
Cybersecurity Operations Center, DoIT Help Desk, Office of Cybersecurity