Palo Alto: HIP Features - VPN, Host-Info and Firewall Security

The GlobalProtect Host Information Profile (HIP) feature can be used to collect information about the security status of endpoints -- such as whether they have the latest security patches and antivirus definitions installed, whether they have disk encryption enabled, or whether they are running specific software you require within your department, including custom applications. This information can then be used in security policies to decide whether the endpoint is allowed to access specific resources.

The purpose of this article is to help administrators understand:

  • How GlobalProtect HIP works with your computer
  • How the GlobalProtect VPN uses this information
  • How to use the information in your firewall instance

GlobalProtect Client:

One of the jobs of the GlobalProtect client is to collect information about the host it is running on. The client submits this host information to the GlobalProtect gateway upon successful connection.

The gateway matches this raw host information submitted by the client against any HIP objects or HIP profiles the firewall administrator has defined.

If it finds a match, it generates an entry in the HIP Match log.

Additionally, if it finds a HIP Profile match in a security rule, it enforces the action of that security rule. (See the image below for an example.)

[Image: HIP_SecPolicy_Example]

How To Setup HIP:

GlobalProtect HIP is comprised of Objects and Profiles.

Create the HIP object to match your need, keeping in mind the HIP Objects are merely building blocks to create the HIP Profiles used in security rules.

[Image: HIP_Object]

When you create your HIP profiles, you can combine the HIP objects you previously created, or other HIP profiles, using Boolean logic for use when a traffic flow is evaluated.

[Image: HIP_Profile-Example]

How to use HIP in your security decisions:

The best way to determine what HIP objects you need is to determine how you will use the host information you collect to enforce policy.

Whenever a user host connects to GlobalProtect, the agent presents its HIP data to the GP gateway. The gateway then uses this data to determine which HIP objects and/or HIP profiles the host matches. For each match, it generates a HIP Match log entry. Unlike a traffic log—which only creates a log entry if there is a security policy match—the HIP Match log generates an entry whenever the raw data submitted by an agent matches a HIP object and/or a HIP profile you have defined. This makes the HIP Match log a good resource for monitoring the state of the hosts on your network over time, in order to help you determine exactly what policies you believe need enforcement.
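The following is an added, simplified model (not PAN-OS code) of what the gateway does with the Boolean HIP profiles described under "How To Setup HIP" and the HIP Match log described above: a constructed host report is checked against HIP objects, the objects are combined into nested profiles, every match is logged regardless of policy, and only then are security rules consulted. The report field names, object names and profile names are assumptions chosen for illustration.

```python
# Constructed host report (assumed field names), like the data a GlobalProtect client submits.
HOST_REPORT = {
    "os_patched": True,
    "av_definitions_age_days": 3,
    "disk_encrypted": False,
    "installed_software": {"Cortex XDR", "Required Dept App"},
}

# HIP objects: named checks, each evaluating to True/False over the host report.
HIP_OBJECTS = {
    "patched": lambda r: r["os_patched"],
    "av-current": lambda r: r["av_definitions_age_days"] <= 7,
    "disk-encrypted": lambda r: r["disk_encrypted"],
    "dept-app": lambda r: "Required Dept App" in r["installed_software"],
}

# HIP profiles: Boolean combinations of objects and other profiles, written as
# ("and", ...), ("or", ...), ("not", x) or a bare object/profile name.
HIP_PROFILES = {
    "baseline": ("and", "patched", "av-current"),
    "full-compliance": ("and", "baseline", "disk-encrypted", "dept-app"),
    "noncompliant": ("not", "full-compliance"),
}

def evaluate(expr, report):
    """Evaluate an object name, profile name or Boolean expression against a report."""
    if isinstance(expr, str):
        if expr in HIP_OBJECTS:
            return bool(HIP_OBJECTS[expr](report))
        return evaluate(HIP_PROFILES[expr], report)  # profiles may nest profiles
    op, *args = expr
    if op == "and":
        return all(evaluate(a, report) for a in args)
    if op == "or":
        return any(evaluate(a, report) for a in args)
    if op == "not":
        return not evaluate(args[0], report)
    raise ValueError(f"unknown operator {op!r}")

def hip_match_log(report):
    """Every object or profile the host matches is logged, whether or not a rule uses it."""
    names = list(HIP_OBJECTS) + list(HIP_PROFILES)
    return [n for n in names if evaluate(n, report)]

def policy_action(rules, report):
    """Ordered security rules as (HIP profile or None, action); first match wins."""
    for profile, action in rules:
        if profile is None or evaluate(profile, report):
            return action
    return "deny"  # no rule matched: default deny
```

With the constructed report, the host is logged as matching "baseline" and "noncompliant" even though no rule may reference those profiles, which is why the HIP Match log is useful for surveying host state before you write enforcement rules.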

To set the new HIP Profile in security rules:

  1. Identify the rules whose destinations are restricted based on end-user device conditions
  2. Edit the rule to view its properties
  3. Open the User tab to find the area to set the HIP Profile
  4. Add the new HIP Profile under the HIP Profile setting
  5. Set the Rule Action to Deny
  6. Click OK to apply the change to the rule
  7. Repeat on all identified rules
  8. Commit the change once all rule changes have been made

You may also notify end-users on their VPN connection when their computer matches specified HIP objects. See the image below for where to enable this notification in the GlobalProtect Gateway configuration.

[Image: HIP_GP-Agent_HIP-Notification]

Keywords:
PaloAlto Palo Alto firewall Global Protect Host Information Processing 
Doc ID:
95361
Owned by:
TCD K. in Cybersecurity
Created:
2019-10-28
Updated:
2025-05-15
Sites:
Cybersecurity Operations Center, DoIT Help Desk, Office of Cybersecurity