Hardware reference guide

GlobalProtect Administrator’s Guide
Use Host Information in Policy Enforcement Configure HIP-Based Policy Enforcement
Step 5 Create the HIP profiles that you plan to use in your policies.

When you create your HIP profiles, you can combine the HIP objects you previously created (as well as other HIP profiles) using Boolean logic such that when a traffic flow is evaluated against the resulting HIP profile it will either match or not match. If there is a match, the corresponding policy rule will be enforced; if there is not a match, the flow will be evaluated against the next rule, as with any other policy matching criteria.

1. On the gateway (or on Panorama if you plan to share the HIP profiles among multiple gateways), select Objects > GlobalProtect > HIP Profiles and click Add.
2. Enter a descriptive Name for the profile and optionally a Description.
3. Click Add Match Criteria to open the HIP Objects/Profiles Builder.
4. Select the first HIP object or profile you want to use as match criteria and then click add to move it over to the Match text box on the HIP Profile dialog. Keep in mind that if you want the HIP profile to evaluate the object as a match only when the criteria in the object are not true for a flow, select the NOT check box before adding the object.
5. Continue adding match criteria as appropriate for the profile you are building, making sure to select the appropriate Boolean operator radio button (AND or OR) between each addition (and, again, using the NOT check box when appropriate).
6. If you are creating a complex Boolean expression, you must manually add the parentheses in the proper places in the Match text box to ensure that the HIP profile is evaluated using the logic you intend. For example, the following HIP profile will match traffic from a host that has either FileVault disk encryption (for Mac OS systems) or TrueCrypt disk encryption (for Windows systems) and also belongs to the required Domain, and has a Symantec antivirus client installed:
7. When you are done adding match criteria, click OK to save the profile.
8. Repeat these steps to create each additional HIP profile you require.
9. Commit your changes.
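
The effect of the parentheses in step 6 can be checked offline before committing a profile. The following is an added example, not taken from the guide or from the firewall: a small evaluator that tests a match expression against the set of HIP objects a host satisfies. The expression syntax, the object names and the operator precedence (NOT, then AND, then OR) are assumptions of this sketch, not documented firewall behaviour.

```python
import re

# Assumed syntax for this sketch: quoted object names, and/or/not, parentheses.
TOKEN = r'\(|\)|"[^"]+"|\band\b|\bor\b|\bnot\b'

def tokenize(expr):
    if not re.fullmatch(rf'(?:\s*(?:{TOKEN}))*\s*', expr, re.I):
        raise ValueError("unrecognised text in expression")
    return re.findall(TOKEN, expr, re.I)

def matches(expr, host_objects):
    """True if the set of HIP objects the host satisfies makes expr true."""
    toks, pos = tokenize(expr), 0
    def peek():
        return toks[pos].lower() if pos < len(toks) else None
    def take():
        nonlocal pos
        pos += 1
        return toks[pos - 1]
    def parse(level=0):  # level 0 = or, 1 = and (binds tighter), 2 = not/atom
        if level == 2:
            if peek() is None:
                raise ValueError("expression ends early")
            tok = take()
            if tok.lower() == "not":
                return not parse(2)
            if tok == "(":
                val = parse(0)
                if peek() != ")":
                    raise ValueError("missing closing parenthesis")
                take()
                return val
            if tok.startswith('"'):
                return tok[1:-1] in host_objects
            raise ValueError(f"unexpected token {tok!r}")
        val = parse(level + 1)
        while peek() == ("or", "and")[level]:
            take()
            rhs = parse(level + 1)  # always evaluated so every token is consumed
            val = (val or rhs) if level == 0 else (val and rhs)
        return val
    result = parse()
    if pos != len(toks):
        raise ValueError("unbalanced or trailing tokens")
    return result

# Constructed expressions and host; the object names are hypothetical.
GROUPED = '("FileVault" or "TrueCrypt") and "Domain" and "Symantec-AV"'
UNGROUPED = '"FileVault" or "TrueCrypt" and "Domain" and "Symantec-AV"'
UNMANAGED_MAC = {"FileVault"}  # encrypted, but no domain membership or antivirus
```

Under the assumed precedence, `matches(UNGROUPED, UNMANAGED_MAC)` is true while `matches(GROUPED, UNMANAGED_MAC)` is false: without the parentheses, a host with FileVault alone satisfies the profile.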
Enable HIP Checking (Continued)