Hardware reference guide

GlobalProtect Administrator’s Guide
Use Host Information in Policy Enforcement
Configure HIP-Based Policy Enforcement
Step 6 Verify that the HIP objects and HIP profiles you created are matching your GlobalProtect client traffic as expected.

On the gateway(s) that your GlobalProtect users are connecting to, select Monitor > Logs > HIP Match. This log shows all of the matches the gateway identified when evaluating the raw HIP data reported by the agents against the defined HIP objects and HIP profiles. Unlike other logs, a HIP match does not require a security policy match in order to be logged.

Note: Consider monitoring HIP objects and profiles as a means to monitor the security state and activity of your host endpoints. By monitoring the host information over time you will be better able to understand where your security and compliance issues are and you can use this information to guide you in creating useful policy.

Step 7 Enable User-ID on the source zones that contain the GlobalProtect users that will be sending requests that require HIP-based access controls. You must enable User-ID even if you don’t plan on using the user identification feature, or the firewall will not generate any HIP Match log entries.

1. Select Network > Zones.
2. Click the Name of the zone in which you want to enable User-ID to open the Zone dialog.
3. Select the Enable User Identification check box and then click OK.

Step 8 (Optional) Configure the gateways to collect HIP reports from the Mobile Security Manager.

This step only applies if you are using the GlobalProtect Mobile Security Manager to manage mobile devices and you want to use the extended HIP data that the Mobile Security Manager collects in security policy enforcement on the gateway.

See Enable Gateway Access to the Mobile Security Manager for instructions.

Enable HIP Checking (Continued)