How to create a custom HIP check for a running process

Created On 08/20/21 01:21 AM - Last Modified 07/29/25 09:04 AM


Objective


Using Host Information Profile (HIP) checks, you can enforce security policies based on the processes running on a user's system. This enables you to grant access only to endpoints that are running required applications, such as antivirus or other security software.

This guide will walk you through the two main steps:

  1. Configuring the GlobalProtect Portal to collect the list of running processes.
  2. Creating security policy rules on the GlobalProtect Gateway to enforce the requirement.


Environment


  • GlobalProtect Agent for Windows or Mac (version 5.1+ currently supported)
  • PAN-OS (version 8.1+ currently supported)
  • Any Palo Alto Networks firewall operating as a GlobalProtect Portal and Gateway


Procedure


  1. Determine the name of the process that must be running on the user's system for connections to the gateway to be allowed:
    • In this example, we used the Activity Monitor in macOS to find a process named 'JamfDaemon':
      [Screenshot: Activity Monitor in macOS]
    • We want 'JamfDaemon' to be running; otherwise, we want the GP Gateway to deny sessions from the user.
    • You can find similar processes running in Windows using the Task Manager:
      [Screenshot: Task Manager in Windows]
  2. Configure the Portal to include this process name in the HIP report. This is configured in the Portal's Agent HIP Data Collection Tab:
    • Network > GlobalProtect > Portals > [portal config] > Agent > [agent-config] > Data Collection > Custom Checks
      [Screenshot: Data Collection tab]

    • Enter the process name only, as seen above, in the 'Process List' for the appropriate operating system (Windows vs. Mac).
  3. Create a HIP Object for the custom check on the GlobalProtect Gateway:
    • Objects > GlobalProtect > HIP Objects > [hip-object] > Custom Checks
      [Screenshot: HIP Object]

    • Enter the same process name, as seen above, into the Custom Checks Process List and ensure the 'running' box is checked if you want the user machine to have this process running for enforcement.
  4. Add the HIP Object to a HIP Profile which will be used in security policies:
    • Objects > GlobalProtect > HIP Profiles
      [Screenshot: HIP Profile]
    • Add the name of your new HIP object into the Match criteria of the profile, as seen above
  5. Use the HIP Profile in a security policy rule (if it isn't already there):
    • Policies > Security > [security-rule] > User > HIP Profiles
      [Screenshot: security rule]

    • Add the HIP profile into the HIP Profiles section of the User tab, as seen above
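
Before entering the name in the Process List (step 2) and in the HIP Object (step 3), you can confirm the exact string on a Mac endpoint from the command line. The following is an added example, not part of the original article: `ps` can report full executable paths, so the function reduces each entry to the name only and flags a candidate that differs from the running process only in letter case. The function names and the sample listing (including its paths) are constructed for illustration.

```shell
#!/bin/sh
# Added example: check a candidate process name against a process listing
# before typing it into the Portal Process List and the HIP Object.
#
# stdin : one executable path or name per line (e.g. from `ps -axo comm=`)
# $1    : the name you intend to enter
# stdout: "exact", "case-mismatch:<name as running>", or "absent"
check_process_name() {
    want=$1
    awk -v want="$want" '
        {
            line = $0
            sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
            # Keep only the last path component: the "process name only".
            n = split(line, parts, "/")
            name = parts[n]
            if (name == want) {
                exact = 1
            } else if (tolower(name) == tolower(want) && near == "") {
                near = name      # same letters, different case
            }
        }
        END {
            if (exact)           print "exact"
            else if (near != "") print "case-mismatch:" near
            else                 print "absent"
        }'
}

# Constructed sample listing (paths are illustrative, not from a real host).
sample_listing() {
    cat <<'EOF'
/sbin/launchd
/usr/local/example/bin/JamfDaemon
/Applications/Example.app/Contents/MacOS/Example Helper
/usr/sbin/syslogd
EOF
}

# On a real Mac endpoint:
#   ps -axo comm= | check_process_name JamfDaemon
```

A result of `case-mismatch` or `absent` means the string should be rechecked against Activity Monitor before it is entered in both places.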

