Error:
An unexpected error occurred. Please click Reload to try again.
Error:
An unexpected error occurred. Please click Reload to try again.
How to create a custom HIP check for a running process - Knowledge Base - Palo Alto Networks

How to create a custom HIP check for a running process

29147
Created On 08/20/21 01:21 AM - Last Modified 08/25/21 20:26 PM


Objective


HIP-based policy enforcement can collect the name of running processes on the user's system. You can set security policy rules to only allow traffic from the user if their system has a certain process running. This how-to guide walks through configuring the GP Portal to collect running process names and then enforcing the requirement in security policy rules on the GP Gateway.

Environment


  • GlobalProtect Agent for Windows or Mac (version 5.1+ currently supported)
  • PAN-OS (version 8.1+ currently supported)
  • Any Palo Alto Networks firewall operating as a GlobalProtect Portal and Gateway


Procedure


  1. Determine what process name is running on the user's system which you want to enforce for connections to the gateway:
    • In the example below we have used the Activity Monitor in macOS to find a process named 'JamfDaemon':
      activitymonitor in macos
    • We want 'JamfDaemon' to be running, otherwise we want the GP Gateway to deny sessions from the user
    • You can find similar processes running in Windows using the Task Manager:
      TaskManager in windows
  2. Configure the Portal to include this process name in the HIP report. This is configured in the Portal's Agent HIP Data Collection Tab:
    • Network > GlobalProtect > Portals > [portal config] > Agent > [agent-config] > Data Collection > Custom Checks
      data collection tab

    • Enter the process name only, as seen above, in the 'Process List' for the appropriate operating system (Windows vs. Mac).
  3. Create a HIP Object for the custom check on the GlobalProtect Gateway
    • Objects > GlobalProtect > HIP Objects > [hip-object] > Custom Checks
      hip-object

    • Enter the same process name, as seen above, into the Custom Checks Process List and ensure the 'running' box is checked if you want the user machine to have this process running for enforcement.
  4. Add the HIP Object to a HIP Profile which will be used in security policies
    • Objects > GlobalProtect > HIP Profiles
      hip profile
    • Add the name of your new HIP object into the Match criteria of the profile, as seen above
  5. Use the HIP Profile in a security policy rule (if it isn't already there)
    • Policies > Security > [security-rule] > User > HIP Profiles
      security rule

    • Add the HIP profile into the HIP Profiles section of the User tab, as seen above


Additional Information




Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000oMQuCAM&lang=en_US%E2%80%A9&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language