How to create a custom HIP check for a running process
Created On 08/20/21 01:21 AM - Last Modified 08/25/21 20:26 PM
Objective
HIP-based policy enforcement can collect the name of running processes on the user's system. You can set security policy rules to only allow traffic from the user if their system has a certain process running. This how-to guide walks through configuring the GP Portal to collect running process names and then enforcing the requirement in security policy rules on the GP Gateway.
Environment
- GlobalProtect Agent for Windows or Mac (version 5.1+ currently supported)
- PAN-OS (version 8.1+ currently supported)
- Any Palo Alto Networks firewall operating as a GlobalProtect Portal and Gateway
Procedure
- Determine which process running on the user's system you want to require for connections to the gateway:
  - In this example we used the Activity Monitor in macOS to find a process named 'JamfDaemon'.
  - We want 'JamfDaemon' to be running; otherwise we want the GP Gateway to deny sessions from the user.
  - You can find similar processes running in Windows using the Task Manager.
- Configure the Portal to include this process name in the HIP report. This is configured in the Portal's Agent HIP Data Collection tab:
  - Network > GlobalProtect > Portals > [portal config] > Agent > [agent-config] > Data Collection > Custom Checks
  - Enter the process name only, as seen above, in the 'Process List' for the appropriate operating system (Windows vs. Mac).
- Create a HIP Object for the custom check on the GlobalProtect Gateway:
  - Objects > GlobalProtect > HIP Objects > [hip-object] > Custom Checks
  - Enter the same process name, as seen above, into the Custom Checks Process List and ensure the 'running' box is checked if you want the user machine to have this process running for enforcement.
- Add the HIP Object to a HIP Profile which will be used in security policies:
  - Objects > GlobalProtect > HIP Profiles
  - Add the name of your new HIP object into the Match criteria of the profile, as seen above.
- Use the HIP Profile in a security policy rule (if it isn't already there):
  - Policies > Security > [security-rule] > User > HIP Profiles
  - Add the HIP profile into the HIP Profiles section of the User tab, as seen above.
Additional Information
- For custom registry checks refer to How to Configure GlobalProtect for Custom Registry Check on Windows.
- For more details on the initial deployment of HIP, refer to HIP-based policy enforcement.