Configure HIP Process Remediation

1. Set up custom process checks.

   The remediation scripts you write should check whether the processes you have set up in the Custom Checks are running and, if not, execute the script and start the process.
2. Configure a HIP remediation timeout on the portal.

   1. Select NetworkGlobalProtectPortals.
   2. Select the portal configuration to which you are adding the agent configuration, and then select the Agent tab.
   3. Select the agent configuration that you want to modify, or Add a new one.
   4. Select the App tab.
   5. To enable the HIP remediation feature, set a HIP Remediation Process Timeout (sec).

      By default, this field is set to 0, indicating that the feature is disabled. Enter a value from 1-600 seconds to indicate the amount of time you want to allow for the remediation script to finish.

   6. Click OK twice to save your app and portal configurations.
   7. Commit the changes.
3. Deploy the remediation script to your endpoints using mobile device management (MDM).

   As a best practice, use standard formats for the scripts you deploy (for example, deploy shell scripts on macOS endpoints and batch scripts on Windows endpoints). The name of the script is case sensitive and must use the predefined name and location as follows:

   • Windows
     Location: \Program Files\Palo Alto Networks\GlobalProtect\
     Naming convention: hip-remediation-script.bat
   • macOS
     Location: /Applications/GlobalProtect.app/Contents/Resources/
     Naming convention: hip-remediation-script.sh
4. (Optional) Customize how the script runs on the endpoint by setting a checksum and/or a custom error message and defining the context in which the script will run.

   • macOS
     1. Calculate the sha 256 checksum: shasum -a 256 hip-remediation-script.sh.
     2. Edit the following values in the plist as needed:
        • checksum—Specify the checksum you generated
        • error-msg—Enter the custom error message you want to display to the end user when remediation fails
        • success-msg—Enter the custom error message you want to display to the end user when remediation succeeds
        • context—set to admin or user to specify the context in which to run the remediation script. By default, the script runs in the user context.
     3. Replace the GlobalProtect plist by copying the modified.plist to overwrite the default plist: sudo cp modified.plist /Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist.

     4. Stop/start PanGPS:
        launchctl stop com.paloaltonetworks.gp.pangps
        launchctl start com.paloaltonetworks.gp.pangps
   • Windows
     1. Create the checksum for the remediation script: certutil -hashfile hip-remediation-script.bat HASH256 .
     2. Deploy the registry setting using the Windows default registry editor.
        In the Windows Registry, go to: \HKEY_LOCAL_MACHINE > SOFTWARE> Palo Alto Networks > GlobalProtect > Settings > hip-remediation-script and set the following keys:In the Windows Registry, go to: \HKEY_LOCAL_MACHINE > SOFTWARE> Palo Alto Networks > GlobalProtect > Settings > hip-remediation-script and set the following keys:

        • checksum—Specify the checksum you generated
        • error-msg—Enter the custom error message you want to display to the end user when remediation fails
        • success-msg—Enter the custom error message you want to display to the end user when remediation succeeds
        • context—set to admin or user to specify the context in which to run the remediation script. By default, the script runs in the user context.
     3. To restart GlobalProtect, in the Windows Services screen, find the PanGPS service and click Restart the service.