How Do Users Know if Their Systems are Compliant?
GlobalProtect

End-of-Life (EoL)


By default, end users are not given any information about policy decisions that were made as a result of HIP-enabled security rule enforcement. However, you can enable this functionality by configuring HIP notification messages to display when a particular HIP profile is matched and/or not matched.
The decision as to when to display a message (that is, whether to display it when the user’s configuration matches a HIP profile in the policy or when it doesn’t match it) depends largely on your policy and what a HIP match (or non-match) means for the user. That is, does a match mean they are granted full access to your network resources? Or does it mean they have limited access due to a non-compliance issue?
For example, consider the following scenarios:
  • You create a HIP profile that matches if the required corporate antivirus and anti-spyware software packages are not installed. In this case, you might want to create a HIP notification message for users who match the HIP profile, telling them that they need to install the software (and, optionally, providing a link to the file share where they can access the installer for the corresponding software).
  • You create a HIP profile that matches if those same applications are installed. In this case, you might want to create the message for users who do not match the profile, and direct them to the location of the install package.
See Configure HIP-Based Policy Enforcement for details on how to create HIP objects and HIP profiles and use them in defining HIP notification messages.
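
The two scenarios above, modeled as an added example that is not from the original documentation or the product itself: a HIP profile is simplified to a predicate over a host's installed software, and the package names, host names, and message text are constructed. It goes slightly beyond the text by including a partially compliant host, which shows that the two designs notify the same users only when one profile is the exact negation of the other.

```python
# Simplified model (assumption): a HIP profile is a boolean test over the
# software a host reports; a notification can fire on match or on not-match.
from dataclasses import dataclass
from typing import Callable, Optional, Set

REQUIRED = {"antivirus", "anti-spyware"}  # constructed package names
INSTALL_MSG = "Install the required security software from the file share."

@dataclass
class Notification:
    profile: Callable[[Set[str]], bool]   # HIP profile as a predicate
    on_match: Optional[str] = None        # shown when the profile matches
    on_not_match: Optional[str] = None    # shown when it does not match

    def message_for(self, installed: Set[str]) -> Optional[str]:
        return self.on_match if self.profile(installed) else self.on_not_match

def missing_any(installed: Set[str]) -> bool:
    """Matches when at least one required package is absent."""
    return not REQUIRED <= installed

def all_installed(installed: Set[str]) -> bool:
    """Matches when every required package is present."""
    return REQUIRED <= installed

def missing_all(installed: Set[str]) -> bool:
    """Matches only when none of the required packages is present."""
    return not (REQUIRED & installed)

# Scenario 1: profile describes the non-compliant state; notify on match.
scenario1 = Notification(missing_any, on_match=INSTALL_MSG)
# Scenario 2: profile describes the compliant state; notify on not-match.
scenario2 = Notification(all_installed, on_not_match=INSTALL_MSG)
# Pitfall: "not installed" written as "both missing" skips partial hosts.
scenario1_strict = Notification(missing_all, on_match=INSTALL_MSG)

HOSTS = {  # constructed sample endpoints
    "compliant": {"antivirus", "anti-spyware"},
    "partial": {"antivirus"},
    "bare": set(),
}

def notified(n: Notification) -> list:
    """Names of the sample hosts that would see a message."""
    return sorted(h for h, sw in HOSTS.items() if n.message_for(sw))

if __name__ == "__main__":
    for name, n in [("scenario1", scenario1), ("scenario2", scenario2),
                    ("scenario1_strict", scenario1_strict)]:
        print(f"{name}: {notified(n)}")
```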