Whenever an endpoint connects to GlobalProtect, the app presents its HIP data to the gateway. The gateway then uses this data to determine which HIP objects and/or HIP profiles the host matches. For each match, it generates a HIP Match log entry. Unlike a traffic log—which only creates a log entry if there is a policy match—the HIP Match log generates an entry whenever the raw data submitted by an app matches a HIP object and/or a HIP profile you have defined. This makes the HIP Match log a good resource for monitoring the state of the endpoints in your network over time—before attaching your HIP profiles to security policies—in order to help you determine exactly what policies you believe need enforcement.

Because a HIP Match log is only generated when the host state matches a HIP object you have created, for full visibility into the endpoint state, you may need to create multiple HIP objects to log HIP matches for endpoints that are in compliance with a particular state (for security policy enforcement purposes) as well as endpoints that are non-compliant (for visibility). For example, suppose you want to prevent an endpoint that does not have antivirus or anti-spyware software installed from connecting to the network. In this case, you would create a HIP object that matches hosts that have a particular antivirus or anti-spyware software installed. By including this object in a HIP profile and attaching it to the security policy rule that allows access from your VPN zone, you can ensure that only hosts that are protected with antivirus or anti-spyware software can connect.

In this example, you would not be able to view which endpoints are not in compliance with this requirement in the HIP Match log. If you want to view a log for endpoints that do not have antivirus or anti-spyware software installed so that you can follow up with these users, you can also create a HIP object that matches the condition where the antivirus or anti-spyware software is not installed. Because this object is only required for logging purposes, you do not need to add it to a HIP profile or attach it to a security policy rule.