What Data Does the GlobalProtect App Collect?
Focus
Focus
GlobalProtect

What Data Does the GlobalProtect App Collect?

Table of Contents

What Data Does the GlobalProtect App Collect?

The GlobalProtect app collects data about security packages and host information installed on the device, such as patch management, firewalls, anti-malware software, and disk backup and encryption.
By default, the GlobalProtect app collects vendor-specific data about the end user security packages that are running on the endpoint (as compiled by the OPSWAT global partnership program) and reports this data to the GlobalProtect gateway for policy enforcement. See the GlobalProtect 5.1 OPSWAT Support table, GlobalProtect 5.2 OPSWAT Support table, GlobalProtect 6.0 OPSWAT Support table, or GlobalProtect 6.1 OPSWAT Support table for details about the third-party vendor products that GlobalProtect can detect using the specified OPSWAT SDK.
Starting with GlobalProtect app 5.2.6, support for OPSWAT SDK V3 (end-of-life) will be removed and the GlobalProtect app will only use OPSWAT SDK V4. Vendor and product names are based on OPSWAT SDK V4. GlobalProtect app 5.2.6 and later release HIP check functionality will not work with PAN-OS 8.0 (end-of-life) and earlier releases (end-of-life). GlobalProtect app 5.2.6 and later release HIP check functionality will work as expected with PAN-OS 8.1 and later releases.
Because security software must continually evolve to ensure end user protection, your GlobalProtect gateway licenses also enable you to receive dynamic updates for the GlobalProtect data file with the latest patch and software versions available for each package.
The GlobalProtect data file contains the list of anti-malware products with corresponding lists of historical versions and definition update versions for each product. GlobalProtect data file is not used to populate the details of products such as the list of operating systems and anti-malware software while configuring HIP Objects on the firewall. These details are obtained through regular app or threat content updates.
For example, the GlobalProtect data file is used to:
  • Match the HIP object for the specified definition version of the specific product using the Within option. For example Within = 4, which would imply the latest version and three versions below would be acceptable.
  • Match the latest product version using the Within option. For example,Within =1 (one is grayed out for version matching as the only available option).
To be able to perform comparisons as listed above, the firewall should have an up to date GlobalProtect data file.
The GlobalProtect Data file is used for specific HIP Objects when you use the Within condition while configuring HIP objects on the firewall.
By default, the app collects data about the following categories of information to help identify the security state of the host:
Table: Data Collection Categories
Category
Data Collected
General
Information about the host itself, including the hostname, logon domain, operating system, app version, and, for Windows systems, the domain to which the machine belongs.
For Windows endpoints’ domain, the GlobalProtect app collects the domain defined for ComputerNameDnsDomain, which is the DNS domain assigned to the local computer or the cluster associated with the local computer. This data is displayed for the Windows endpoints’ Domain in the HIP Match log details (MonitorLogsHIP Match).
Mobile Device
Information about the mobile device, including the device name, logon domain, operating system, app version, and information about the network to which the device is connected. In addition, GlobalProtect collects information on whether the device is rooted or jailbroken.
To collect mobile device attributes and utilize them in HIP enforcement policies, GlobalProtect requires an MDM server. GlobalProtect currently supports HIP integration with the Workspace ONE MDM server.
For devices managed by Workspace ONE, host information collected by the GlobalProtect app can be supplemented with additional information collected from the Workspace ONE service. Refer to Configure Windows User-ID Agent to Collect Host Information for a list of attributes that can be retrieved from Workspace ONE.
Patch Management
Information about any patch management software that is enabled and/or installed on the host and whether there are any missing patches.
If you want to configure the Severity value for missing patches as a match condition in your HIP object (ObjectsGlobalProtectHIP Objects<hip-object>Patch ManagementCriteria), use the following mappings between the GlobalProtect severity values and the OPSWAT severity ratings to understand what each value means:
  • 0—Low
  • 1—Moderate
  • 2—Important
  • 3—Critical
Firewall
Information about any firewalls that are installed and/or enabled on the host.
Anti-Malware
Information about any antivirus or anti-spyware software that is enabled and/or installed on the endpoint, whether or not real-time protection is enabled, the virus definition version, last scan time, and the vendor and product name.
GlobalProtect uses OPSWAT technology to detect and assess third-party security applications on the endpoint. By integrating with the OPSWAT OESIS framework, GlobalProtect enables you to assess the compliance state of the endpoint. For example, you can define HIP objects and HIP profiles that verify the presence of a specific version of antivirus software from a specific vendor on the endpoint and also ensure that it has the latest virus definition files.
OPSWAT is unable to detect the following Anti-Malware information for the Gatekeeper security feature on macOS endpoints:
  • Engine Version
  • Definition Version
  • Date
  • Last Scanned
Disk Backup
Information about whether disk backup software is installed, the last backup time, and the vendor and product name of the software.
Disk Encryption
Information about whether disk encryption software is installed, which drives and/or paths are configured for encryption, and the vendor and product name of the software.
(Requires GlobalProtect app 5.2) If you want to view the encryption status of all drives and/or paths on the endpoint, you must manually enter All as the Encrypted Locations when creating the HIP object for the Disk Encryption category. To verify if all drives or paths are encrypted, you must set the Encrypted Locations to All and set the State to Is encrypted from the drop-down.
Data Loss Prevention
Information about whether data loss prevention (DLP) software is installed and/or enabled to prevent sensitive corporate information from leaving the corporate network or from being stored on a potentially insecure device. This information is only collected from Windows endpoints.
Certificate
Information about the machine certificate installed on the endpoint.
Custom Checks
Information about whether specific registry keys (Windows only), property lists (plists) (macOS only), process lists (Linux only), OR operating system processes and user-space application processes are present.
You can exclude certain categories of information from being collected on certain hosts to save CPU cycles and improve response time. To do this, create an agent configuration on the portal, and then exclude the categories you are not interested in (NetworkGlobalProtectPortals<portal-config>Agent<agent-config>Data Collection). For example, if you do not plan on creating policies based on whether or not endpoints run disk backup software, you can exclude that category to prevent the app from collecting any information about disk backup.
You can also exclude information from being collected on personal endpoints in order to provide user privacy. For example, you can exclude the list of apps installed on endpoints that are not managed by a third-party mobile device manager.