Objects > GlobalProtect > HIP Profiles
Table of Contents
Expand all | Collapse all
-
- Objects > Addresses
- Objects > Address Groups
- Objects > Regions
- Objects > Dynamic User Groups
- Objects > Application Groups
- Objects > Application Filters
- Objects > Services
- Objects > Service Groups
- Objects > Devices
- Objects > External Dynamic Lists
- Objects > Custom Objects > Spyware/Vulnerability
- Objects > Custom Objects > URL Category
- Objects > Security Profiles > Antivirus
- Objects > Security Profiles > Anti-Spyware Profile
- Objects > Security Profiles > Vulnerability Protection
- Objects > Security Profiles > File Blocking
- Objects > Security Profiles > WildFire Analysis
- Objects > Security Profiles > Data Filtering
- Objects > Security Profiles > DoS Protection
- Objects > Security Profiles > Mobile Network Protection
- Objects > Security Profiles > SCTP Protection
- Objects > Security Profile Groups
- Objects > Log Forwarding
- Objects > Authentication
- Objects > Decryption > Forwarding Profile
- Objects > Schedules
-
-
- Firewall Interfaces Overview
- Common Building Blocks for Firewall Interfaces
- Common Building Blocks for PA-7000 Series Firewall Interfaces
- Tap Interface
- HA Interface
- Virtual Wire Interface
- Virtual Wire Subinterface
- PA-7000 Series Layer 2 Interface
- PA-7000 Series Layer 2 Subinterface
- PA-7000 Series Layer 3 Interface
- Layer 3 Interface
- Layer 3 Subinterface
- Log Card Interface
- Log Card Subinterface
- Decrypt Mirror Interface
- Aggregate Ethernet (AE) Interface Group
- Aggregate Ethernet (AE) Interface
- Network > Interfaces > VLAN
- Network > Interfaces > Loopback
- Network > Interfaces > Tunnel
- Network > Interfaces > SD-WAN
- Network > VLANs
- Network > Virtual Wires
-
- Network > Network Profiles > GlobalProtect IPSec Crypto
- Network > Network Profiles > IPSec Crypto
- Network > Network Profiles > IKE Crypto
- Network > Network Profiles > Monitor
- Network > Network Profiles > Interface Mgmt
- Network > Network Profiles > QoS
- Network > Network Profiles > LLDP Profile
- Network > Network Profiles > SD-WAN Interface Profile
-
-
- Device > Setup
- Device > Setup > Management
- Device > Setup > Interfaces
- Device > Setup > Telemetry
- Device > Setup > Content-ID
- Device > Setup > WildFire
- Device > Setup > DLP
- Device > Log Forwarding Card
- Device > Config Audit
- Device > Administrators
- Device > Admin Roles
- Device > Access Domain
- Device > Authentication Sequence
- Device > Device Quarantine
-
- Security Policy Match
- QoS Policy Match
- Authentication Policy Match
- Decryption/SSL Policy Match
- NAT Policy Match
- Policy Based Forwarding Policy Match
- DoS Policy Match
- Routing
- Test Wildfire
- Threat Vault
- Ping
- Trace Route
- Log Collector Connectivity
- External Dynamic List
- Update Server
- Test Cloud Logging Service Status
- Test Cloud GP Service Status
- Device > Virtual Systems
- Device > Shared Gateways
- Device > Certificate Management
- Device > Certificate Management > Certificate Profile
- Device > Certificate Management > OCSP Responder
- Device > Certificate Management > SSL/TLS Service Profile
- Device > Certificate Management > SCEP
- Device > Certificate Management > SSL Decryption Exclusion
- Device > Certificate Management > SSH Service Profile
- Device > Response Pages
- Device > Server Profiles
- Device > Server Profiles > SNMP Trap
- Device > Server Profiles > Syslog
- Device > Server Profiles > Email
- Device > Server Profiles > HTTP
- Device > Server Profiles > NetFlow
- Device > Server Profiles > RADIUS
- Device > Server Profiles > TACACS+
- Device > Server Profiles > LDAP
- Device > Server Profiles > Kerberos
- Device > Server Profiles > SAML Identity Provider
- Device > Server Profiles > DNS
- Device > Server Profiles > Multi Factor Authentication
- Device > Local User Database > Users
- Device > Local User Database > User Groups
- Device > Scheduled Log Export
- Device > Software
- Device > Dynamic Updates
- Device > Licenses
- Device > Support
- Device > Policy Recommendation
-
- Network > GlobalProtect > MDM
- Network > GlobalProtect > Clientless Apps
- Network > GlobalProtect > Clientless App Groups
- Objects > GlobalProtect > HIP Profiles
-
- Use the Panorama Web Interface
- Context Switch
- Panorama Commit Operations
- Defining Policies on Panorama
- Log Storage Partitions for a Panorama Virtual Appliance in Legacy Mode
- Panorama > Setup > Interfaces
- Panorama > High Availability
- Panorama > Administrators
- Panorama > Admin Roles
- Panorama > Access Domains
- Panorama > Device Groups
- Panorama > Plugins
- Panorama > Log Ingestion Profile
- Panorama > Log Settings
- Panorama > Server Profiles > SCP
- Panorama > Scheduled Config Export
End-of-Life (EoL)
Objects > GlobalProtect > HIP Profiles
Select ObjectsGlobalProtectHIP Profiles to
create the HIP profiles—a collection of HIP objects to be evaluated
together either for monitoring or for Security policy enforcement—that
you use to set up HIP-enabled security policies. When creating HIP
profiles, you can combine the HIP objects you previously created
(as well as other HIP profiles) by using Boolean logic, so that
when a traffic flow is evaluated against the resulting HIP profile,
it will either match or not match. Upon a match, the corresponding
policy rule is enforced; if there is no match, the flow is evaluated
against the next rule (as with any other policy matching criteria).
To create a HIP profile, click Add. The
following table provides information on what to enter in the fields
in the HIP Profile dialog. For more detailed information on setting
up GlobalProtect and the workflow for creating HIP-augmented security
policies, refer to Configure HIP-Based Policy Enforcement in
the GlobalProtect Administrator’s Guide.
HIP Profile Settings | Description |
|---|---|
Name | Enter a name for the profile (up to 31 characters).
The name is case-sensitive and must be unique. Use only letters,
numbers, spaces, hyphens, and underscores. |
Description | (Optional) Enter a description. |
Shared | Select Shared to
make the current HIP profile available to:
After
you save the profile, you cannot change its Shared setting. Select ObjectsGlobalProtectHIP Profiles to view the current Location. |
Disable override (Panorama only) | Controls override access to the HIP profile
in device groups that are descendants of the Device Group selected
in the Objects tab. Select this option if
you want to prevent administrators from creating local copies of
the profile in descendant device groups by overriding its inherited
values. This option is cleared by default (override is enabled). |
Match | Click Add Match Criteria to
open the HIP Objects/Profiles Builder. Select the first HIP
object or profile you want to use as match criteria and then add
( 
Continue adding match criteria as appropriate
for the profile you are building, and ensure you select the appropriate
Boolean operator (AND or OR)
between each addition (and using the NOT operator
when appropriate). To create a complex Boolean expression,
you must manually add the parenthesis in the proper places in the Match text
box to ensure that the HIP profile is evaluated using the intended
logic. For example, the following expression indicates that the
HIP profile will match traffic from a host that has either FileVault
disk encryption (Mac OS systems) or TrueCrypt disk encryption (Windows
systems) and also belongs to the required Domain and has a
Symantec antivirus client installed: ((“MacOS” and “FileVault”) or (“Windows” and “TrueCrypt”)) and “Domain” and “SymantecAV” When
you have finished adding the objects and profiles to the new HIP
profile, click OK. |