Purpose
This document explains how to configure Endpoint Information Profiles (EIP) and how they can be used within a SASE deployment.
Overview
Endpoint Information Profiles (EIPs) help enforce security compliance on endpoint devices before they are allowed to access enterprise applications and resources. They provide visibility into endpoint posture and ensure devices meet organizational security requirements.
An EIP deployment is typically built using the following three components for each tenant:
- EIP Agent Profiles – Define the conditions under which the SASE client extracts information from endpoint devices. When you configure a SASE portal policy, you associate the agent profile with the enforcement action in the policy.
- EIP Objects – Define the validation criteria used to evaluate the data reported by endpoint devices.
- EIP Profiles – Group one or more EIP objects into a single profile that can be used for posture assessment, monitoring, and policy enforcement.
Endpoint compliance can be enforced by attaching the EIP profile to security policies or secure access gateway policies.

Key Considerations
- Verify that the endpoint is running a supported and compliant SASE client version.
- Portal re-registration occurs automatically when the portal lifetime expires, and the EIP agent profile is delivered during the registration process.
- By default, EIP posture information is sent to gateways every 10 minutes. You can change this value under the client controls setting "Posture check interval time"; the posture check interval defines how often EIP data is sent to gateways.
- The EIP data collection timer is half of the posture check interval and must be a whole number, so the minimum posture check interval is 2 minutes. If the posture check interval is set to 1 minute, the SASE client throws an error during connection.
- The SASE client always sends a full update (all data collected by the EIP agent) to the gateway rather than incremental data, because the gateway does not cache EIP data.
- If the endpoint posture has not changed, no EIP data is sent to the gateway, although the data is still collected on the SASE client. The client compares a hash of the EIP data to determine whether the posture has changed.
- The "Versa recommended" EIP agent profile is built into the SASE client, so the client collects all information defined in that profile before registration (pre-registration phase).
- A portal policy can use an EIP profile as a matching condition based on the Versa recommended EIP agent profile. EIP agent profiles are configured only under portal policy.
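The following Python simulation, added here and not part of the SASE client, walks through the timer and hash behaviour above: collection every half interval, a send only when the hash of the full data has changed, and rejection of a 1-minute interval. The dict shape of the posture data and the SHA-256-over-canonical-JSON hashing are assumptions.

```python
# Added illustration of the reporting cadence described above; not Versa client code.
# Assumption: posture data is a dict of category -> {attribute: value}.
import hashlib
import json


def collection_interval(posture_check_minutes: int) -> int:
    """Collection timer is half the posture check interval and must be a whole
    number of minutes, so 2 minutes is the smallest valid posture check interval.
    (Rounding down for odd values is an assumption; the page documents only the
    1-minute failure.)"""
    if posture_check_minutes < 2:
        raise ValueError(f"posture check interval {posture_check_minutes} min is too small")
    return posture_check_minutes // 2


def posture_digest(posture: dict) -> str:
    """Hash of the canonicalized EIP data, used to decide whether posture changed.
    Canonical JSON means attribute order alone never looks like a change."""
    canonical = json.dumps(posture, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def simulate_reporting(posture_check_minutes: int, initial: dict, changes: dict, horizon: int) -> list:
    """Walk minute by minute and return the minutes at which a full update was sent.
    changes maps minute -> new posture (constructed input); the gateway keeps no
    cache, so every send carries the complete posture, never a delta."""
    collect_every = collection_interval(posture_check_minutes)
    current, collected, sent = initial, None, None
    sent_at = []
    for minute in range(horizon + 1):
        current = changes.get(minute, current)
        if minute % collect_every == 0:
            collected = posture_digest(current)  # collected locally every half interval
        if minute % posture_check_minutes == 0 and collected != sent:
            sent_at.append(minute)  # hash differs: ship the full snapshot
            sent = collected
    return sent_at


# Constructed sample: VNC running at start, stopped at minute 3, and a re-ordered
# but identical report at minute 7 (must not trigger a send).
VNC_RUNNING = {"remote-control": {"installed": True, "running": True}}
VNC_STOPPED = {"remote-control": {"installed": True, "running": False}}
SAME_REORDERED = {"remote-control": {"running": False, "installed": True}}

if __name__ == "__main__":
    print(simulate_reporting(2, VNC_RUNNING, {3: VNC_STOPPED, 7: SAME_REORDERED}, 10))
```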
Lab Scenario
In this example, access will be blocked when a VNC application is detected as running on the endpoint and allowed when the application is not active.
Step 1: Configure EIP Agent Profiles
In an EIP agent profile, you define, for each security-related category, when the SASE client should extract that information from endpoint devices. Secure access portal policy rules must reference an EIP agent profile for the SASE client to export EIP data to the gateway.
Select Objects and Connectors > Objects > Custom Objects > SASE Client > EIP Agent Profiles in the left menu bar.
For the remote control category, extract the software configuration, installation, or running status.

Step 2: Configure EIP Objects
Validation of an EIP object is an AND operation across all of its configured matching criteria.
Configure an EIP object with the running status set to False for the remote control category. False: perform validation, and if the endpoint reports the status as False, the match is successful.

Configure an EIP object with the running status set to True for the remote control category.

Step 3: Configure EIP Profiles
Select Objects & Connectors > Objects > Custom Objects > EIP Profiles in the left menu bar.
Select the General tab, and enter information for the following fields. You must create at least one rule; otherwise, the configuration commit fails. In an EIP profile, for a given category in a rule, matching against the EIP objects (user-defined or predefined) is an OR operation: if any one EIP object under that category matches, the category is considered a successful match.
Note: An EIP profile with multiple rules is evaluated in order, starting with the first rule. The EIP profile match is considered successful as soon as a rule matches, and the search through the remaining rules ends. This is an OR operation across the rules of an EIP profile.


We have configured the EIP posture check interval to 2 minutes for testing purposes. This means EIP data is collected on the endpoint every 1 minute and sent to gateways every 2 minutes.

Step 4: Associate an EIP Agent Profile with a Secure Access Portal Policy
To enforce an endpoint agent profile, associate predefined or user-defined EIP agent profiles with secure access gateway portal policy rules. Secure access portal and secure access gateway policy rules do not have an implicit deny.

Step 5: Associate the EIP Profile with Policy Rules
To enforce an endpoint profile, associate predefined or user-defined EIP profiles with SD-WAN policy rules, decryption policy rules, security policy rules, and secure access gateway policy rules.

Note: For policy rules such as NGFW access policy rules and secure access gateway policy rules, if any of the configured EIP profiles is a successful match, the policy rule is considered matched.
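As an added illustration (not Versa code) of the AND/OR semantics from Steps 2 and 3 and the note above, this Python model evaluates constructed posture reports against EIP objects, EIP profiles and an ordered policy; the posture dict shape and the top-down, first-match policy ordering are assumptions.

```python
# Added model of the EIP match semantics described in Steps 2 and 3 and in the note
# above; not Versa code. Assumed posture report shape: {category: {attribute: value}}.
from dataclasses import dataclass

@dataclass
class EipObject:
    """Validation criteria for one category; every criterion must match (AND)."""
    name: str
    category: str
    criteria: dict

    def matches(self, posture: dict) -> bool:
        reported = posture.get(self.category, {})  # unreported category never matches
        return all(reported.get(k) == v for k, v in self.criteria.items())

@dataclass
class EipRule:
    """One profile rule: within a category any listed object may match (OR)."""
    name: str
    objects: list

    def matches(self, posture: dict) -> bool:
        by_cat = {}
        for obj in self.objects:
            by_cat.setdefault(obj.category, []).append(obj)
        # Every category the rule mentions must be satisfied by at least one object.
        return all(any(o.matches(posture) for o in objs) for objs in by_cat.values())

@dataclass
class EipProfile:
    """Rules are evaluated in order; the first matching rule ends the search (OR)."""
    name: str
    rules: list

    def first_match(self, posture: dict):
        return next((r.name for r in self.rules if r.matches(posture)), None)

def evaluate_policy(policy_rules: list, posture: dict):
    """policy_rules: ordered (action, [EipProfile, ...]) pairs. A policy rule matches if
    any of its EIP profiles matches; returns the first match's action, else None (no
    implicit deny). Top-down ordering is an assumption."""
    for action, profiles in policy_rules:
        if any(p.first_match(posture) is not None for p in profiles):
            return action
    return None

# Lab scenario from this page, built with the classes above (constructed names).
RC_STOPPED = EipObject("rc-not-running", "remote-control", {"running": False})
RC_RUNNING = EipObject("rc-running", "remote-control", {"running": True})
COMPLIANT = EipProfile("compliant", [EipRule("no-remote-control", [RC_STOPPED])])
NONCOMPLIANT = EipProfile("noncompliant", [EipRule("remote-control-active", [RC_RUNNING])])
LAB_POLICY = [("allow", [COMPLIANT]), ("deny", [NONCOMPLIANT])]
```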

Validation
Registration succeeds because no EIP profile is matched at the portal level.

Check the status of the VNC server program. Because it is running, the connection to the gateway is denied.

EIP data sent by the SASE client

EIP data received by the gateway
vsh connect vsmd
show saccess session history all (in 22.1.2 this CLI command changed to show saccess session history gateway all)
show saccess session history id <number> (in 22.1.2 this CLI command changed to show saccess session history gateway id 108)

Now stop the VNC server and test the connection again. Wait at least 2 minutes before reconnecting, because the posture check interval was set to 2 minutes.

Connect to the gateway again.

You can also check the EIP logs on Analytics.
