How to Configure HIP Custom Check to Match When Registry Key is Missing or has Different Value

44073
Created On 09/26/18 20:33 PM - Last Modified 02/07/19 23:37 PM

Resolution

Steps

  1. Configure a HIP object using the specified registry key, registry value and value data as seen in the example below:
    The registry key in this example is: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\snapshot.exe
    The registry value is: LOADCOLUMNHANDLER, and the value data is: 123
    From the WebGUI, go to Object > GlobalProtect > HIP Objects, click Add > Custom Checks > Registry Key.
    [Screenshot: HIP_Object_B.png]
  2. Configure a HIP Profile using the HIP object created above, combining the 'and' and 'not' operators as seen below:
    For this example two profiles were created: one that matches when the registry check succeeds (HIP_registry_match) and another (HIP_registry_profile_NO_match) that matches when it does not.
    The second profile matches when the registry key does not exist or the data value is not equal to the value data configured above (123).
    Go to Object > GlobalProtect > HIP Profile, click Add, specify a Name and select Add Match Criteria.
    [Screenshot: HIP_Profile_NO_match_B.png]
  3. In the GlobalProtect Portal configuration, add the same registry key and registry value that were configured in the HIP object.
    Go to Network > GlobalProtect > Portals and click Add > Client Configuration > Data Collection > Custom Checks.
    The following example shows a configured Windows custom check.
    [Screenshot: GP_portal_config_B.png]
  4. Configure the Security Policy and add the HIP Profiles configured above. In the following example two rules are added. The first rule uses the HIP profile "HIP_registry_profile_NO_match" and the rule below it uses the HIP Profile "HIP_registry_match". The first rule applies when the registry check does not match, denying traffic. The second rule applies when it does match:
    [Screenshot: SecurityPolicy_B.png]
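As an added example that is not part of this article, the following PowerShell check, run on a Windows endpoint, evaluates the same condition the HIP object above checks (key present, value present, data equal to 123) and reports which of the two HIP profiles should match that host; the function name, the HKLM: drive form of the key path and the string comparison of the data are assumptions of this example, not part of the GlobalProtect configuration.

```powershell
# Added example: evaluate the article's registry check locally so an admin can
# confirm why an endpoint lands in HIP_registry_match or HIP_registry_profile_NO_match.
# Function name, HKLM: path form and string comparison are assumptions of this example.
function Test-HipRegistryCheck {
    param(
        [string]$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\snapshot.exe',
        [string]$ValueName = 'LOADCOLUMNHANDLER',
        [string]$Expected  = '123'
    )

    $keyExists   = Test-Path -LiteralPath $KeyPath
    $valueExists = $false
    $data        = $null

    if ($keyExists) {
        # Get-ItemProperty errors when the value name is absent; treat that as "missing".
        try {
            $data        = (Get-ItemProperty -LiteralPath $KeyPath -Name $ValueName -ErrorAction Stop).$ValueName
            $valueExists = $true
        } catch {
            $valueExists = $false
        }
    }

    # The HIP object matches only when key and value exist and the data equals the
    # expected value. Comparing as a string is an assumption; adjust for REG_DWORD
    # data if a numeric comparison is required.
    $match = $keyExists -and $valueExists -and ([string]$data -eq $Expected)

    # The second profile applies the 'not' operator: it matches when the key is
    # missing, the value is missing, or the data differs from 123.
    if ($match) { $profile = 'HIP_registry_match' } else { $profile = 'HIP_registry_profile_NO_match' }

    [pscustomobject]@{
        KeyPath         = $KeyPath
        KeyExists       = $keyExists
        ValueExists     = $valueExists
        Data            = $data
        HipObjectMatch  = $match
        MatchingProfile = $profile
    }
}

# Usage: run on the endpoint whose HIP report you are troubleshooting.
Test-HipRegistryCheck | Format-List
```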

owner: rborda
