Amending my own request: The GlobalProtect client simply queries the updaters on the system (Windows Update, Apple Updater, and other supported system updating tools) for what updates/patches they think need to be applied and reports that information back to the firewalls to have HIP policy applied to them. The data is basically the update and sometimes (not always) the severity information.

Net: The firewalls today have no clue about the age of a given update/patch that needs to be applied, and therefore can't do a grace period.

How to make it work: In the enterprise space, using Microsoft WSUS, centralized Apple Updates, etc. allows the enterprise to control the release of updates to the workstations on a schedule of the enterprise's choosing, i.e. test updates before generally releasing them.

Net: If the central updating server doesn't release the updates, the workstations won't show as needing updates/patches, and the need for a grace period mostly disappears.

That being said, there is STILL a need for a grace period:

- For Enterprise customers, to have a bit of time between release from centralized update servers and everyone actually getting the patches.
- For BYOD or personal devices, to have a bit of time between updates being released by vendors and the devices actually receiving and applying the patches.