Configuring Real-Time Endpoint Information Profiles
For supported software information, click here.
Real-time endpoint information profiles (RT-EIP) extend the standard EIP capabilities by enabling near-real-time security posture updates from the Versa SASE client to the gateway. EIP provides a full device security posture snapshot every 10 minutes, while RT-EIP delivers incremental security posture changes every 10 seconds, enabling rapid detection of security state changes on endpoint devices.
RT-EIP is designed for continuous compliance enforcement in zero-trust environments where immediate detection of posture drift is critical, such as when a user disables the firewall or anti-malware protection. You can use RT-EIP to do the following:
- Firewall compliance—Detect within seconds when a user disables the host firewall and restrict network access.
- Antimalware monitoring—Identify endpoints where real-time anti-malware protection is disabled.
- EDR agent verification—Ensure that endpoint security agents, such as CrowdStrike or Carbon Black, remain running.
- Certificate compliance—Monitor certificate changes on managed devices.
- Process monitoring—Track the execution of critical processes on endpoints to enforce security policies.
- Windows Registry key monitoring—Monitor Windows Registry keys and their corresponding values.
The following table provides a comparison between standard EIP and RT-EIP.
| | Standard EIP | RT-EIP |
|---|---|---|
| Default interval | 10 minutes | 10 seconds |
| Data transmission | Full posture snapshot | Incremental delta only |
| Purpose | Baseline compliance assessment | Rapid posture change detection |
| Relationship | Standalone report | Incremental report based on the last standard EIP report |
For more information about standard EIP, see Configure Endpoint Information Profiles.
RT-EIP Monitoring
RT-EIP monitors endpoint attributes and reports on changes that occur. The following table lists the fields that RT-EIP monitors, with associated EIP categories, attributes, and reported data.
| EIP Category | Sub-category | EIP Attribute | Data Reported |
|---|---|---|---|
| Management | | management_status | Indicates whether the device is managed or unmanaged |
| Custom | Registry | | List of all registry keys and their corresponding values |
| Custom | Files | | Full list of Windows file entries |
| Custom | Process | | Full list of running processes |
| Firewall | | is_running | Running status of each installed firewall software |
| Antimalware | | realtime_protection_status | Status of real-time protection for each installed anti-malware software |
| Mobile | | malware_app | Boolean value indicating whether malware is detected on the mobile endpoint device |
| Endpoint_security | | is_running | Running and connection status of each installed endpoint security software |
| Certificate | | is_valid | Complete list of qualified certificates and all certificate fields |
Configuration
You can configure RT-EIP on the server side when you configure the secure access profile, which is pushed to the SASE client during client registration. You cannot enable RT-EIP directly from the SASE client application. For more information about configuring RT-EIP, see Create a SASE Client Configuration for Secure Client-Based Access.
To configure RT-EIP, you do the following:
- Associate a secure access profile with secure client access (SCA) rules.
  - Go to Configure > Secure Services Edge > Secure Access > Client-based Access > Policy Rules.
  - Click the Add icon to create a new SCA rule or select an existing rule to edit.
  - In the Create Secure Client Access Rule screen, select workflow step 7, Client Configuration.
  - Click the down-arrow in the Secure Client Access Profile section, and then choose a profile. To add a new profile, click Add New Profile. See Configure SASE Secure Client-Based Access Profiles for more information about adding new profiles.
- Configure client controls, including the RT-EIP interval, in the secure access profile.
  - In the Create Secure Client Access Rule screen, select workflow step 7, Client Configuration.
  - Click Customize in the Client Controls section.
  - Configure the RT-EIP interval in Advanced Settings. The default interval is 10 seconds.
- Complete the secure access profile configuration as described in Create a SASE Client Configuration for Secure Client-Based Access.
After the SASE client registers with the portal, it receives the profile settings, including the RT-EIP configuration. The client sends RT-EIP events at the configured interval. The default interval is every 10 seconds. The gateway evaluates posture changes against security policies and adjusts access in real time.
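The snapshot-plus-delta relationship described above can be modeled as follows. This is an added illustration, not Versa code: the client diffs current posture against the last full snapshot, and the gateway merges that delta and re-evaluates policy. Only the attribute names come from the monitoring table; the dict layout, the product names (`HostFirewall`, `ExampleAV`), the `managed` value, and the fail-closed policy are assumptions.

```python
# Conceptual model of snapshot + delta posture reporting. Attribute names follow
# the RT-EIP monitoring table; the dict layout, product names and policy are
# constructed for illustration and are not Versa's wire format or policy syntax.
from copy import deepcopy

_MISSING = object()

BASELINE = {  # constructed full snapshot (standard EIP report)
    "Management": {"management_status": "managed"},
    "Firewall": {"HostFirewall": {"is_running": True}},
    "Antimalware": {"ExampleAV": {"realtime_protection_status": True}},
}
# Constructed policy: at least one product per category must report True.
REQUIRED = {"Firewall": "is_running", "Antimalware": "realtime_protection_status"}

def flatten(posture, prefix=()):
    """Flatten a nested posture dict into {path_tuple: value}."""
    flat = {}
    for key, value in posture.items():
        if isinstance(value, dict):
            flat.update(flatten(value, prefix + (key,)))
        else:
            flat[prefix + (key,)] = value
    return flat

def compute_delta(baseline, current):
    """Client side: report only what changed since the last full snapshot."""
    old, new = flatten(baseline), flatten(current)
    changed = {p: v for p, v in new.items() if old.get(p, _MISSING) != v}
    return {"changed": changed, "removed": sorted(p for p in old if p not in new)}

def apply_delta(baseline, delta):
    """Gateway side: merge an incremental report into the stored snapshot."""
    state = flatten(baseline)
    state.update(delta["changed"])
    for path in delta["removed"]:
        state.pop(path, None)
    return state

def evaluate(state):
    """Fail closed: a missing attribute counts as non-compliant."""
    violations = [f"{cat}.{attr}" for cat, attr in REQUIRED.items()
                  if not any(v is True for p, v in state.items()
                             if p[0] == cat and p[-1] == attr)]
    return ("restrict" if violations else "allow"), violations

if __name__ == "__main__":
    current = deepcopy(BASELINE)
    current["Firewall"]["HostFirewall"]["is_running"] = False  # firewall disabled
    delta = compute_delta(BASELINE, current)
    print(delta, evaluate(apply_delta(BASELINE, delta)))
```

Because `evaluate` treats an absent attribute as a violation, a product that disappears from the merged state (for example, after an uninstall is picked up at the next scheduled interval) restricts access rather than passing for lack of data.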
Limitations
RT-EIP profiles have the following limitations:
- No software install or uninstall triggers—VOS does not support event-based RT-EIP triggers for software installation or uninstallation. If firewall software is installed or removed, an RT-EIP update is reported at the next scheduled RT-EIP interval.
- Server-side configuration only—You cannot modify the RT-EIP interval directly from the SASE client. Updates must be made in the secure access profile and pushed through policy updates.
Supported Software Information
Releases 12.2.2 (Service Release dated 2026-01-28) and later support all content described in this article.
