topic Re: HIP profile is not working with WAN rule in GlobalProtect Discussions

HIP profile is not working with WAN rule

omertaskin — Tue, 12 Sep 2023 19:09:31 GMT

Hello valued community, unfortunately, I am still seeking answers for my issue.

I have an HIP profile that works when defined as an example for someone establishing a VPN connection using RDP. However, I am unable to achieve results when applied to a WAN rule.

Precisely, what I want to achieve is this: If it doesn't meet the conditions specified in HIP, it should not establish a VPN connection. Based on the information I gathered through my research, it seems I need to apply the HIP profile to the WAN rule.

When I test it, it does not seem to apply to that rule conclusively. It passes through to the next rule without HIP checks, which I have created as a backup.

What do you think I should do? I am eagerly awaiting the responses of esteemed professionals. Thank you.

Re: HIP profile is not working with WAN rule

TomYoung — Tue, 12 Sep 2023 23:44:34 GMT

Hi @omertaskin ,

A failed HIP check does NOT cause GlobalProtect (GP) to disconnect.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HBMYCA4&lang=en_US%E2%80%A9

Instead, the HIP Profile is used in a security policy rule to allow access. To deny access to traffic that does not match, do not have any rule with the GP source zone that allows traffic without a HIP Profile.

https://docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/host-information/configure-hip-based-policy-enforcement

It your GP clients do not match your rule with a HIP Profile, they may not be matching. Here is how you can troubleshoot.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000boP1CAI

Thanks,

Tom