https://live.paloaltonetworks.com/t5/general-topics/user-id-rule-to-bypass-hip-check-not-matching/m-p/410595#M92608 <P>Hi all,</P><P>&nbsp;</P><P>I have a similar problem. I have some users connect by global protect with HIP Profile that sometimes they have match in one rule and othertimes they have match in another rules.&nbsp;</P><P>&nbsp;</P><P>I still have two rules, one with HIP and one without HIP profile for this reason.</P><P>&nbsp;</P><P>I want to delete the rule without HIP profile but not for the moment because I have the doubt that if I don't have it... the traffic can go down as it is still maching on both rules</P><P><BR />Can anyone help me?</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 04 Jun 2021 08:36:45 GMT BigPalo 2021-06-04T08:36:45Z https://live.paloaltonetworks.com/t5/general-topics/user-id-rule-to-bypass-hip-check-not-matching/m-p/351441#M87069 <P>Hi all,</P><P>&nbsp;</P><P>I have a rule to allow certain Global Protect users DNS and RDP traffic by matching the user-id. However, even though it looks like the traffic should match when I view the traffic log it's not?! For some users the rule works fine but others it doesn't match and I can't work it out.</P><P>&nbsp;</P><P>Any help would be greatly appreciated <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P>&nbsp;</P><P>Kevin.</P> Wed, 23 Sep 2020 14:08:48 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-rule-to-bypass-hip-check-not-matching/m-p/351441#M87069 adrianflux 2020-09-23T14:08:48Z https://live.paloaltonetworks.com/t5/general-topics/user-id-rule-to-bypass-hip-check-not-matching/m-p/351631#M87086 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/64161">@adrianflux</a>,</P> <P>Would really need to look at the logs to figure this out. You've verified that the user-id is recorded in the denied traffic logs and the rulebase entry properly passes when you do a&nbsp;<EM>test security-policy-match?&nbsp;</EM>Can you give us an output of the security entry and an example of one of the logs that isn't currently working?&nbsp;</P> Thu, 24 Sep 2020 02:04:15 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-rule-to-bypass-hip-check-not-matching/m-p/351631#M87086 BPry 2020-09-24T02:04:15Z https://live.paloaltonetworks.com/t5/general-topics/user-id-rule-to-bypass-hip-check-not-matching/m-p/351666#M87092 <P>Hi ,</P><P>&nbsp;</P><P>Check the user-id how is formatted in the logs like :&nbsp; domain\bob</P><P>Then check the traffic logs that you interested and check there the user , it should be something else and that is the reason why&nbsp;</P><P>Then check the security policy to see if you have domain\bob like the user ID .</P><P>The HIP collection is taking the username and domain.&nbsp;</P> Thu, 24 Sep 2020 06:57:39 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-rule-to-bypass-hip-check-not-matching/m-p/351666#M87092 GeorgiosFakis 2020-09-24T06:57:39Z https://live.paloaltonetworks.com/t5/general-topics/user-id-rule-to-bypass-hip-check-not-matching/m-p/410595#M92608 <P>Hi all,</P><P>&nbsp;</P><P>I have a similar problem. I have some users connect by global protect with HIP Profile that sometimes they have match in one rule and othertimes they have match in another rules.&nbsp;</P><P>&nbsp;</P><P>I still have two rules, one with HIP and one without HIP profile for this reason.</P><P>&nbsp;</P><P>I want to delete the rule without HIP profile but not for the moment because I have the doubt that if I don't have it... the traffic can go down as it is still maching on both rules</P><P><BR />Can anyone help me?</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 04 Jun 2021 08:36:45 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-rule-to-bypass-hip-check-not-matching/m-p/410595#M92608 BigPalo 2021-06-04T08:36:45Z https://live.paloaltonetworks.com/t5/general-topics/user-id-rule-to-bypass-hip-check-not-matching/m-p/410602#M92611 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/85066">@BigPalo</a>&nbsp;are there different HIP profiles specified in the two security policy rules?</P> Wed, 02 Jun 2021 15:41:20 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-rule-to-bypass-hip-check-not-matching/m-p/410602#M92611 Remo 2021-06-02T15:41:20Z https://live.paloaltonetworks.com/t5/general-topics/user-id-rule-to-bypass-hip-check-not-matching/m-p/410605#M92612 <P>No, We have only one&nbsp;<SPAN>HIP profiles specified in the one security policy rule</SPAN></P><P>&nbsp;</P><P><SPAN>The other rule does not have HIP profile applied</SPAN></P> Wed, 02 Jun 2021 15:43:11 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-rule-to-bypass-hip-check-not-matching/m-p/410605#M92612 BigPalo 2021-06-02T15:43:11Z https://live.paloaltonetworks.com/t5/general-topics/user-id-rule-to-bypass-hip-check-not-matching/m-p/410607#M92614 <P>Then it looks like the HIP profile does not match all the time. What do you check with that HIP profile?</P> Wed, 02 Jun 2021 15:44:49 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-rule-to-bypass-hip-check-not-matching/m-p/410607#M92614 Remo 2021-06-02T15:44:49Z https://live.paloaltonetworks.com/t5/general-topics/user-id-rule-to-bypass-hip-check-not-matching/m-p/410738#M92636 <P>Hi,</P><P>&nbsp;</P><P>Thanks for your answer...but I think that it is not the problem because users sometimes match in correct rule If we had HIP profile wrong it never work fine , no?</P><P>&nbsp;</P> Thu, 03 Jun 2021 06:54:06 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-rule-to-bypass-hip-check-not-matching/m-p/410738#M92636 BigPalo 2021-06-03T06:54:06Z https://live.paloaltonetworks.com/t5/general-topics/user-id-rule-to-bypass-hip-check-not-matching/m-p/410752#M92638 <P>I was thinking about the HIP profile because of the topic here where you posted this comment. And also because in the screenshot everything is exactly the same. Another possibility would be an URL category in the rule which makes sometime match one and then again the other rule.</P> Thu, 03 Jun 2021 08:03:38 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-rule-to-bypass-hip-check-not-matching/m-p/410752#M92638 Remo 2021-06-03T08:03:38Z https://live.paloaltonetworks.com/t5/general-topics/user-id-rule-to-bypass-hip-check-not-matching/m-p/410787#M92644 <P>When the user disconnects from GP there are session that will expire, therefore there is no HIP data at the moment . I have seen in my logs that is matching a "catch" rule DENY for those HIP profiles are not working.&nbsp;</P> Thu, 03 Jun 2021 08:56:45 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-rule-to-bypass-hip-check-not-matching/m-p/410787#M92644 GeorgiosFakis 2021-06-03T08:56:45Z https://live.paloaltonetworks.com/t5/general-topics/user-id-rule-to-bypass-hip-check-not-matching/m-p/410913#M92664 <P>Hi, thanks for your response, I have checked in my logs but I have not found rule DENY</P><P>&nbsp;</P><P>I only see that user change your match for another rule but it is allow rule</P><P>&nbsp;</P><P>Regards</P> Thu, 03 Jun 2021 15:10:41 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-rule-to-bypass-hip-check-not-matching/m-p/410913#M92664 BigPalo 2021-06-03T15:10:41Z https://live.paloaltonetworks.com/t5/general-topics/user-id-rule-to-bypass-hip-check-not-matching/m-p/411095#M92693 <P>Hi ,</P><P>&nbsp;</P><P>Are they RDP with the same account like the login username of GP ?&nbsp;</P><P>Have you defined AD groups in the ACL ?&nbsp;</P><P>&nbsp;</P><P>What username is not matching the RDP and the DNS and have you compared that to the username login ?&nbsp;</P><P>I had the same issue and I deleted the source user AD group because I had users like domain\bob and the RDP was done by domain\admbob.&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 04 Jun 2021 06:42:52 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-rule-to-bypass-hip-check-not-matching/m-p/411095#M92693 GeorgiosFakis 2021-06-04T06:42:52Z