I would extend that to 480 (8 Hours)
I have mine set to 24 hours but for some thats too long.
4 Hours may be OK. but try 8 and reduce if needs be.
I have done this but again user reported that next day .
I got debugging logs from user and I see it's an issue on HIP report that timed out . I have opened a case with Palo Alto and waiting their availability to check it .
PA released version 5.0.6 that fix some HIP issues. Now for the case I have they are still reviewing the files I sent them .
From what I see is that :
(T20032) 11/28/19 11:18:03:568 Debug(4477): Send hip report check failed
I have increased the timeout to 1 day for the HIP report from 3 hours that was set.I will keep you posted .
Palo Alto engineer and myself we were looking the logs .
User connected in the morning , opened a UDP session with significant amount of data transimtted and recevied .Was allowed by an ACL in line 35 let's say and after 3 hours Deny ALL acl was matching in line 50 .
We see that HIP report was sent and there flags 0x63 & 0x61 on the allowed and deny from the log .We suspect that is related to HIP report .We see that was sent every hour and HIP log is matching the HIP profile every hour .Question is why traffic that elapsed time was 3 hours is mathcing after that time DENY ALL ACL.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!