I have Global Protect VPN configured and everything is working, but the moment I apply a HIP-Profile to my security rule (for my VPN Users), they immediately do not match my VPN security rule. I get no HIP logs, I cannot find any hip profiles. I configured a HIP Profile, to match any Windows operating system, so I kept it simple. I can remove the HIP Profile from the security rule, then my VPN users will match the rule and everything is fine. But the moment I apply the HIP Profile to the security rule, the traffic will not match the rule. I am configuring the firewall via Panorama console. I feel like its a simple fix and I am overlooking a simple HIP configuration/requirement.
I tried the following articles but they all failed to fix my issue or I cannot obtain any results from the show/debug commands.
username@IFW-01> debug user-id dump hip-profile-database entry
Total number of hipmask in database: 0
Total number of logout records in database: 0
Total size of hip reports: 1024KB used / 34816KB
No record exists or matches!
username@IFW01> debug user-id dump hip-profile-database ipmapping
Total number of ipmappings in database: 0
No record exists or matches!
Solved! Go to Solution.
Do you actually have a GlobalProtect Gateway subscription for your firewall?
Anyone have any clue why HIP is not working for me? I get no show output, no HIP matches, nothing. I do have a valid GP Gateway subscription which is why I am building this HIP requirement.
do you have Collect HIP data - check mark box in your agent config on your portal?
yes.. I put the check for hip collection, yesterday but it didn't make a difference. It should be a simple setup but not sure why HIP is not working. Its almost as if the client/computer is not sending HIP information to PA. My HIP Profile is looking for any Windows OS, and I am running Windows 10 Enterprise so the HIP Profile should match.
So as long as you have the license active, and you have the Collect HIP Data checked, you should at the very least be getting logs under 'HIP Match'. Short of posting the XML or CLI output so that we can actually verify that what you are seeing in the GUI and what the device is actually configured to do matches, I would contact TAC so they can actually look at your full log output.
Not sure how I resolved my own problem, but i basically redownloaded GlobaPortect Data File from Dynamic Updates in Panorama (but it still failed) and then I went to the HIP profile, remove all specifications (e.g. windows 10..etc). That way my HIP profile will accept anything. I committed it and things started to work.. I was seeing HIP matches and etc.. I then went back to the HIP profile and put back some of my specifications and things continue to work. I am not really sure why is working now but it is.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!