How to Troubleshoot HIP Data

by Phoenix on 10-30-2012 12:52 PM

To troubleshoot the HIP profile information on the Palo Alto Networks firewall, the following commands can be used.

The following command shows the computer name (PAN00965), HIP profile name (Hip-Profile), user (admin), and allocated IP address (172.24.10.1):

> debug user-id dump hip-profile-database

Total number of hipmask in database: 1
Total size of hip reports: 1029KB used / 1248256KB

Entry    User                               Computer
IP              TTL   VSYS               HIP Profile
----------------------------------------------------------------------
1        admin                              PAN00965
172.24.10.1     10747 vsys1              Hip-Profile
----------------------------------------------------------------------

The following command generates a large amount of output in XML format. Only the data useful for troubleshooting is shown below:

> debug user-id dump hip-report computer PAN00965 user admin ip 172.24.10.1

<?xml version="1.0" encoding="UTF-8"?>
<hip-report>
        <user-name>admin</user-name>
        <host-name>PAN00965</host-name>
        <ip-address>172.24.10.1</ip-address>
        <generate-time>10/29/2012 16:51:17</generate-time>
        <categories>
                <entry name="host-info">
                        <client-version>1.1.7-11</client-version>
                        <os>Microsoft Windows 7 Enterprise Edition Service Pack 1, 32-bit</os>
                        <os-vendor>Microsoft</os-vendor>
                        <host-name>PAN00965</host-name>
                        <network-interface>
                                <entry name="{7383A4FF-0140-4E4C-B70F-0D30438851C9}">
                                        <description>PANGP Virtual Ethernet Adapter</description>
                                        <mac-address>02-50-41-00-00-01</mac-address>
                                        <ip-address>
                                                <entry name="172.24.10.1"/>
                                        </ip-address>
                                </entry>
                <entry name="firewall">
                        <list>
                                <entry>
                                        <ProductInfo>
                                                <Prod name="Microsoft Windows Firewall" version="7" vendor="Microsoft Corp.">
                                                </Prod>
                                                <is-enabled>yes</is-enabled>
                                        </ProductInfo>
                                </entry>
                        </list>
                </entry>
                <entry name="disk-backup">
                        <list>
                                <entry>
                                        <ProductInfo>
                                                <Prod name="Dropbox" version="1.2.52" vendor="Dropbox">
                                                </Prod>
                                                <last-backup-time>n/a</last-backup-time>
                                        </ProductInfo>
                                </entry>
                        </list>
                </entry>

In the above output, look for the HIP objects configured for the PC PAN00965. There are two objects: firewall and disk-backup, as seen above.

For a security rule configured to check that the Microsoft Windows Firewall is enabled, the HIP report shows that the Windows Firewall is enabled on the PC.

Since the HIP data is verified, the security rule would match and take the action defined.

See also

How_to_Create-a_HIP_Match_4.0.pdf for more information on how to implement HIP profiles.

owner: ssunku

Comments
by pulukas
on ‎07-28-2015 02:45 PM

The see also document linked above is not public.

by MarekWalczak
2 weeks ago

Are there any commands I can run to display the version of the GlobalProtect client for all users? The version can be seen from the GUI, but for just a given user, and I can get the same info by running the command below, but again this command displays the version for that user only.

 

debug user-id dump hip-report computer <computer-name> ip <global-protect-assigned-ip> user <username>

 
