I have a PA-3020 that is configured for GlobalProtect. All is good as far as being able to connect to the VPN, but once I am connected I find that I'm having issues connecting to servers that are permitted in security policy, but have the HIP Profile attached. If I remove the HIP profile the traffic flows as expected.
The HIP profile is very basic at this time - it's just checking to determine whether the user's laptop is configured with the proper domain. When I browse to Monitor > HIP Match I'm seeing that my machine is matching the "GlobalProtect Authorized Users" profile, but whenever the HIP policy is attached to the security policy I can't get to the server(s) - the traffic log shows that the traffic was denied. Remove the HIP check, commit, and re-connect and I'm able to get to the server(s) using the same rule, just minus the HIP check.
I have the same basic setup on another set of firewalls at our HQ and it's working without an issue.
Can anybody give me any tips on how to troubleshoot this? I wish the HIP logs gave a bit more information.
The firewall with the issue is running 8.1.13, with GlobalProtect 5.1.1.
Do you actually have a GlobalProtect Gateway subscription active on the firewall? You'll be able to find additional HIP information in the PanGPS.log file on a client machine.