Denied traffic even though GlobalProtect HIP check passes?


L0 Member

Hi all,

 

I have a PA-3020 that is configured for GlobalProtect. All is good as far as being able to connect to the VPN, but once I am connected I find that I'm having issues connecting to servers that are permitted in security policy, but have the HIP Profile attached. If I remove the HIP profile the traffic flows as expected.

 

The HIP profile is very basic at this time - it's just checking to determine whether the user's laptop is configured with the proper domain. When I browse to Monitor > HIP Match I'm seeing that my machine is matching the "GlobalProtect Authorized Users" profile, but whenever the HIP policy is attached to the security policy I can't get to the server(s) - the traffic log shows that the traffic was denied. Remove the HIP check, commit, and re-connect and I'm able to get to the server(s) using the same rule, just minus the HIP check.

 

I have the same basic setup on another set of firewalls at our HQ and it's working without an issue.

 

Can anybody give me any tips on how to troubleshoot this? I wish the HIP logs gave a bit more information. 

 

The firewall with the issue is running 8.1.13, with GlobalProtect 5.1.1. 

 

Thanks!

2 REPLIES

Cyber Elite

@Ben_Gooch,

Do you actually have a GlobalProtect Gateway subscription active on the firewall? You'll be able to find additional HIP information in the PanGPS.log file on a client machine. 

The firewall does have an active gateway subscription. I'll look toward the PanGPS.log file and see what I can find.