12-05-2019 04:01 PM
I have GlobalProtect VPN configured and everything is working, but the moment I apply a HIP Profile to my security rule (for my VPN users), they immediately do not match my VPN security rule. I get no HIP logs, and I cannot find any HIP profiles. I configured a HIP Profile to match any Windows operating system, so I kept it simple. I can remove the HIP Profile from the security rule, then my VPN users will match the rule and everything is fine. But the moment I apply the HIP Profile to the security rule, the traffic will not match the rule. I am configuring the firewall via the Panorama console. I feel like it's a simple fix and I am overlooking a simple HIP configuration/requirement.
I tried the following articles but they all failed to fix my issue or I cannot obtain any results from the show/debug commands.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClshCAC
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000boP1CAI
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClbkCAC
username@IFW-01> debug user-id dump hip-profile-database entry
Total number of hipmask in database: 0
Total number of logout records in database: 0
Total size of hip reports: 1024KB used / 34816KB
No record exists or matches!
username@IFW01> debug user-id dump hip-profile-database ipmapping
Total number of ipmappings in database: 0
No record exists or matches!
12-05-2019 06:34 PM
Do you actually have a GlobalProtect Gateway subscription for your firewall?
12-06-2019 05:28 AM
Yes. I have a subscription license.
12-06-2019 11:09 AM
Anyone have any clue why HIP is not working for me? I get no show output, no HIP matches, nothing. I do have a valid GP Gateway subscription which is why I am building this HIP requirement.
12-06-2019 12:40 PM
Do you have the Collect HIP Data check box ticked in your agent config on your portal?
12-06-2019 12:44 PM
Yes, I put the check for HIP collection yesterday, but it didn't make a difference. It should be a simple setup, but I'm not sure why HIP is not working. It's almost as if the client/computer is not sending HIP information to the PA. My HIP Profile is looking for any Windows OS, and I am running Windows 10 Enterprise, so the HIP Profile should match.
12-07-2019 09:52 PM
So as long as you have the license active, and you have the Collect HIP Data checked, you should at the very least be getting logs under 'HIP Match'. Short of posting the XML or CLI output so that we can actually verify that what you are seeing in the GUI and what the device is actually configured to do matches, I would contact TAC so they can actually look at your full log output.
12-13-2019 09:17 AM
Not sure how I resolved my own problem, but I basically re-downloaded the GlobalProtect Data File from Dynamic Updates in Panorama (but it still failed), and then I went to the HIP profile and removed all specifications (e.g. Windows 10, etc.). That way my HIP profile will accept anything. I committed it and things started to work. I was seeing HIP matches, etc. I then went back to the HIP profile and put back some of my specifications, and things continue to work. I am not really sure why it is working now, but it is.