Global Protect and HIPS

L2 Linker

We have set up GlobalProtect and are able to connect to our network.

Once we add a HIPS profile, all the traffic gets denied. The only setting in the HIPS profile is that the OS is Microsoft.

We are currently using software version 5.0.6 and GlobalProtect 1.2.4, and have even tried rolling it back to 1.2.3, still with no luck. Has anyone had a problem like this before?


All Replies
L5 Sessionator

What about the HIP report in Monitor?

Did you configure "is Microsoft" or "contains Microsoft"?

V.

L2 Linker

Nothing shows up in the HIP Monitor section.

OS Contains Microsoft.All

That's it for the whole thing.

L5 Sessionator

Do you see any HIP profiles associated with the GP user?

> show user ip-user-mapping ip <gp_ip>

You can also verify the HIP database:

> debug user-id dump hip-profile-database

Also, can you look at the sslvpn logs for "POST /ssl-vpn/hipreportcheck.esp HTTP/1.1"?

> less webserver-log sslvpn-access.log



L2 Linker

When I run the command less webserver-log sslvpn-access.log, I do not see any reference to what you mentioned. This is what I currently see:

- - [Tue Jul 23 10:50:21 2013 EDT] "POST /global-protect/prelogin.esp HTTP/1.1" 200 643
- - [Tue Jul 23 10:50:21 2013 EDT] "POST /global-protect/getconfig.esp HTTP/1.1" 200 6203
- - [Tue Jul 23 10:50:25 2013 EDT] "POST /ssl-vpn/prelogin.esp HTTP/1.1" 200 642
- - [Tue Jul 23 10:50:25 2013 EDT] "POST /ssl-vpn/login.esp HTTP/1.1" 200 2037
- - [Tue Jul 23 10:50:25 2013 EDT] "POST /ssl-vpn/getconfig.esp HTTP/1.1" 200 1997
127.0.0.1 - - [Tue Jul 23 10:50:45 2013 EDT] "GET /robots.txt HTTP/1.0" 200 284
- - [Tue Jul 23 10:51:42 2013 EDT] "POST /global-protect/prelogin.esp HTTP/1.1" 200 643
- - [Tue Jul 23 10:51:42 2013 EDT] "POST /global-protect/getconfig.esp HTTP/1.1" 200 6203
- - [Tue Jul 23 10:51:45 2013 EDT] "POST /ssl-vpn/prelogin.esp HTTP/1.1" 200 642
- - [Tue Jul 23 10:51:45 2013 EDT] "POST /ssl-vpn/login.esp HTTP/1.1" 200 2333
- - [Tue Jul 23 10:51:45 2013 EDT] "POST /ssl-vpn/getconfig.esp HTTP/1.1" 200 1997
127.0.0.1 - - [Tue Jul 23 10:51:46 2013 EDT] "GET /robots.txt HTTP/1.0" 200 284
127.0.0.1 - - [Tue Jul 23 10:52:46 2013 EDT] "GET /robots.txt HTTP/1.0" 200 284
127.0.0.1 - - [Tue Jul 23 10:53:46 2013 EDT] "GET /robots.txt HTTP/1.0" 200 284
- - [Tue Jul 23 10:54:00 2013 EDT] "GET /index.sslvpn HTTP/1.1" 200 480
- - [Tue Jul 23 10:54:00 2013 EDT] "GET /global-protect/login.esp HTTP/1.1" 200 7504
- - [Tue Jul 23 10:54:00 2013 EDT] "GET /images/global_protect.gif HTTP/1.1" 200 595
- - [Tue Jul 23 10:54:00 2013 EDT] "GET /styles/falcon_content.css?v=@@version HTTP/1.1" 200 41011
- - [Tue Jul 23 10:54:00 2013 EDT] "GET /images/logo_pan_158.gif HTTP/1.1" 200 3720
- - [Tue Jul 23 10:54:00 2013 EDT] "GET /favicon.ico HTTP/1.1" 404 382

The other commands show:

debug user-id dump hip-profile-database

No records exists or Matches!

show user ip-user-mapping ip 172.18.20.2

IP address:  172.18.20.2 (vsys1)
User:        ***\****
From:        GP
Idle Timeout: 2591945s
Max. TTL:    2591945s
Groups that the user belongs to (used in policy)
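As an added example (not from the thread, and not Palo Alto Networks code), here is a small POSIX shell check that automates the hipreportcheck.esp lookup suggested above for a log in this format: it walks the access log in order and flags every gateway login (POST /ssl-vpn/login.esp) that is not followed by a POST /ssl-vpn/hipreportcheck.esp before the next login. The sample log is constructed: the two 10:50 and 10:51 sessions are copied from the lines posted above, and a third session at 11:02 with a HIP report is invented to show what the healthy case looks like. Run against the sample it flags exactly the two posted logins, which is the symptom in this thread (prelogin, login and getconfig all return 200, but the client never submits a HIP report).

```shell
#!/bin/sh
# Added example, not from the thread or from Palo Alto Networks: scan a GlobalProtect
# sslvpn-access.log for gateway logins that were never followed by the client's
# "POST /ssl-vpn/hipreportcheck.esp" submission.

# Constructed sample log. The first two sessions are the lines posted in the thread;
# the 11:02 session is invented here to show a login followed by a HIP report.
make_sample_log() {
  cat <<'EOF'
- - [Tue Jul 23 10:50:25 2013 EDT] "POST /ssl-vpn/prelogin.esp HTTP/1.1" 200 642
- - [Tue Jul 23 10:50:25 2013 EDT] "POST /ssl-vpn/login.esp HTTP/1.1" 200 2037
- - [Tue Jul 23 10:50:25 2013 EDT] "POST /ssl-vpn/getconfig.esp HTTP/1.1" 200 1997
127.0.0.1 - - [Tue Jul 23 10:50:45 2013 EDT] "GET /robots.txt HTTP/1.0" 200 284
- - [Tue Jul 23 10:51:45 2013 EDT] "POST /ssl-vpn/prelogin.esp HTTP/1.1" 200 642
- - [Tue Jul 23 10:51:45 2013 EDT] "POST /ssl-vpn/login.esp HTTP/1.1" 200 2333
- - [Tue Jul 23 10:51:45 2013 EDT] "POST /ssl-vpn/getconfig.esp HTTP/1.1" 200 1997
- - [Tue Jul 23 11:02:10 2013 EDT] "POST /ssl-vpn/prelogin.esp HTTP/1.1" 200 642
- - [Tue Jul 23 11:02:10 2013 EDT] "POST /ssl-vpn/login.esp HTTP/1.1" 200 2101
- - [Tue Jul 23 11:02:10 2013 EDT] "POST /ssl-vpn/getconfig.esp HTTP/1.1" 200 1997
- - [Tue Jul 23 11:02:12 2013 EDT] "POST /ssl-vpn/hipreportcheck.esp HTTP/1.1" 200 139
EOF
}

# Print one line per gateway login that is not followed by a HIP report check before
# the next login. The posted log has an empty client IP in the first field, so
# sessions are delimited by login order rather than keyed by source address.
logins_without_hip() {   # $1 = path to an sslvpn-access.log style file
  awk '
    /"POST \/ssl-vpn\/login\.esp / {
      if (pending != "") print "no HIP report after login at " pending
      pending = $0
      sub(/.*\[/, "", pending)    # keep only the text inside [...]
      sub(/\].*$/, "", pending)
      next
    }
    /"POST \/ssl-vpn\/hipreportcheck\.esp / { pending = "" }
    END { if (pending != "") print "no HIP report after login at " pending }
  ' "$1"
}

# Convenience wrapper that only counts the flagged logins.
count_logins_without_hip() {
  logins_without_hip "$1" | wc -l | tr -d ' '
}

# Stand-alone run against the constructed sample.
sample=$(mktemp)
make_sample_log > "$sample"
logins_without_hip "$sample"
rm -f "$sample"
```

On a real firewall the log is read with the `less webserver-log sslvpn-access.log` command shown above; copy the output to a file and point `logins_without_hip` at it. A login that is flagged here while `debug user-id dump hip-profile-database` shows no records is exactly the state described in this reply.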



L5 Sessionator

Are you using a self-signed certificate for the portal and gateway? If not, can you make sure to include the entire certificate chain under the Trusted Root CA section of the portal config?

(attachment: portal.jpg)

L5 Sessionator

Also, please make sure you have the GP portal and gateway licenses and that the GP data file is installed (Dynamic Updates -> GlobalProtect Data File).

L3 Networker

Are you able to see HIP details in the user's GP client?

L2 Linker

Upon adding the remaining part of the chain it worked, thank you very much.
