07-19-2013 07:43 AM
We have set up GlobalProtect and are able to connect to our network.
Once we add a HIPS profile, all the traffic gets denied. The only setting in the HIPS profile is that the OS is Microsoft.
We are currently using software version 5.0.6 and GlobalProtect 1.2.4, and have even tried rolling it back to 1.2.3, and still no luck. Has anyone had a problem like this before?
07-19-2013 08:13 AM
What about the HIP report in Monitor?
Did you configure "is Microsoft" or "contains Microsoft"?
V.
07-19-2013 08:32 AM
Nothing shows up in Hips Monitor section.
OS Contains Microsoft.All
That's it for the whole thing.
07-23-2013 12:48 PM
Do you see any hip profiles associated with the GP user:
> show user ip-user-mapping ip <gp_ip>
You can also verify the HIP database:
> debug user-id dump hip-profile-database
Also, can you look at the sslvpn logs and look for "POST /ssl-vpn/hipreportcheck.esp HTTP/1.1"
> less webserver-log sslvpn-access.log
07-23-2013 12:59 PM
When I run the command: less webserver-log sslvpn-access.log
I do not see any reference to what you said. This is what I currently see:
- - [Tue Jul 23 10:50:21 2013 EDT] "POST /global-protect/prelogin.esp HTTP/1.1" 200 643
- - [Tue Jul 23 10:50:21 2013 EDT] "POST /global-protect/getconfig.esp HTTP/1.1" 200 6203
- - [Tue Jul 23 10:50:25 2013 EDT] "POST /ssl-vpn/prelogin.esp HTTP/1.1" 200 642
- - [Tue Jul 23 10:50:25 2013 EDT] "POST /ssl-vpn/login.esp HTTP/1.1" 200 2037
- - [Tue Jul 23 10:50:25 2013 EDT] "POST /ssl-vpn/getconfig.esp HTTP/1.1" 200 1997
127.0.0.1 - - [Tue Jul 23 10:50:45 2013 EDT] "GET /robots.txt HTTP/1.0" 200 284
- - [Tue Jul 23 10:51:42 2013 EDT] "POST /global-protect/prelogin.esp HTTP/1.1" 200 643
- - [Tue Jul 23 10:51:42 2013 EDT] "POST /global-protect/getconfig.esp HTTP/1.1" 200 6203
- - [Tue Jul 23 10:51:45 2013 EDT] "POST /ssl-vpn/prelogin.esp HTTP/1.1" 200 642
- - [Tue Jul 23 10:51:45 2013 EDT] "POST /ssl-vpn/login.esp HTTP/1.1" 200 2333
- - [Tue Jul 23 10:51:45 2013 EDT] "POST /ssl-vpn/getconfig.esp HTTP/1.1" 200 1997
127.0.0.1 - - [Tue Jul 23 10:51:46 2013 EDT] "GET /robots.txt HTTP/1.0" 200 284
127.0.0.1 - - [Tue Jul 23 10:52:46 2013 EDT] "GET /robots.txt HTTP/1.0" 200 284
127.0.0.1 - - [Tue Jul 23 10:53:46 2013 EDT] "GET /robots.txt HTTP/1.0" 200 284
- - [Tue Jul 23 10:54:00 2013 EDT] "GET /index.sslvpn HTTP/1.1" 200 480
- - [Tue Jul 23 10:54:00 2013 EDT] "GET /global-protect/login.esp HTTP/1.1" 200 7504
- - [Tue Jul 23 10:54:00 2013 EDT] "GET /images/global_protect.gif HTTP/1.1" 200 595
- - [Tue Jul 23 10:54:00 2013 EDT] "GET /styles/falcon_content.css?v=@@version HTTP/1.1" 200 41011
- - [Tue Jul 23 10:54:00 2013 EDT] "GET /images/logo_pan_158.gif HTTP/1.1" 200 3720
- - [Tue Jul 23 10:54:00 2013 EDT] "GET /favicon.ico HTTP/1.1" 404 382
The other commands show:
debug user-id dump hip-profile-database
No records exists or Matches!
show user ip-user-mapping ip 172.18.20.2
IP address: 172.18.20.2 (vsys1)
User: ***\****
From: GP
Idle Timeout: 2591945s
Max. TTL: 2591945s
Groups that the user belongs to (used in policy)
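Added example, not part of the original thread and not Palo Alto Networks code: a small Python check that reads sslvpn-access.log text exported from the firewall and lists each successful "POST /ssl-vpn/login.esp" that is not followed by the "POST /ssl-vpn/hipreportcheck.esp" request asked about above. The sample log is constructed, and the 120-second window and the single-client assumption (the client address field is empty in the posted lines) are assumptions of this example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample modelled on the lines posted above; the final
# hipreportcheck.esp entry is invented for illustration.
SAMPLE_LOG = '''\
- - [Tue Jul 23 10:50:25 2013 EDT] "POST /ssl-vpn/login.esp HTTP/1.1" 200 2037
- - [Tue Jul 23 10:50:25 2013 EDT] "POST /ssl-vpn/getconfig.esp HTTP/1.1" 200 1997
127.0.0.1 - - [Tue Jul 23 10:50:45 2013 EDT] "GET /robots.txt HTTP/1.0" 200 284
- - [Tue Jul 23 10:51:45 2013 EDT] "POST /ssl-vpn/login.esp HTTP/1.1" 200 2333
- - [Tue Jul 23 10:51:45 2013 EDT] "POST /ssl-vpn/getconfig.esp HTTP/1.1" 200 1997
- - [Tue Jul 23 10:51:49 2013 EDT] "POST /ssl-vpn/hipreportcheck.esp HTTP/1.1" 200 561
'''

LOGIN = "/ssl-vpn/login.esp"
HIP_CHECK = "/ssl-vpn/hipreportcheck.esp"
LINE_RE = re.compile(
    r'\[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})\b')

def parse(log_text):
    """Yield (timestamp, method, path, status) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        stamp = m.group("ts").rsplit(" ", 1)[0]  # drop the zone name (EDT)
        try:
            ts = datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y")
        except ValueError:
            continue  # skip lines whose timestamp is damaged
        path = m.group("path").split("?", 1)[0]
        yield ts, m.group("method"), path, int(m.group("status"))

def logins_without_hip_check(log_text, window=timedelta(seconds=120)):
    """Return login times with no HIP report check before the next login
    or before the window (an assumed value) runs out, whichever is first."""
    events = sorted(parse(log_text), key=lambda e: e[0])
    logins = [t for t, meth, p, st in events
              if meth == "POST" and p == LOGIN and st == 200]
    checks = [t for t, meth, p, _ in events if meth == "POST" and p == HIP_CHECK]
    missing = []
    for i, start in enumerate(logins):
        end = start + window
        if i + 1 < len(logins):
            end = min(end, logins[i + 1])
        if not any(start <= c < end for c in checks):
            missing.append(start)
    return missing

if __name__ == "__main__":
    for ts in logins_without_hip_check(SAMPLE_LOG):
        print("login with no HIP report check:", ts.isoformat(sep=" "))
```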
07-23-2013 03:47 PM
Are you using self signed certificate for the portal & gateway? If not, can you make sure to include the entire certificate chain under Trusted Root CA section of portal config?
07-23-2013 03:49 PM
Also, please make sure you have GP portal and GW license and also the GP data file is installed (Dynamic Updates -> GlobalProtect Data File).
07-23-2013 06:35 PM
Are you able to see HIP details under user GP client?
07-24-2013 04:30 AM
Upon adding the remaining part of the chain it worked, thank you very much.