I've been unable to get my HIP check to work when checking for attributes in a machine certificate. Other HIP checks do work. I'm using my root cert for the Certificate Profile. I don't have/use an intermediate cert as this is a lab. Some of the things I've tried:
1. I configured a certificate profile with the root cert.
2. Portal > Agent > Config Selection Criteria > Device Checks. I selected the root cert profile.
3. Portal > Agent > App > Machine cert is selected.
4. Portal > Portal Data Collection > Certificate Profile: my root cert profile.
5. Portal > Agent - "Collect HIP Data" is selected.
I'm verifying the HIP checks using HIP Notification under the Gateway Agent. Like I said, my other HIP checks are working. Opening the GlobalProtect settings on a laptop and viewing Host Profile, shows the machine name under "Certificate". The right side of the screen shows the certificate in the form -----BEGIN CERTIFICATE----.......
I'm using 9.0.3h3 and GP client 5.0.5.
Have you seen these 2 KB articles about HIP configuration?
Have you created your HIP object and the access rule for this?
Thanks for your help. The second link you posted provided the debugs I needed to solve this issue. I thought I was receiving the machine certificate judging by the information I saw in the GlobalProtect Settings > Host Profile. The certificate section showed the machine name. But I could never fully confirm it. I could never get the certificate attributes to match. The second link provided these commands:
Debug commands to show the HIP information in the database:
> debug user-id dump hip-profile-database entry
> debug user-id dump hip-report computer <computer-name> ip <global-protect-assigned-ip> user <username>
The first two commands showed the user information and HIP information, including the certificate information with attributes in the format needed to set up the values.
To gain greater visibility, the hip debugs can be enabled via the CLI commands below. The messages are printed to the 'useridd.log' file. These commands showed the actual matching for the HIP objects and profiles.
> debug user-id set hip all
> debug user-id on debug
> tail follow yes mp-log useridd.log
The next three debug commands allowed me to see why the attribute match was failing. I was currently trying to match on "issuer". I could see the value the machine cert provided didn't match my value. After adjusting it, I received the message from the Gateway > Agent > Hip Notification, that my system passed the HIP check. I tried other attributes but I can see that the attributes I tried aren't listed in the database.
Thanks for your help!
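As an added example (not from this thread and not Palo Alto Networks code), the following Python extracts the issuer and subject exactly as they are encoded in a certificate, which is the information one would compare against the values printed by the `debug user-id dump hip-report` output before typing them into a HIP object. It uses only the standard library: `cert_names()` works on any PEM certificate (for instance one exported from the Local Computer\Personal store), and the sample certificate is a constructed, unsigned stand-in with a placeholder key and signature, built inline so the script runs offline. The `DC=..., CN=...` rendering in encoded order is an assumption about how the HIP database presents the issuer; the dump output is the authoritative format.

```python
import base64

# Attribute-type OIDs that commonly appear in machine-certificate names
OID_NAMES = {
    "2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.8": "ST",
    "2.5.4.10": "O", "2.5.4.11": "OU",
    "0.9.2342.19200300.100.1.25": "DC", "1.2.840.113549.1.9.1": "emailAddress",
}
NAME_OIDS = {v: k for k, v in OID_NAMES.items()}


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(buf):
    """Split a constructed DER value (SEQUENCE/SET) into its element TLVs."""
    out, pos = [], 0
    while pos < len(buf):
        tag, val, pos = _read_tlv(buf, pos)
        out.append((tag, val))
    return out


def _decode_oid(raw):
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def decode_name(name_der):
    """Return a DER Name as [(attr, value), ...] in the order it is encoded."""
    attrs = []
    for _, rdn in _children(name_der):          # Name = SEQUENCE OF RDN (each RDN is a SET)
        for _, atv in _children(rdn):           # RDN = SET OF AttributeTypeAndValue
            (_, oid), (_, val) = _children(atv)
            oid = _decode_oid(oid)
            attrs.append((OID_NAMES.get(oid, oid), val.decode("utf-8")))
    return attrs


def name_string(attrs):
    """Render attributes as 'DC=..., CN=...' in encoded order (assumed HIP-dump style)."""
    return ", ".join(f"{k}={v}" for k, v in attrs)


def cert_names(pem):
    """Extract issuer and subject from a PEM certificate with the standard library only."""
    body = "".join(l.strip() for l in pem.splitlines() if l.strip() and not l.startswith("-----"))
    der = base64.b64decode(body)
    _, cert, _ = _read_tlv(der, 0)              # Certificate ::= SEQUENCE
    _, tbs, _ = _read_tlv(cert, 0)              # tbsCertificate is its first element
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                    # optional explicit [0] version comes first
        fields = fields[1:]
    # fields: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return {"issuer": decode_name(fields[2][1]), "subject": decode_name(fields[4][1])}


# --- constructed sample input: a tiny DER encoder so the example runs offline ---
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return out


def _encode_name(attrs):
    rdns = b"".join(_tlv(0x31, _tlv(0x30, _tlv(0x06, _encode_oid(NAME_OIDS[k])) + _tlv(0x0C, v.encode())))
                    for k, v in attrs)
    return _tlv(0x30, rdns)


def build_sample_cert_pem():
    """Constructed, unsigned stand-in for a machine certificate (placeholder key and signature)."""
    sig_alg = _tlv(0x30, _tlv(0x06, _encode_oid("1.2.840.113549.1.1.11")) + _tlv(0x05, b""))
    tbs = _tlv(0x30,
               _tlv(0xA0, _tlv(0x02, b"\x02")) +                            # version v3
               _tlv(0x02, b"\x01") + sig_alg +                              # serial, signature alg
               _encode_name([("DC", "com"), ("DC", "lab"), ("CN", "Lab Root CA")]) +
               _tlv(0x30, _tlv(0x17, b"240101000000Z") + _tlv(0x17, b"340101000000Z")) +
               _encode_name([("CN", "laptop01.lab.com")]) +
               _tlv(0x30, b""))                                              # empty SubjectPublicKeyInfo
    cert = _tlv(0x30, tbs + sig_alg + _tlv(0x03, b"\x00"))
    b64 = base64.b64encode(cert).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n" + lines + "\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    names = cert_names(build_sample_cert_pem())
    print("issuer :", name_string(names["issuer"]))
    print("subject:", name_string(names["subject"]))
```

Run it against the exported machine certificate instead of the sample (`cert_names(open("machine.pem").read())`) and compare the printed issuer with the issuer line in the `hip-report` dump; a mismatch in attribute order, spacing, or a DC component is the usual reason an "issuer" match fails.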
I too am having a similar issue. Set up a new portal/gateway with SAML auth. Want to do a HIP check for a valid machine certificate but not looking to do pre-logon. Machine Certificate is loaded in the Local Computer\Personal\Certificates store per Palo instructions. Subject shows machine name.our domain.com. Problem is, when I open the GP Client GlobalProtect Settings and go to the Host Profile tab, all I see is the word "certificate" at the bottom of the left window with no information in the right window about the cert. As such, it is not sending it to the portal during the HIP submission process. Any thoughts as to why the GP client is not seeing the certificate info? Oddly, in the PanGPS.log file on the client, it says it found the machine cert in the machine store. Has the correct hash etc. Just is not passing it up to the portal.
Any help would be appreciated.
Got the same issue and haven't found anything on PA sites, but found a comment on reddit that you can check for a valid client certificate as part of the authentication process, but not as a HIP check. So it seems that it doesn't collect this information unless it's part of the authentication, which sounds strange.