1. What is the interval for HIP reports that the GP client sends to the gateway?
2. Is it configurable?
3. What triggers HIP report sending?
The default HIP check interval is 1 hour or as seen in the PanGPS logs is displayed in miliseconds as 3600000 ms. The following is what the default interval would look like in the PanGPS logs:
(T11392) 10/03/17 14:16:54:277 Debug(6007): Hip check interval is 3600000 ms.
To change the default interval time this would be modified on the Portal configuration using the following CLI commands:
debug global-protect portal interval <seconds>
debug global-protect portal on
- The new HIP interval will affect all users and all portals
- This setting will remain even after a firewall reboot
- To verify the settings change in the CLI use:
> debug global-protect portal show
cfg.global-protect.portal.hip-report-interval: 60 ( here I changed the setting to update every 60 seconds )
I'm having an issue where GP HIPS appear to expire, rendering all my rules useless and the client gets blocked eveywhere I have the HIP profile enabled. It happens after an hour of connectivity and its not always consistent. It kills long term ssh/rdp sessions and it does not seem to be related to idle timeout (3hr) or max time out (12hr). Will decreasing the check time help?
Got same issue as you. Did you fixed it ?
Traffic match rule based on HIP profile, this is working fine most of the time, and suddenly, that stop working for short period of time. I'm suspecting HIP "report" to aging out (or expiring), but no clue how to troubleshoot this... Worst, this is within Prisma
Ticket's open !
One of our use just experiance issue when GP client just stopped sending HIP report to gateway.
In the GP client logs we can only see that there are no logs for HIP report generation. At one point the GP has reconnect to gateway, but again without any HIP report.
I noticed that when you list ip-to-user mapping in addition to the user id info there will be information about the HIP profiles that this user will match.
I didn't checked that during the time of the issue, but my only guess at the moment is that not the HIP report is "aging out", but the ip-user mappin has been updated (for some reason) without information about the HIP. In my case it I am guessing it was caused by the "bug" in GP agent.
Did you find the root cause?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!