HIP check report interval

Announcements

Changes to the LIVEcommunity experience are coming soon... Here's what you need to know.

Reply
ET
L2 Linker

HIP check report interval

1. What is the interval for HIP reports that the GP client sends to the gateway? 

2. Is it configurable?

3. What triggers HIP report sending?

Tags (4)
bparrish
L1 Bithead

Hi. 

 

The default HIP check interval is 1 hour or as seen in the PanGPS logs is displayed in miliseconds as 3600000 ms.  The following is what the default interval would look like in the PanGPS logs:

 

 (T11392) 10/03/17 14:16:54:277 Debug(6007): Hip check interval is 3600000 ms.

 

To change the default interval time this would be modified on the Portal configuration using the following CLI commands:

 

 debug global-protect portal interval <seconds>
 debug global-protect portal on
 configure
 commit force

 

Notes:

- The new HIP interval will affect all users and all portals

- This setting will remain even after a firewall reboot

- To verify the settings change in the CLI use:

 

> debug global-protect portal show

cfg.global-protect.portal.debug: True
cfg.global-protect.portal.hip-report-interval: 60    ( here I changed the setting to update every 60 seconds )

mmelone
L3 Networker

I'm having an issue where GP HIPS appear to expire, rendering all my rules useless and the client gets blocked eveywhere I have the HIP profile enabled. It happens after an hour of connectivity and its not always consistent. It kills long term ssh/rdp sessions and it does not seem to be related to idle timeout (3hr) or max time out (12hr).   Will decreasing the check time help? 

Dominic_Longpre
L1 Bithead

@mmelone 

 

Got same issue as you. Did you fixed it  ? 

 

Traffic match rule based on HIP profile, this is working fine most of the time, and suddenly, that stop working for short period of time. I'm suspecting HIP "report" to aging out (or expiring), but no clue how to troubleshoot this... Worst, this is within Prisma

 

Ticket's open ! 

AlexanderAstardzhiev
L4 Transporter

@Dominic_Longpre 

 

One of our use just experiance issue when GP client just stopped sending HIP report to gateway.

In the GP client logs we can only see that there are no logs for HIP report generation. At one point the GP has reconnect to gateway, but again without any HIP report.

 

I noticed that when you list ip-to-user mapping in addition to the user id info there will be information about the HIP profiles that this user will match.

 

I didn't checked that during the time of the issue, but my only guess at the moment is that not the HIP report is "aging out", but the ip-user mappin has been updated (for some reason) without information about the HIP. In my case it I am guessing it was caused by the "bug" in GP agent.

 

 

Did you find the root cause?

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!