Matching HIP in Decryption Policy

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Matching HIP in Decryption Policy

L2 Linker

Anyone doing this? It is configurable in the policy itself but isn't referenced in any documentation. The firewalls seem to ignore the HIP profile configured in the decryption rule when matching/not matching traffic. 

 

When I configure the rule to match a hip profile, it never matches correctly on the HIP part. The hip profile is set to match essentially windows clients and decrypt their traffic, but even when I run a mac or Linux client it still matches.

I've double checked hip match logs and I'm not accidentally hitting that profile. Based on the config my traffic should not be decrypted but it is as my username is part of a group referenced in the policy. 

 

The firewall just seems to ignore that bit of the config. 

 

I've opened a support case but do not have any feedback yet. 

12 REPLIES 12

L6 Presenter

Check the article below and check the hip data that is being collected correctly for a test linux/mac user and test windows user. Also check what decryption policy the linux/mac users and windows users are matching with the "test" command that is shown in the example in the article but for security policy. Your linux/mac users could be matching another decryption rule that decrypts the traffic and this is why you to see the issue also check your HIP configuration that you don't have a default condition that matches something like any/any and this is why the linux/mac users to also match this rule.

 

How to Troubleshoot HIP Match Issues - Knowledge Base - Palo Alto Networks

 

How to Troubleshoot HIP Data - Knowledge Base - Palo Alto Networks

 

 

Also check that HIP data collection is enabled on the Globalprotect portal:

 

 

Configure HIP-Based Policy Enforcement (paloaltonetworks.com)

 

 

You may also enable advanced view (see step 5):

 

Customize the GlobalProtect App (paloaltonetworks.com)

 

 

Also check for known issues for your version and addressed ones in versions after yours for globalprotect agent and the palo alto firewall.

 

 

 

Examples:

 

Addressed Issues in GlobalProtect App 5.2 (paloaltonetworks.com)

 

GlobalProtect App 5.2 Known Issues (paloaltonetworks.com)

 

 

Known Issues (paloaltonetworks.com)

 

PAN-OS 9.1 Addressed Issues (paloaltonetworks.com)

I have confirmed this. There is only one decryption policy configured with an action of "decrypt" and decryption logs confirm that my traffic is being decrypted by this specific policy. There is one user group and one HIP profile configured in the rule.

 

I have confirmed that my test linix/mac machines do not match the HIP policy configured in the rule

 

 

If you want check as I mentioned for known and addressed issues for the agent and the firewall as this seems a bug in this case and if it is not documented then a TAC case could be needed.

TAC case open although I'm not 100% sure my point is getting across, but they are working on it. 

L0 Member

Hey there, any update from TAC on this issue?

I can replicate the same issue as you, with a simple IOS vs Mac OS HIP check and the decryption policy is matching on the source zone/IP details only and NOT the HIP profile. When reordering my two policies, whichever policy is first is the one that matches on all traffic, ignoring the HIP profile assigned to said policy.

I just wanted to check to see whether you got anywhere with TAC, before I raise a case. If it doesn't work by design, then the option must be removed from the policy. If it should work, then the bug needs to be resolved. I've tested all the way to 10.2 and without success.

Hi,

any news from the TAC?

I have exactly the same problem on my PA-440.

Best regards

 

Jarek

Cyber Elite
Cyber Elite

Just adding a little detail here, but I wanted to ask. Do you have a Global Protect license on your FW?  I seem to recall that HIP works when a GP Gateway license is purchased.  I mean GP, in general, will work, but I did not see any comments (unless I overlooked them) that stated that the FW has a GP gateway license on the FW.   Thanks.

Help the community: Like helpful comments and mark solutions

Hi Steve,

in my case, I have GP license (but not IOT license) and using Hip Profile in Source Device on Decryption Policy has no effect.

L2 Linker

Was informed that this will be fixed in an upcoming release.

I believe the fix is planned in 10.1.8 but that is not official. 

L1 Bithead

Does anyone know if this has been resolved? I seem to be running into this on 11.0.2.

L0 Member

Same for me, on 11.0.3-h5 (last preferred version) it is still not working,

  • 5518 Views
  • 12 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!