Anyone doing this? It is configurable in the policy itself but isn't referenced in any documentation. The firewalls seem to ignore the HIP profile configured in the decryption rule when matching/not matching traffic.
When I configure the rule to match a HIP profile, it never matches correctly on the HIP part. The HIP profile is set to match essentially Windows clients and decrypt their traffic, but even when I run a Mac or Linux client it still matches.
I've double checked hip match logs and I'm not accidentally hitting that profile. Based on the config my traffic should not be decrypted but it is as my username is part of a group referenced in the policy.
The firewall just seems to ignore that bit of the config.
I've opened a support case but do not have any feedback yet.
Check the article below and check that the HIP data is being collected correctly for a test Linux/Mac user and a test Windows user. Also check what decryption policy the Linux/Mac users and Windows users are matching with the "test" command that is shown in the example in the article, but for security policy. Your Linux/Mac users could be matching another decryption rule that decrypts the traffic, and this is why you see the issue. Also check your HIP configuration to make sure you don't have a default condition that matches something like any/any, which is why the Linux/Mac users would also match this rule.
Also check that HIP data collection is enabled on the GlobalProtect portal:
You may also enable advanced view (see step 5):
Also check for known issues for your version, and addressed ones in versions after yours, for the GlobalProtect agent and the Palo Alto firewall.
Addressed Issues in GlobalProtect App 5.2 (paloaltonetworks.com)
GlobalProtect App 5.2 Known Issues (paloaltonetworks.com)
Known Issues (paloaltonetworks.com)
PAN-OS 9.1 Addressed Issues (paloaltonetworks.com)
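An added example (not from this thread or from Palo Alto Networks) that automates the cross-check the reply above describes: it compares constructed HIP-match and decryption log lines to find users whose traffic was decrypted by a rule that requires a HIP profile they never matched, and HIP-match entries where a non-Windows host matched a Windows-only profile. The CSV layout, rule name and profile name are assumptions, not the real PAN-OS export format.

```python
import csv
from io import StringIO

# Constructed HIP-match log (simplified CSV, not the real PAN-OS export layout).
# Only alice's Windows host produced a match for the profile the rule references.
HIP_MATCH_LOG = """\
user,src_ip,os,hip_profile
alice,10.1.1.10,Windows 10,Windows-Clients
erin,10.1.1.50,macOS 12,Windows-Clients
"""

# Constructed decryption log: bob and carol stand in for the thread's Mac/Linux users.
DECRYPTION_LOG = """\
user,src_ip,rule,action
alice,10.1.1.10,Decrypt-Windows-Users,decrypt
bob,10.1.1.20,Decrypt-Windows-Users,decrypt
carol,10.1.1.30,Decrypt-Windows-Users,decrypt
dave,10.1.1.40,Default-NoDecrypt,no-decrypt
"""

# HIP profile each decryption rule is configured to require (assumed names).
RULE_HIP_PROFILE = {"Decrypt-Windows-Users": "Windows-Clients"}

def load(text):
    return list(csv.DictReader(StringIO(text)))

def find_unexpected_decrypts(dec_rows, hip_rows, rule_profiles):
    """Decryption rows whose rule requires a HIP profile that the source
    (user, IP) never matched: the rule is matching on user/zone alone."""
    matched = {(r["user"], r["src_ip"], r["hip_profile"]) for r in hip_rows}
    hits = []
    for r in dec_rows:
        needed = rule_profiles.get(r["rule"])
        if needed is None or r["action"] != "decrypt":
            continue  # rule has no HIP condition, or nothing was decrypted
        if (r["user"], r["src_ip"], needed) not in matched:
            hits.append((r["user"], r["src_ip"], r["rule"]))
    return hits

def find_overbroad_hip_matches(hip_rows, profile, os_prefix="Windows"):
    """HIP-match rows where a non-Windows host matched a Windows-only profile:
    a sign the profile has a catch-all (any/any) condition, as the reply warns."""
    return [(r["user"], r["os"]) for r in hip_rows
            if r["hip_profile"] == profile and not r["os"].startswith(os_prefix)]

if __name__ == "__main__":
    dec, hip = load(DECRYPTION_LOG), load(HIP_MATCH_LOG)
    print(find_unexpected_decrypts(dec, hip, RULE_HIP_PROFILE))
    print(find_overbroad_hip_matches(hip, "Windows-Clients"))
```

Feed it your own exported HIP-match and decryption logs (after mapping the columns) and an empty first list means the rule is only decrypting hosts that actually matched the profile.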
I have confirmed this. There is only one decryption policy configured with an action of "decrypt" and decryption logs confirm that my traffic is being decrypted by this specific policy. There is one user group and one HIP profile configured in the rule.
I have confirmed that my test Linux/Mac machines do not match the HIP policy configured in the rule.
Hey there, any update from TAC on this issue?
I can replicate the same issue as you, with a simple iOS vs Mac OS HIP check, and the decryption policy is matching on the source zone/IP details only and NOT the HIP profile. When reordering my two policies, whichever policy is first is the one that matches on all traffic, ignoring the HIP profile assigned to said policy.
I just wanted to check to see whether you got anywhere with TAC, before I raise a case. If it doesn't work by design, then the option must be removed from the policy. If it should work, then the bug needs to be resolved. I've tested all the way to 10.2 and without success.
Just adding a little detail here, but I wanted to ask. Do you have a Global Protect license on your FW? I seem to recall that HIP works when a GP Gateway license is purchased. I mean GP, in general, will work, but I did not see any comments (unless I overlooked them) that stated that the FW has a GP gateway license on the FW. Thanks.