01-25-2022 06:55 AM
Anyone doing this? It is configurable in the policy itself but isn't referenced in any documentation. The firewalls seem to ignore the HIP profile configured in the decryption rule when matching/not matching traffic.
When I configure the rule to match a hip profile, it never matches correctly on the HIP part. The hip profile is set to match essentially windows clients and decrypt their traffic, but even when I run a mac or Linux client it still matches.
I've double checked hip match logs and I'm not accidentally hitting that profile. Based on the config my traffic should not be decrypted but it is as my username is part of a group referenced in the policy.
The firewall just seems to ignore that bit of the config.
I've opened a support case but do not have any feedback yet.
01-26-2022 12:33 AM - edited 01-26-2022 12:35 AM
Check the article below and check the hip data that is being collected correctly for a test linux/mac user and test windows user. Also check what decryption policy the linux/mac users and windows users are matching with the "test" command that is shown in the example in the article but for security policy. Your linux/mac users could be matching another decryption rule that decrypts the traffic and this is why you to see the issue also check your HIP configuration that you don't have a default condition that matches something like any/any and this is why the linux/mac users to also match this rule.
How to Troubleshoot HIP Match Issues - Knowledge Base - Palo Alto Networks
How to Troubleshoot HIP Data - Knowledge Base - Palo Alto Networks
Also check that HIP data collection is enabled on the Globalprotect portal:
Configure HIP-Based Policy Enforcement (paloaltonetworks.com)
You may also enable advanced view (see step 5):
Customize the GlobalProtect App (paloaltonetworks.com)
Also check for known issues for your version and addressed ones in versions after yours for globalprotect agent and the palo alto firewall.
Examples:
Addressed Issues in GlobalProtect App 5.2 (paloaltonetworks.com)
GlobalProtect App 5.2 Known Issues (paloaltonetworks.com)
Known Issues (paloaltonetworks.com)
PAN-OS 9.1 Addressed Issues (paloaltonetworks.com)
01-26-2022 06:49 AM
I have confirmed this. There is only one decryption policy configured with an action of "decrypt" and decryption logs confirm that my traffic is being decrypted by this specific policy. There is one user group and one HIP profile configured in the rule.
I have confirmed that my test linix/mac machines do not match the HIP policy configured in the rule
01-26-2022 12:01 PM
If you want check as I mentioned for known and addressed issues for the agent and the firewall as this seems a bug in this case and if it is not documented then a TAC case could be needed.
01-26-2022 12:03 PM
TAC case open although I'm not 100% sure my point is getting across, but they are working on it.
03-21-2022 08:56 PM
Hey there, any update from TAC on this issue?
I can replicate the same issue as you, with a simple IOS vs Mac OS HIP check and the decryption policy is matching on the source zone/IP details only and NOT the HIP profile. When reordering my two policies, whichever policy is first is the one that matches on all traffic, ignoring the HIP profile assigned to said policy.
I just wanted to check to see whether you got anywhere with TAC, before I raise a case. If it doesn't work by design, then the option must be removed from the policy. If it should work, then the bug needs to be resolved. I've tested all the way to 10.2 and without success.
06-23-2022 03:27 AM
Hi,
any news from the TAC?
I have exactly the same problem on my PA-440.
Best regards
Jarek
06-23-2022 04:53 AM
Just adding a little detail here, but I wanted to ask. Do you have a Global Protect license on your FW? I seem to recall that HIP works when a GP Gateway license is purchased. I mean GP, in general, will work, but I did not see any comments (unless I overlooked them) that stated that the FW has a GP gateway license on the FW. Thanks.
06-23-2022 04:58 AM
Hi Steve,
in my case, I have GP license (but not IOT license) and using Hip Profile in Source Device on Decryption Policy has no effect.
10-11-2022 11:25 AM
Was informed that this will be fixed in an upcoming release.
10-19-2022 06:40 AM
I believe the fix is planned in 10.1.8 but that is not official.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
