Matching HIP in Decryption Policy


L2 Linker

Anyone doing this? It is configurable in the policy itself but isn't referenced in any documentation. The firewalls seem to ignore the HIP profile configured in the decryption rule when matching/not matching traffic. 

 

When I configure the rule to match a HIP profile, it never matches correctly on the HIP part. The HIP profile is set to match essentially Windows clients and decrypt their traffic, but even when I run a Mac or Linux client it still matches.

I've double-checked the HIP match logs and I'm not accidentally hitting that profile. Based on the config my traffic should not be decrypted, but it is, as my username is part of a group referenced in the policy.

 

The firewall just seems to ignore that bit of the config. 

 

I've opened a support case but do not have any feedback yet. 

Cyber Elite

Check the article below, and check that the HIP data is being collected correctly for a test Linux/Mac user and a test Windows user. Also check which decryption policy the Linux/Mac users and the Windows users are matching, using the "test" command that is shown in the example in the article but for security policy. Your Linux/Mac users could be matching another decryption rule that decrypts the traffic, and this is why you see the issue. Also check in your HIP configuration that you don't have a default condition that matches something like any/any, and this is why the Linux/Mac users also match this rule.

 

How to Troubleshoot HIP Match Issues - Knowledge Base - Palo Alto Networks

 

How to Troubleshoot HIP Data - Knowledge Base - Palo Alto Networks

 

 

Also check that HIP data collection is enabled on the GlobalProtect portal:

 

 

Configure HIP-Based Policy Enforcement (paloaltonetworks.com)

 

 

You may also enable advanced view (see step 5):

 

Customize the GlobalProtect App (paloaltonetworks.com)

 

 

Also check for known issues for your version, and addressed ones in versions after yours, for the GlobalProtect agent and the Palo Alto firewall.

 

 

 

Examples:

 

Addressed Issues in GlobalProtect App 5.2 (paloaltonetworks.com)

 

GlobalProtect App 5.2 Known Issues (paloaltonetworks.com)

 

 

Known Issues (paloaltonetworks.com)

 

PAN-OS 9.1 Addressed Issues (paloaltonetworks.com)
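The checks suggested above come down to correlating two logs: which HIP profiles a client actually matched, and which decryption rule its sessions hit. The script below is an added example, not code from this thread or from Palo Alto Networks, that performs that correlation over constructed sample records. The column names, the rule-to-HIP-profile mapping and the sample log lines are assumptions made for the example and are not the firewall's real CSV/syslog field order; export your own logs and adjust the headers accordingly.

```python
"""Flag sessions decrypted by a rule whose required HIP profile the client
never matched, by joining a HIP-match log against a decryption log.

Added example. Field names, the rule -> HIP profile map and all log lines
below are constructed assumptions, not PAN-OS's actual export format.
"""
import csv
import io

# Constructed sample: HIP-match log, one row per (client, matched profile).
HIP_MATCH_LOG = """\
receive_time,src_user,src_ip,machine,os,hip_profile
2023-05-01 09:00:01,alice,10.1.1.10,ALICE-WIN,Windows 10,Windows-Clients
2023-05-01 09:00:05,bob,10.1.1.20,BOB-MAC,macOS 13,Any-Client
"""

# Constructed sample: decryption log, one row per TLS session.
DECRYPTION_LOG = """\
receive_time,src_user,src_ip,dst_ip,rule,action
2023-05-01 09:01:00,alice,10.1.1.10,93.184.216.34,Decrypt-Windows-Users,decrypt
2023-05-01 09:01:10,bob,10.1.1.20,93.184.216.34,Decrypt-Windows-Users,decrypt
2023-05-01 09:01:20,carol,10.1.1.30,93.184.216.34,No-Decrypt-Default,no-decrypt
"""

# Assumed policy configuration: which HIP profile each decryption rule requires.
# Rules absent from this map carry no HIP condition.
RULE_HIP_PROFILE = {"Decrypt-Windows-Users": "Windows-Clients"}


def parse_csv(text):
    """Parse a CSV export (with header row) into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def hip_matches(hip_rows):
    """Map (user, source IP) -> set of HIP profile names that client matched."""
    matched = {}
    for row in hip_rows:
        key = (row["src_user"], row["src_ip"])
        matched.setdefault(key, set()).add(row["hip_profile"])
    return matched


def find_unexpected_decryptions(decrypt_rows, hip_rows, rule_profiles):
    """Return decryption rows where the action was 'decrypt', the rule requires
    a HIP profile, and the HIP-match log shows the client never matched it.
    Each returned row is annotated with the required and the observed profiles."""
    matched = hip_matches(hip_rows)
    flagged = []
    for row in decrypt_rows:
        required = rule_profiles.get(row["rule"])
        if row["action"] != "decrypt" or required is None:
            continue  # not decrypted, or rule has no HIP condition: nothing to check
        observed = matched.get((row["src_user"], row["src_ip"]), set())
        if required not in observed:
            flagged.append({
                **row,
                "required_hip_profile": required,
                "matched_hip_profiles": sorted(observed),
            })
    return flagged


if __name__ == "__main__":
    hits = find_unexpected_decryptions(
        parse_csv(DECRYPTION_LOG), parse_csv(HIP_MATCH_LOG), RULE_HIP_PROFILE
    )
    for h in hits:
        print(f"{h['receive_time']} {h['src_user']}@{h['src_ip']} decrypted by "
              f"{h['rule']} but matched HIP {h['matched_hip_profiles']}, "
              f"not {h['required_hip_profile']}")
```

In the constructed data, bob's macOS client matched only the Any-Client profile yet was decrypted by the rule that requires Windows-Clients, so his session is the one flagged; alice (matched the required profile) and carol (not decrypted) are not. If a real export produces hits like this for a rule with a single HIP profile, the HIP condition is being ignored at match time, which is what the original poster describes; if it produces none, look for a second decrypt rule or an over-broad HIP object instead.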

I have confirmed this. There is only one decryption policy configured with an action of "decrypt" and decryption logs confirm that my traffic is being decrypted by this specific policy. There is one user group and one HIP profile configured in the rule.

 

I have confirmed that my test Linux/Mac machines do not match the HIP profile configured in the rule.

 

 

If you want, check, as I mentioned, for known and addressed issues for the agent and the firewall, as this seems to be a bug in this case, and if it is not documented then a TAC case could be needed.

TAC case open although I'm not 100% sure my point is getting across, but they are working on it. 
