Problems with HIP profile logs

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Problems with HIP profile logs

L4 Transporter

There is problem with Global Protect HIP profiles. HIP logs can not be displayed by firewall

What could be the reason?

12 REPLIES 12

Community Team Member

Hi @Radmin_85,

 

You're not giving us much to work with ... what debugging have you done already and what OS are you running ?

 

Maybe:

https://live.paloaltonetworks.com/t5/Management-Articles/HIP-checks-are-not-logged-and-traffic-is-al...

 

Cheers !

-Kiwi.

LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

L5 Sessionator

Hi @Radmin_85

 

Are you saying that when you go to Monitor -> HIP Match there are no entries? Please note for entries to appear here it must match the below criteria:

 

GlobalProtect Gateway License Valid

The HIP Object is matched: (Objects -> HIP Objects)

HIP Collection is turned on in the portal: Network -> Portals -> Portal Name -> Agent -> Config Name -> Data Collection -> Collect HIP Data

 

Otherwise, are you saying you receive an error when trying to display these logs? Could you perhaps provide any more insight into the issue you're facing?

 

Thanks,

Luke.

PA OS 8.1.2

I will give more info soon

i have made all you reccomendations

but there is no entry under monitor tab

Hi @Radmin_85,

 

I presume you have a GlobalProtect Gateway License. Could you send a screenshot of your HIP Profile and HIP object and attach the pangps.log file from the GlobalProtect "Collected.zip" from the client machine?

 

https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Collect-Logs-from-GlobalProtect-Clie...

 

Edit: also the output from the command:

 

> debug user-id dump hip-report computer <computername> ip <ip> user <username>

 

Thanks,

Luke.

how i can add here log files collected from GP agent?Screenshot_4.png

Hi @Radmin_85

 

You may upload them to some cloud storage such as Google Drive, OneDrive etc then share the link here.

 

Do you also have a screenshot of your HIP Profiles and Objects on the firewall?

 

Thanks,

Luke.

Hi @Radmin_85,


So HIP checking appears to be running.

 

(T15896) 03/12/18 15:47:53:181 Debug(3976): HipReportThread: HipReportThread starts up.
(T15896) 03/12/18 15:47:53:181 Debug(4002): HipReportThread: wait for HIP report ready event.
(T10032) 03/12/18 15:47:53:181 Debug( 25): create thread 0x798 with thread ID 15916
(T15788) 03/12/18 15:47:53:181 Debug(4208): NetworkConnectionMonitorThread: network connection monitor thread starts.
(T15916) 03/12/18 15:47:53:181 Debug( 167): Start HipCheckThread
(T10032) 03/12/18 15:47:53:181 Debug( 25): create thread 0x794 with thread ID 15908
(T15916) 03/12/18 15:47:53:181 Debug( 210): HipCheckThread started...
(T15916) 03/12/18 15:47:53:181 Debug( 216): HipCheckThread: wait for hip check event for 3600000 ms);

 

However, you're not matching any HIP profiles because you're not able to connect to the GlobalProtect portal.

 

(T10032) 03/12/18 15:47:51:427 Debug(5724): portal status is Invalid portal.

(T10032) 03/12/18 15:47:53:529 Info (6766): Portal config does not exist, try registry/plist

(T10032) 03/12/18 15:47:53:529 Debug(4677): --Set state to Disconnected

 

Can you confirm your GlobalProtect Portal is appropriately configured with an Agent Config? Please follow from Step 5 in the below example documentation.

 

https://live.paloaltonetworks.com/t5/Configuration-Articles/Basic-GlobalProtect-Configuration-with-U...

 

Thanks,

Luke.

 

 

 

I have tested . no event is logged in the HIP Match log  . and also traffic  from smartphone not denied. I suppose  global protect clients not  sending HIP  info  to palo alto.
 

admin@paloalto> debug user-id dump hip-profile-database statistics
 
Total number of hipmask in database: 9
Total number of logout records in database: 75
Total size of hip reports: 1033KB used / 740352KB
 
admin@paloalto> debug user-id dump hip-profile-database ipmapping
 
Total number of ipmappings in database: 0
No record exists or matches!
 
admin@paloalto> debug user-id dump hip-profile-database entry
 
Total number of hipmask in database: 9
Total number of logout records in database: 75
Total size of hip reports: 1033KB used / 740352KB
No record exists or matches!

Is there any commands I can run to display version of GlobalProtec client for all users? The version can be seen from the gui but for just a given user and the same info I can get by running below commands but again this command displays a version for that user only. 

 

debug user-id dump hip-report computer <computer-name> ip <global-protect-assigned-ip> user <username>

 

  • 7858 Views
  • 12 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!