User-ID rule to bypass HIP check not matching.

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

User-ID rule to bypass HIP check not matching.

L1 Bithead

Hi all,

 

I have a rule to allow certain Global Protect users DNS and RDP traffic by matching the user-id. However, even though it looks like the traffic should match when I view the traffic log it's not?! For some users the rule works fine but others it doesn't match and I can't work it out.

 

Any help would be greatly appreciated 🙂

 

Kevin.

11 REPLIES 11

Cyber Elite
Cyber Elite

@adrianflux,

Would really need to look at the logs to figure this out. You've verified that the user-id is recorded in the denied traffic logs and the rulebase entry properly passes when you do a test security-policy-match? Can you give us an output of the security entry and an example of one of the logs that isn't currently working? 

L3 Networker

Hi ,

 

Check the user-id how is formatted in the logs like :  domain\bob

Then check the traffic logs that you interested and check there the user , it should be something else and that is the reason why 

Then check the security policy to see if you have domain\bob like the user ID .

The HIP collection is taking the username and domain. 

L4 Transporter

Hi all,

 

I have a similar problem. I have some users connect by global protect with HIP Profile that sometimes they have match in one rule and othertimes they have match in another rules. 

 

I still have two rules, one with HIP and one without HIP profile for this reason.

 

I want to delete the rule without HIP profile but not for the moment because I have the doubt that if I don't have it... the traffic can go down as it is still maching on both rules


Can anyone help me?

 

 

@BigPalo are there different HIP profiles specified in the two security policy rules?

No, We have only one HIP profiles specified in the one security policy rule

 

The other rule does not have HIP profile applied

Then it looks like the HIP profile does not match all the time. What do you check with that HIP profile?

Hi,

 

Thanks for your answer...but I think that it is not the problem because users sometimes match in correct rule If we had HIP profile wrong it never work fine , no?

 

I was thinking about the HIP profile because of the topic here where you posted this comment. And also because in the screenshot everything is exactly the same. Another possibility would be an URL category in the rule which makes sometime match one and then again the other rule.

L3 Networker

When the user disconnects from GP there are session that will expire, therefore there is no HIP data at the moment . I have seen in my logs that is matching a "catch" rule DENY for those HIP profiles are not working. 

Hi, thanks for your response, I have checked in my logs but I have not found rule DENY

 

I only see that user change your match for another rule but it is allow rule

 

Regards

L3 Networker

Hi ,

 

Are they RDP with the same account like the login username of GP ? 

Have you defined AD groups in the ACL ? 

 

What username is not matching the RDP and the DNS and have you compared that to the username login ? 

I had the same issue and I deleted the source user AD group because I had users like domain\bob and the RDP was done by domain\admbob. 

 

 

  • 4960 Views
  • 11 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!