HIP Profile not working

Using GlobalProtect to connect remotely. Enabled HIP profile for compliance check. Users get connected even if the endpoints are non-compliant.

I configured HIP profile to check whether remote machines have DLP agent installed. GP gets connected with notification "DLP agent not found". Below are the GP logs.

-----------------------------

(P14072-T17108)Debug( 139): 03/23/21 18:03:31:414 Got hip report in other process ready event.
(P14072-T17108)Debug( 158): 03/23/21 18:03:31:414 Read output from PanGpHip.exe
(P14072-T17108)Debug( 195): 03/23/21 18:03:31:414 write hip file now
(P14072-T17108)Debug( 226): 03/23/21 18:03:31:414 CheckHipInOtherProcess() sets hip report ready event.
(P14072-T17108)Debug( 135): 03/23/21 18:03:31:414 Wait for the ready event of hip report generated in other process.
(P14072-T6184)Debug(6048): 03/23/21 18:03:31:414 HipReportThread: got HIP report ready event.
(P14072-T6184)Debug(6064): 03/23/21 18:03:31:414 HipReportThread: wait for network discover ready event.
(P14072-T6184)Debug(6069): 03/23/21 18:03:31:414 HipReportThread: got network discover ready event.
(P14072-T6184)Debug(8135): 03/23/21 18:03:31:460 use cached deviceSN
(P14072-T6184)Debug(6149): 03/23/21 18:03:31:460 Sending hip report delay max registry setting is -1 seconds
(P14072-T6184)Debug(6151): 03/23/21 18:03:31:460 Set max sending hip report delay to default 1800 seconds
(P14072-T6184)Debug(6167): 03/23/21 18:03:31:460 v3 hip report is encoded
(P14072-T6184)Debug(6182): 03/23/21 18:03:31:460 v4 hip report is encoded
(P14072-T6184)Debug(6205): 03/23/21 18:03:31:460 HIP report v3 md5 digest is d9df91f4e03c9fee9f68707d17649756
(P14072-T6184)Debug(6237): 03/23/21 18:03:31:460 HIP report v4 md5 digest is 4e4b72bd4053b7e9d85e6d08e4b361e
(P14072-T6184)Debug(6265): 03/23/21 18:03:31:460 HipReportThread: network type is external network.
(P14072-T6184)Debug(1706): 03/23/21 18:03:31:460 Send v4 hip report to gateway GATEWAYIP
(P14072-T6184)Debug(4827): 03/23/21 18:03:31:460 Entering SendHipReportToGateway(). Gateway: GATEWAYIP
(P14072-T6184)Debug( 799): 03/23/21 18:03:31:460 m_bScheduleFlag is 1
(P14072-T6184)Debug( 809): 03/23/21 18:03:31:460 m_bScheduleFlag is set to 1
(P14072-T6184)Debug(4852): 03/23/21 18:03:31:460 Gateway GATEWAYIP: now is 1616502811, next hip checking is 0, next hip report check sending time is 1616506404, last hip report check sending time is 1616502804, sending hip delay is 0 ms
(P14072-T6184)Debug(4869): 03/23/21 18:03:31:460 Wait for 0 ms to send hip report check to gateway GATEWAYIP
(P14072-T6184)Debug(4882): 03/23/21 18:03:31:460 Time to send hip report to gateway GATEWAYIP
(P14072-T6184)Debug(3027): 03/23/21 18:03:31:460 Gateway: GATEWAYIP, client IP: LOCALIP
(P14072-T6184)Debug(4899): 03/23/21 18:03:31:460 Hip report head to gateway GATEWAYIP is

(P14072-T6184)Debug(5078): 03/23/21 18:03:31:460 SendHipReportNReceive()
(P14072-T6184)Debug(5100): 03/23/21 18:03:31:460 bUseCCUser=0, ccUserName=, m_userName=vpnpa
(P14072-T6184)Debug(5109): 03/23/21 18:03:31:460 latency report data=&pretunnellatency=184ms&posttunnellatency=172ms
(P14072-T6184)Debug(5114): 03/23/21 18:03:31:460 using https to send hip report check to gateway GATEWAYIP
(P14072-T6184)Debug(8135): 03/23/21 18:03:31:460 use cached deviceSN
(P14072-T6184)Debug(5156): 03/23/21 18:03:31:460 Network discover SN 71 remains same.
(P14072-T6184)Debug( 788): 03/23/21 18:03:31:462 SSL connecting to GATEWAYIP
(P14072-T6184)Debug( 563): 03/23/21 18:03:31:475 Network is reachable
(P14072-T6184)Debug(4742): 03/23/21 18:03:31:850 SSL verify succeed
(P14072-T6184)Debug(1350): 03/23/21 18:03:32:234 OpenSSL alert write:warning:close notify
(P14072-T6184)Debug(5169): 03/23/21 18:03:32:234 Gateway GATEWAYIP, response to the hip report check:

<response status="success">
<hip-report-needed>no</hip-report-needed>
<delay>0</delay>
</response>

(P14072-T6184)Info (5171): 03/23/21 18:03:32:234 sent HIP report check to GATEWAYIP.
(P14072-T6184)Debug(5199): 03/23/21 18:03:32:235 Response status of HIP report check is success, gateway GATEWAYIP
(P14072-T6184)Debug(5201): 03/23/21 18:03:32:235 Hip report check returns success.
(P14072-T6184)Debug(4913): 03/23/21 18:03:32:235 SendHipReportNReceive returns TRUE for gateway GATEWAYIP
(P14072-T6184)Debug(4927): 03/23/21 18:03:32:235 Hip notification is empty in the HIP report check response from gateway GATEWAYIP
(P14072-T6184)Info (4949): 03/23/21 18:03:32:235 Hip report is not needed for gateway GATEWAYIP.
(P14072-T6184)Debug(4986): 03/23/21 18:03:32:235 SSL is disconnected. Returns TRUE.
(P14072-T6184)Debug(1708): 03/23/21 18:03:32:235 SendHipReportToGateway GATEWAYIP returns TRUE.
(P14072-T16960)Debug(2392): 03/23/21 18:03:32:235 Setting debug level to 5
(P14072-T6184)Debug(1142): 03/23/21 18:03:32:236 Display hip report V4 on the UI
(P14072-T6184)Debug(1151): 03/23/21 18:03:32:252 Hip report changed. Include it in status message to client.
(P14072-T6184)Debug(6043): 03/23/21 18:03:32:253 HipReportThread: wait for HIP report ready event.
(P14072-T17108)Debug( 143): 03/23/21 18:03:32:739 Got event for PanGpHip process has quited.
(P14072-T17108)Debug( 338): 03/23/21 18:03:32:739 CheckHip over
(P14072-T17108)Debug( 282): 03/23/21 18:03:32:739 Hip checking is not initiated by clicking resubmit host profile.
(P14072-T17108)Debug( 216): 03/23/21 18:03:32:739 HipCheckThread: wait for hip check event for 3600000 ms);
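As an added example (not part of the original post or of the GlobalProtect client), the following Python parser reads the kind of client log excerpt posted above and pulls out the HIP report check exchange: the digest the client computed, the XML answer the gateway sent back, and whether a notification came with it. The sample text is built from lines in the post; the line layout assumed is `(Pxxx-Tyyy)Level(src): mm/dd/yy hh:mm:ss:ms message`, with the gateway's XML response spread over the lines that follow.

```python
"""Added example, not from the thread or the GlobalProtect client: parse a
PanGPS-style log excerpt and summarise the HIP report check exchange."""
import re
import xml.etree.ElementTree as ET

# Assumed line layout: "(P<pid>-T<tid>)<Level>(<src>): <mm/dd/yy hh:mm:ss:ms> <msg>"
LOG_LINE = re.compile(
    r"^\((?P<proc>P\d+-T\d+)\)(?P<level>\w+)\s*\(\s*(?P<src>\d+)\):\s+"
    r"(?P<ts>\d\d/\d\d/\d\d \d\d:\d\d:\d\d:\d+)\s+(?P<msg>.*)$"
)

# Sample built from lines in the post above (the gateway address is the
# poster's placeholder GATEWAYIP).
SAMPLE_LOG = """(P14072-T6184)Debug(6237): 03/23/21 18:03:31:460 HIP report v4 md5 digest is 4e4b72bd4053b7e9d85e6d08e4b361e
(P14072-T6184)Debug(1706): 03/23/21 18:03:31:460 Send v4 hip report to gateway GATEWAYIP
(P14072-T6184)Debug(5169): 03/23/21 18:03:32:234 Gateway GATEWAYIP, response to the hip report check:

<response status="success">
<hip-report-needed>no</hip-report-needed>
<delay>0</delay>
</response>

(P14072-T6184)Info (5171): 03/23/21 18:03:32:234 sent HIP report check to GATEWAYIP.
(P14072-T6184)Debug(4927): 03/23/21 18:03:32:235 Hip notification is empty in the HIP report check response from gateway GATEWAYIP
(P14072-T6184)Info (4949): 03/23/21 18:03:32:235 Hip report is not needed for gateway GATEWAYIP.
"""


def parse_lines(text):
    """Yield (fields, raw) per line. Lines that do not match the log layout
    (the multi-line XML body) are yielded with fields=None."""
    for raw in text.splitlines():
        m = LOG_LINE.match(raw)
        yield (m.groupdict() if m else None), raw


def hip_check_summary(text):
    """Summarise the HIP report check: client digest, gateway verdict, notification."""
    summary = {"gateway": None, "digest_v4": None, "status": None,
               "report_needed": None, "delay": None, "notification_empty": False}
    xml_lines, collecting = [], False
    for fields, raw in parse_lines(text):
        if fields is None:
            # Non-log lines after the "response to the hip report check:" line
            # are the gateway's XML body; keep the non-empty ones.
            if collecting and raw.strip():
                xml_lines.append(raw.strip())
            continue
        collecting = False  # the next real log line ends the XML body
        msg = fields["msg"]
        m = re.match(r"HIP report v4 md5 digest is (\w+)", msg)
        if m:
            summary["digest_v4"] = m.group(1)
        m = re.match(r"Gateway (\S+), response to the hip report check:", msg)
        if m:
            summary["gateway"] = m.group(1)
            collecting = True
        if msg.startswith("Hip notification is empty"):
            summary["notification_empty"] = True
    if xml_lines:
        root = ET.fromstring("".join(xml_lines))
        summary["status"] = root.get("status")
        # "yes" means the gateway wants the full report sent; "no" means the
        # digest it already holds for this client still matches.
        summary["report_needed"] = root.findtext("hip-report-needed") == "yes"
        summary["delay"] = int(root.findtext("delay", "0"))
    return summary


if __name__ == "__main__":
    for key, value in hip_check_summary(SAMPLE_LOG).items():
        print(f"{key:>20}: {value}")
```

Reading the result against the thread: `status=success`, `report_needed=False` and an empty notification mean the gateway already holds a matching HIP report for this client and the check completed normally, which is why the tunnel stays up; whether a non-compliant endpoint gets blocked is decided later by the security policy that references the HIP profile, not by this exchange.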

8 REPLIES

Cyber Elite

@charles07,

So what are you actually expecting when a user doesn't have the DLP agent outside of the notification that you set up? It sounds like your actual HIP checks are working perfectly fine, as you're getting your notification, but you are expecting something else.

If the DLP agent is not found, Globalprotect VPN should not get connected.

@charles07,

So by default there's not a super clean way to manage this. You can use custom checks on the portal agent configuration assuming that the DLP agent writes something in the registry you can check against, which it should.

Otherwise what you can do is create a security rulebase entry that matches everyone who doesn't have the DLP agent installed and set it to deny all traffic. This would effectively just make it so they aren't able to pass any traffic if they don't have the DLP agent installed. I'd generally recommend at that point that you leave your HIP notification in place so the user knows why their traffic is being dropped, and then use the API to pull these users and forcibly log them out via a scheduled script if you want to go the extra mile. 
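The following Python script is an added example, not code from the thread or from Palo Alto Networks, in the spirit of the "pull these users via the API and log them out" step above. It takes HIP-match log entries as the PAN-OS XML API returns them, lists the users whose endpoints matched a "DLP agent missing" HIP object, and builds the operational command that would log each of them out of the gateway. Everything named here is assumed: the HIP object `no-dlp-agent`, the gateway `GP-GW`, the `srcuser`/`machinename`/`matchname` fields of a `hipmatch` log entry, and the `request global-protect-gateway client-logout` command shape; the sample log is constructed and no request is actually sent.

```python
"""Added example, not from the thread or Palo Alto Networks: turn HIP-match
log entries into GlobalProtect client-logout op commands for non-compliant
users. All object, gateway and field names are assumptions (see below)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

NONCOMPLIANT_HIP_OBJECT = "no-dlp-agent"   # assumed HIP object: matches endpoints without the DLP agent
GATEWAY_NAME = "GP-GW"                     # assumed gateway name as the firewall reports it

# Constructed sample in the shape assumed for type=log&log-type=hipmatch:
# alice and carol matched the "agent missing" object (alice twice), bob did not.
SAMPLE_HIPMATCH_XML = """<response status="success"><result><log><logs count="4">
<entry><srcuser>corp\\alice</srcuser><machinename>LAPTOP-A</machinename><matchname>no-dlp-agent</matchname><src>10.0.0.5</src></entry>
<entry><srcuser>corp\\bob</srcuser><machinename>LAPTOP-B</machinename><matchname>dlp-present</matchname><src>10.0.0.6</src></entry>
<entry><srcuser>corp\\carol</srcuser><machinename>LAPTOP-C</machinename><matchname>no-dlp-agent</matchname><src>10.0.0.7</src></entry>
<entry><srcuser>corp\\alice</srcuser><machinename>LAPTOP-A</machinename><matchname>no-dlp-agent</matchname><src>10.0.0.5</src></entry>
</logs></log></result></response>"""


def noncompliant_sessions(hipmatch_xml, match_name=NONCOMPLIANT_HIP_OBJECT):
    """Return sorted, de-duplicated (user, machine) pairs that matched the
    non-compliant HIP object. Entries without a user are ignored."""
    root = ET.fromstring(hipmatch_xml)
    found = set()
    for entry in root.iter("entry"):
        if entry.findtext("matchname") != match_name:
            continue
        user = entry.findtext("srcuser", "")
        machine = entry.findtext("machinename", "")
        if user:
            found.add((user, machine))
    return sorted(found)


def logout_command(user, machine, gateway=GATEWAY_NAME):
    """Build the op-command XML for the assumed command
    'request global-protect-gateway client-logout gateway <gw> user <user>
    reason force-logout computer <machine>'."""
    req = ET.Element("request")
    logout = ET.SubElement(ET.SubElement(req, "global-protect-gateway"), "client-logout")
    ET.SubElement(logout, "gateway").text = gateway
    ET.SubElement(logout, "user").text = user
    ET.SubElement(logout, "reason").text = "force-logout"
    ET.SubElement(logout, "computer").text = machine
    return ET.tostring(req, encoding="unicode")


def logout_query(api_key, user, machine, gateway=GATEWAY_NAME):
    """Query string for the XML API endpoint (https://<firewall>/api/?...);
    building it separately keeps the network call out of this example."""
    return urlencode({"type": "op", "cmd": logout_command(user, machine, gateway), "key": api_key})


if __name__ == "__main__":
    # Dry run: show what a scheduled job would send, without sending it.
    for user, machine in noncompliant_sessions(SAMPLE_HIPMATCH_XML):
        print(f"would log out {user} on {machine}:")
        print("  " + logout_command(user, machine))
```

A scheduled job built on this would first fetch the recent `hipmatch` log through the API (or read it from the log collector), call `noncompliant_sessions`, then issue one op command per pair; keeping the deny rule and the HIP notification in place, as suggested above, means the user still learns why the session was dropped.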

Thank you @BPry 

Does that mean GlobalProtect gets connected even if the system is non-compliant? Traffic can be denied for non-compliant systems.

GlobalProtect will connect.

Based on your policies configured with HIP, when HIP fails then traffic is not allowed.

So the initial GP connection is not HIP related.

Thank you @sebastianvd

Can the configuration be done in such a way that GlobalProtect does not get connected if the HIP profile fails?

No, I ran into the same question.

First GP connects, that will trigger HIP collection and HIP can be used for traffic policies.

(I know this is old but anyway...)

Yes, HIP checks can be enforced on traffic only. The GP client can connect whether compliant or not.

  • 6161 Views
  • 8 replies
  • 0 Likes