Mismatched HIP Profiles



Seeing a strange issue where the wrong HIP Profile is being used to check HIP compliance.

 

We have two GP gateways, one for staff and one for contractors. To match that we have two HIP Profiles doing different checks for each gateway.

 

The contractor one works fine but the staff one is performing HIP checks on the contractor HIP profile, even though the staff HIP profile is what is defined on the Staff gateway.


Screenshots below to try and illustrate the issue.

Staff Gateway with Staff HIP Profile attached.


HIP Match logs show the incorrect HIP objects and profile is being checked:


(The user is 100% connecting to the staff gateway, not the contractor gateway)

CLI shows the user is tied to the Contractor HIP profile.


Does anyone know why the HIP profile attached to the GP gateway is not being applied to users that are connecting?

PAN-OS: 11.1.4-h7
GlobalProtect: 6.2.7

Thanks!

Shannon

Cyber Elite

@SRowe5,

From what you've described this is working exactly as expected. That HIP notification that you have shown in your screenshot is just that, you're specifying whether a matching HIP profile should trigger a notification for connected agents. You aren't limiting that gateway to that HIP profile if that was your intent. You could utilize config selection criteria at the portal to direct your contractors to a certain gateway or your staff to a certain gateway (whether that be through groups or actual device/custom checks) if you really want to maintain a single portal. Config selection can't utilize a HIP profile, however through custom checks you could potentially be grabbing registry keys or plists that you are also using as part of a HIP object.

 

HIP objects and HIP profiles that are configured are not themselves limited to any particular gateway, they'll all be analyzed and show up in your HIP match logs. Unless the connected gateway has a HIP notification configured or that HIP Profile is utilized as matching criteria somewhere in the rulebase it doesn't actually matter however. Assuming that you have different gateways because you're directing these users to different zones and having them match different policies, this doesn't really come into play outside of maybe not being exactly what you were expecting when you were looking at the logs.

It sounds like there's maybe just some general confusion on what a HIP Notification configuration actually does and how HIP objects and profiles are analyzed. I'm not entirely positive what you are attempting to do here, so I can't offer much help outside of saying that everything is functioning as designed but maybe not how you intend. Sometimes you just have to be more deliberate in your profile configuration than people think they need to be, which also means you may need to drastically expand the number of objects you have configured. Remember that you can also utilize a profile in the criteria of another profile; I see many people not making use of that feature as well, when sometimes that's the easiest way to get to what you actually want to do.

 

Unfortunately once you start diving into HIP objects/profiles and how you would utilize them to accomplish what you actually want, the conversation becomes complicated relatively quickly since we don't have the full picture of your existing configuration. If you provide exactly what you are intending to do someone might be able to give you a rough outline of how they would go about doing it, but without full insight into what you already have there's limited guidance that can be offered with the context of your environment.

@BPry,

Thanks for that. Let me try and explain the setup and intent better.

We have 2x GP portals (staff and contractors). Each portal has an associated gateway. There is a one-to-one mapping between the staff portal and the staff gateway, and the contractor portal and the contractor gateway.
We have unique HIP Objects defined to check connecting clients. These HIP objects are different for staff and contractors. The HIP objects are bundled into HIP profiles. There is a HIP profile for users connecting to the staff GP, and a separate HIP profile for users connecting to the contractor GP.

The contractor GP gateway has the Contractor HIP Profile attached under the HIP notifications, and the staff GP gateway has the Staff HIP Profile attached under the HIP notifications.

When I look at the HIP match logs for contractors I can see all the contractor HIP checks being performed, and everything is working as expected.

For staff (connecting to the Staff GP Portal/Gateway) the only HIP checks performed are the contractor checks. None of the Staff HIP Objects (and associated profile) are being checked.

 

Because the Staff HIP checks are not being performed users are getting the "not-match" HIP notification pop up.

I guess the question is why are the Staff HIP checks not being performed?
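The distinction the first reply draws, between a HIP notification on a gateway and a HIP profile used as match criteria in the security rulebase, expressed as PAN-OS `set` commands. This is an added illustration, not configuration from the thread: the gateway, zone, rule and profile names (Staff-HIP, Contractor-HIP, GP-Staff-Gateway, GP-Contractor-Gateway, gp-staff, gp-contractor, internal) are hypothetical, and the leaf names are taken from my recollection of the PAN-OS 10.x/11.x schema (security rules take `source-hip` from 10.0 onward; earlier releases used `hip-profiles`), so confirm them against `show` output on your own device before committing.

```text
# Added example, not from the thread. All object names are hypothetical.

# 1. Gateway HIP notification. This only controls the pop-up the agent shows when the
#    named profile does or does not match. Every configured HIP profile is still
#    evaluated and written to the HIP match log for every connecting endpoint,
#    whichever gateway that endpoint lands on; nothing here restricts a gateway to one profile.
set network global-protect global-protect-gateway GP-Staff-Gateway hip-notification Staff-HIP not-match-message show-notification-as pop-up-message
set network global-protect global-protect-gateway GP-Staff-Gateway hip-notification Staff-HIP not-match-message message "This device does not meet staff endpoint requirements."
set network global-protect global-protect-gateway GP-Contractor-Gateway hip-notification Contractor-HIP not-match-message show-notification-as pop-up-message
set network global-protect global-protect-gateway GP-Contractor-Gateway hip-notification Contractor-HIP not-match-message message "This device does not meet contractor endpoint requirements."

# 2. Enforcement lives in the security rulebase. The profile is match criteria on the
#    rule that carries the tunnel traffic, so a staff tunnel (zone gp-staff) is only
#    allowed inbound when Staff-HIP matched, and a contractor tunnel (zone gp-contractor)
#    only when Contractor-HIP matched. A staff endpoint that happens to match
#    Contractor-HIP objects gains nothing from it, because no rule on its zone tests that profile.
set rulebase security rules Allow-Staff-VPN from gp-staff to internal source any destination any source-user any application any service application-default source-hip Staff-HIP action allow
set rulebase security rules Allow-Contractor-VPN from gp-contractor to internal source any destination any source-user any application any service application-default source-hip Contractor-HIP action allow

# 3. Catch-all so that a tunnel whose HIP profile did not match is logged, not silently dropped
#    by the implicit deny; useful when reading the HIP match and traffic logs side by side.
set rulebase security rules Deny-VPN-No-HIP from [ gp-staff gp-contractor ] to internal source any destination any source-user any application any service any action deny log-start no log-end yes
```

Read the HIP match log (Monitor > Logs > HIP Match) with that model in mind: one row per profile per endpoint is expected, regardless of gateway, and the notification pop-up fires purely off whether the profile named under `hip-notification` matched. What the rulebase enforces is the `source-hip` criterion on the rule for that endpoint's zone, and that is the place to check when the observed behaviour differs from intent.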
