
Hi,

You can get a detailed HIP report dump from the CLI.

 

This command will give you all the users connected to the GlobalProtect Gateway:

> show global-protect-gateway current-user

 

Below you can see the output for a user connected to the GP tunnel:


GlobalProtect Gateway: GP-Gateway (1 users)
Tunnel Name : GP-Gateway-N
Domain-User Name : sos\srazaque
Computer : WIN10-REMOTE
Primary Username : sos\srazaque
Region for Config : 10.0.0.0-10.255.255.255
Source Region : 10.0.0.0-10.255.255.255
Client : Microsoft Windows 10 Enterprise Evaluation , 64-bit
VPN Type : Device Level VPN
Mobile ID :
Client OS : Windows
Private IP : 10.20.30.119
Private IPv6 : ::
Public IP (connected) : 10.101.99.22
Public IPv6 : ::
Client IP : 10.101.99.22
ESP : removed
SSL : exist
Login Time : Jun.19 14:44:23
Logout/Expiration : Jul.19 14:44:23
TTL : 2591695
Inactivity TTL : 10757
Request - Login : 2020-06-19 14:44:23.377 (1592603063377), 10.101.99.22
Request - GetConfig : 2020-06-19 14:44:23.696 (1592603063696), 10.101.99.22
Request - SSLVPNCONNECT : 2020-06-19 14:44:30.246 (1592603070246), 10.101.99.22

You can then use the following command from the CLI to dump the HIP report for the user connection. You will need the user, IP and computer name, which can be collected from the command above.

> debug user-id dump hip-report computer WIN10-REMOTE ip 10.20.30.119 user sos\srazaque

The output will look as follows:

<?xml version="1.0" encoding="UTF-8"?>
<hip-report>
<md5-sum>1964a64078fc2f95a4c5eda73f390ba</md5-sum>
<user-name>srazaque</user-name>
<domain>sos</domain>
<host-name>WIN10-REMOTE</host-name>
<host-id>43199d79-b2b3-4f66-a33d-cd0f7969970a</host-id>
<ip-address>10.20.30.119</ip-address>
<ipv6-address></ipv6-address>
<generate-time>06/19/2020 14:48:45</generate-time>
<hip-report-version>4</hip-report-version>
<categories>
<entry name="host-info">
<managed>unknown</managed>
<serial-number>VMware-56 4d 6e e3 f0 d0 d8 41-4e ff 01 20 c2 6c 13 a6</serial-number>
<client-version>5.1.3-12</client-version>
<os>Microsoft Windows 10 Enterprise Evaluation , 64-bit</os>
<os-vendor>Microsoft</os-vendor>
<domain>SOS.local</domain>
<host-name>WIN10-REMOTE</host-name>
<host-id>43199d79-b2b3-4f66-a33d-cd0f7969970a</host-id>
<network-interface>
<entry name="{4AB91E94-3200-44F8-B57A-83F98E7EDC11}">
<description>PANGP Virtual Ethernet Adapter</description>
<mac-address>02-50-41-00-00-01</mac-address>
<ip-address>
<entry name="10.20.30.119"/>
</ip-address>
</entry>
<entry name="{4680DD71-B408-4045-98B1-95858E996102}">
<description>Intel(R) PRO/1000 MT Network Connection</description>
<mac-address>00-0C-29-6C-13-A6</mac-address>
<ip-address>
<entry name="192.168.109.134"/>
</ip-address>
<ipv6-address>
<entry name="fe80::fd6e:2175:e8b2:1520"/>
</ipv6-address>
</entry>
<entry name="{AD04D857-4A91-11E9-A74E-806E6F6E6963}">
<description>Software Loopback Interface 1</description>
<mac-address></mac-address>
<ip-address>
<entry name="127.0.0.1"/>
</ip-address>
<ipv6-address>
<entry name="::1"/>
</ipv6-address>
</entry>
</network-interface>
</entry>
<entry name="anti-malware">
<list>
<entry>
<ProductInfo>
<Prod vendor="Microsoft Corporation" name="Windows Defender" version="4.18.1807.18075" defver="1.317.1735.0" engver="1.1.17100.2" datemon="6" dateday="19" dateyear="2020" prodType="3" osType="1"/>
<real-time-protection>yes</real-time-protection>
<last-full-scan-time>n/a</last-full-scan-time>
</ProductInfo>
</entry>
</list>
</entry>
<entry name="disk-backup">
<list>
<entry>
<ProductInfo>
<Prod vendor="Microsoft Corporation" name="Windows Backup and Restore" version="10.0.17763.1"/>
<last-backup-time>n/a</last-backup-time>
</ProductInfo>
</entry>
<entry>
<ProductInfo>
<Prod vendor="Microsoft Corporation" name="Windows File History" version="10.0.17763.1"/>
<last-backup-time>n/a</last-backup-time>
</ProductInfo>
</entry>
</list>
</entry>
<entry name="disk-encryption">
<list>
<entry>
<ProductInfo>
<Prod vendor="Microsoft Corporation" name="BitLocker Drive Encryption" version="10.0.17763.1"/>
<drives>
<entry>
<drive-name>C:\</drive-name>
<enc-state>unencrypted</enc-state>
</entry>
</drives>
</ProductInfo>
</entry>
</list>
</entry>
<entry name="firewall">
<list>
<entry>
<ProductInfo>
<Prod vendor="Microsoft Corporation" name="Windows Firewall" version="10.0.17763.1"/>
<is-enabled>no</is-enabled>
</ProductInfo>
</entry>
</list>
</entry>
<entry name="patch-management">
<list>
<entry>
<ProductInfo>
<Prod vendor="Microsoft Corporation" name="Windows Update Agent" version="10.0.17763.1"/>
<is-enabled>yes</is-enabled>
</ProductInfo>
</entry>
</list>
<missing-patches>
<entry>
<title>2020-01 Update for Windows 10 Version 1809 for x64-based Systems (KB4494174)</title>
<description>Install this update to resolve issues in Windows. For a complete listing of the issues that are included in this update, see the associated Microsoft Knowledge Base article for more information. After you install this item, you may have to restart your computer.</description>
<product>Windows 10</product>
<vendor>Microsoft Corporation</vendor>
<info-url></info-url>
<kb-article-id>4494174</kb-article-id>
<security-bulletin-id></security-bulletin-id>
<severity>2</severity>
<category>update</category>
<is-installed>no</is-installed>
</entry>
<entry>
<title>Security Intelligence Update for Microsoft Defender Antivirus - KB2267602 (Version 1.317.1735.0)</title>
<description>Install this update to revise the files that are used to detect viruses, spyware, and other potentially unwanted software. Once you have installed this item, it cannot be removed.</description>
<product>Microsoft Defender Antivirus</product>
<vendor>Microsoft Corporation</vendor>
<info-url></info-url>
<kb-article-id>2267602</kb-article-id>
<security-bulletin-id></security-bulletin-id>
<severity>2</severity>
<category>definition_update</category>
<is-installed>no</is-installed>
</entry>
</missing-patches>
</entry>
<entry name="data-loss-prevention">
<list>
</list>
</entry>
</categories>
</hip-report>

Let us know if that helps!

Thanks and stay safe
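
Added example, not part of the original post and not Palo Alto Networks code: once the report is dumped, a short Python script can reduce it to a list of posture gaps (firewall off, unencrypted drives, missing patches). It assumes only the element names visible in the output above; `posture_findings` and the trimmed `SAMPLE` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: trimmed to the posture fields of the report shown in the post.
SAMPLE = r"""<hip-report>
<user-name>srazaque</user-name><host-name>WIN10-REMOTE</host-name>
<categories>
<entry name="anti-malware"><list><entry><ProductInfo>
<Prod name="Windows Defender"/><real-time-protection>yes</real-time-protection>
</ProductInfo></entry></list></entry>
<entry name="disk-encryption"><list><entry><ProductInfo><Prod name="BitLocker Drive Encryption"/>
<drives><entry><drive-name>C:\</drive-name><enc-state>unencrypted</enc-state></entry></drives>
</ProductInfo></entry></list></entry>
<entry name="firewall"><list><entry><ProductInfo>
<Prod name="Windows Firewall"/><is-enabled>no</is-enabled>
</ProductInfo></entry></list></entry>
<entry name="patch-management"><list/><missing-patches>
<entry><kb-article-id>4494174</kb-article-id><is-installed>no</is-installed></entry>
<entry><kb-article-id>2267602</kb-article-id><is-installed>no</is-installed></entry>
</missing-patches></entry>
</categories></hip-report>"""

def posture_findings(xml_text):
    """Return (host_name, findings) for one HIP report dump (hypothetical helper)."""
    root = ET.fromstring(xml_text)
    cats = {e.get("name"): e for e in root.findall("./categories/entry")}
    findings = []

    def products(cat):
        # Each reported product is a <ProductInfo> holding a <Prod name="..."/> element.
        node = cats.get(cat)
        infos = node.findall("./list/entry/ProductInfo") if node is not None else []
        return [(p.find("Prod").get("name"), p) for p in infos if p.find("Prod") is not None]

    for cat, tag, label in (("firewall", "is-enabled", "disabled"),
                            ("anti-malware", "real-time-protection", "real-time protection off")):
        prods = products(cat)
        if not prods:  # a missing category is itself a posture gap
            findings.append(f"{cat}: no product reported")
        for name, p in prods:
            if p.findtext(tag, "").strip().lower() != "yes":
                findings.append(f"{cat}: {name} {label}")
    for name, p in products("disk-encryption"):
        for d in p.findall("./drives/entry"):
            if d.findtext("enc-state", "").strip().lower() == "unencrypted":
                findings.append(f"disk-encryption: {d.findtext('drive-name')} unencrypted ({name})")
    patches = cats.get("patch-management")
    for m in (patches.findall("./missing-patches/entry") if patches is not None else []):
        if m.findtext("is-installed", "").strip().lower() == "no":
            findings.append(f"patch-management: KB{m.findtext('kb-article-id')} missing")
    return root.findtext("host-name"), findings
```

The report's contents are collected on the endpoint, so when parsing dumps in bulk a hardened XML parser such as defusedxml is a reasonable substitute for `xml.etree.ElementTree`.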
 
