HIP Match Logs Are Not Generated When HIP Match fails
52801
Created On 09/27/18 07:23 AM - Last Modified 06/28/24 09:12 AM
Symptom
When a HIP match fails for a GlobalProtect Agent, no event is logged under Monitor > Logs > HIP Match.
Environment
GlobalProtect Gateway
GlobalProtect Agent
Cause
This is expected behavior. The HIP Match log records only the matches the gateway identifies when it evaluates the raw HIP data reported by the app against the configured HIP objects and HIP profiles; a host whose HIP data matches nothing produces no entry.
Likewise, a security rule that references a HIP profile only applies to traffic from hosts that match that profile. Traffic from a host that fails the HIP match is not evaluated against that rule at all and falls through to the remaining rules in the rulebase, so a failed match is not, by itself, a way to block a host.
Resolution
To ensure a HIP Match event is logged and to control the host's traffic, create a HIP Object that matches the host type you want to act on (including, where needed, an object built on a negative condition so that "everything else" matches), and control the connected GlobalProtect agent's traffic with security rules that reference a HIP Profile containing that object.
Example
To log GlobalProtect connection events for all hosts that are outside an organization (in this case all hosts that are NOT members of the "mydomain.local" domain), and to deny the traffic coming from those hosts once they are connected through GlobalProtect, follow these steps:
- Create a HIP Object based on a negative condition so that it matches every host outside the desired group. Go to Objects > GlobalProtect > HIP Objects, add a new object, and specify that the Domain of the connecting host "Is Not" equal to "mydomain.local".
- Connected hosts that are not members of the domain "mydomain.local" will match this HIP Object, and an event will be logged under Monitor > Logs > HIP Match. Hosts that are members of the domain fail the match and, as described above, generate no HIP Match log entry.
- Create a HIP Profile and add the HIP Object to it.
- Create a security policy that references the HIP Profile and controls the traffic from hosts that are not members of the domain "mydomain.local". In this case the rule denies the traffic coming from those hosts. Place it above any rule that would otherwise permit GlobalProtect client traffic, since rule order still applies.
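The same three objects, built as PAN-OS XML API requests instead of GUI clicks, as an added example that is not part of the original article or Palo Alto Networks code. It assumes the following configuration-tree paths, which should be checked against the config tree of your PAN-OS release: the HIP object under profiles/hip-objects with host-info/criteria/domain/is-not, the HIP profile under profiles/hip-profiles with a quoted match expression, and the rule under rulebase/security/rules, where the HIP reference tag is source-hip on PAN-OS 10.0 and later and hip-profiles on earlier releases. The firewall hostname, API key, vsys name and object names are placeholders.

```python
"""Build and (optionally) push the inverted-HIP-object configuration.

Added example, not Palo Alto Networks code. XPaths and element layout are
assumptions to verify against your PAN-OS release's configuration tree.
"""
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Assumption: single-vsys firewall; adjust the vsys name for multi-vsys devices.
VSYS_XPATH = ("/config/devices/entry[@name='localhost.localdomain']"
              "/vsys/entry[@name='vsys1']")


def hip_object_domain_is_not(name: str, domain: str):
    """HIP object that matches every host whose domain is NOT `domain`.

    Hosts inside `domain` fail this object and therefore produce no HIP Match
    log entry; every other host matches and is logged (the behaviour the
    article describes).
    """
    xpath = f"{VSYS_XPATH}/profiles/hip-objects/entry[@name='{name}']"
    entry = ET.Element("entry", name=name)
    criteria = ET.SubElement(ET.SubElement(entry, "host-info"), "criteria")
    ET.SubElement(ET.SubElement(criteria, "domain"), "is-not").text = domain
    return xpath, ET.tostring(entry, encoding="unicode")


def hip_profile(name: str, object_names):
    """HIP profile whose match expression ORs the given HIP object names.

    Assumption: the match expression quotes each object name, e.g. '"obj-a" or "obj-b"'.
    """
    xpath = f"{VSYS_XPATH}/profiles/hip-profiles/entry[@name='{name}']"
    entry = ET.Element("entry", name=name)
    ET.SubElement(entry, "match").text = " or ".join(f'"{o}"' for o in object_names)
    return xpath, ET.tostring(entry, encoding="unicode")


def deny_rule(name: str, profile: str, from_zone: str, to_zone: str,
              hip_tag: str = "source-hip"):
    """Security rule denying traffic from hosts that match `profile`.

    hip_tag is "source-hip" on PAN-OS 10.0+ and "hip-profiles" on earlier
    releases (assumption; check your release). The rule must be placed above
    any rule that would otherwise allow the GlobalProtect client traffic.
    """
    xpath = f"{VSYS_XPATH}/rulebase/security/rules/entry[@name='{name}']"
    entry = ET.Element("entry", name=name)

    def members(tag, values):
        node = ET.SubElement(entry, tag)
        for value in values:
            ET.SubElement(node, "member").text = value

    members("from", [from_zone])
    members("to", [to_zone])
    members("source", ["any"])
    members("destination", ["any"])
    members("source-user", ["any"])
    members("application", ["any"])
    members("service", ["any"])
    members(hip_tag, [profile])
    ET.SubElement(entry, "action").text = "deny"
    ET.SubElement(entry, "log-end").text = "yes"   # log the denied sessions too
    return xpath, ET.tostring(entry, encoding="unicode")


def plan_config(domain="mydomain.local", gp_zone="gp-vpn", inside_zone="trust",
                hip_tag="source-hip"):
    """Return the ordered (xpath, element) pairs for the whole change."""
    obj = "outside-" + domain.replace(".", "-")
    prof = obj + "-profile"
    return [
        hip_object_domain_is_not(obj, domain),
        hip_profile(prof, [obj]),
        deny_rule("deny-" + obj, prof, gp_zone, inside_zone, hip_tag),
    ]


def api_set_params(api_key: str, xpath: str, element: str) -> dict:
    """Query parameters for a PAN-OS XML API config 'set' call."""
    return {"type": "config", "action": "set", "key": api_key,
            "xpath": xpath, "element": element}


def push_config(host: str, api_key: str, changes, verify_tls=True) -> list:
    """Send each change with the XML API; returns the raw XML responses.

    Not run by anything above; call it yourself once the plan looks right.
    Commit separately (type=commit&cmd=<commit></commit>) after reviewing.
    """
    ctx = ssl.create_default_context()
    if not verify_tls:                      # lab firewalls with self-signed certs only
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    responses = []
    for xpath, element in changes:
        query = urllib.parse.urlencode(api_set_params(api_key, xpath, element))
        with urllib.request.urlopen(f"https://{host}/api/?{query}", context=ctx) as resp:
            responses.append(resp.read().decode())
    return responses


if __name__ == "__main__":
    for xpath, element in plan_config():
        print(xpath)
        print("  ", element)
```

Run it without arguments to print the three set requests for review; pass the list from `plan_config()` to `push_config()` only after confirming the XPaths on the target release, and commit from the CLI or API afterwards. Objects created this way behave exactly like the GUI-created ones: domain members still produce no HIP Match entry, everyone else matches the object, is logged, and hits the deny rule.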