HIP checks are not logged and traffic is allowed when HIP match fails


33219
Created On 09/27/18 07:23 AM - Last Modified 02/07/19 23:36 PM


Resolution

Symptom

When a HIP check fails for a GlobalProtect Agent, no event is logged in the HIP Match log. The host still connects to the gateway successfully, and the traffic from the host is allowed.

Cause

HIP checks that fail do not log an event under Monitor > Logs > HIP Match. Likewise, security policies that reference a HIP Profile do not apply to hosts that fail the match, so a rule written to deny such hosts never sees their traffic. HIP Match events are logged only when a connecting host matches a HIP Object or HIP Profile. To ensure a HIP event is logged and to control the host's traffic, create a HIP Object whose condition matches the host type you want to catch (a negative condition such as "Is Not" when the goal is to catch hosts that lack an attribute), and control the connected GlobalProtect agent's traffic with security rules that reference it.

Example

To log GlobalProtect connection events for all hosts outside of a desired group (in this case, all hosts that are NOT members of the "mydomain.local" domain) and to deny traffic from those hosts, follow these steps:

  1. Create a HIP Object based on a negative condition that matches all hosts outside of the desired group. Go to Objects > GlobalProtect > HIP Objects. Add a new object and specify that the Domain of the connecting host "Is Not" equal to "mydomain.local".
    Hosts that connect and are not members of the "mydomain.local" domain will match this HIP Object, and an event will be logged under Monitor > Logs > HIP Match.
  2. Create a HIP Profile and add the HIP Object to it.
  3. Create a security policy that controls the traffic from hosts that are not members of the "mydomain.local" domain: a rule (named GP-Deny in this example) that denies traffic from hosts matching the HIP Profile. Place it above any rule that would otherwise allow the GlobalProtect traffic.
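The three steps above as code, added here as an example (it is not part of the knowledge base article and not Palo Alto Networks' own tooling). It builds the HIP Object, HIP Profile and deny rule as PAN-OS XML fragments that can be pushed with the XML API (type=config&action=set&xpath=...), and models the behaviour described under Cause: a HIP Match entry is written, and the GP-Deny rule applies, only for hosts that match the object, which is why the object is written as "Is Not" rather than "Is". The element names (hip-objects/entry/host-info/criteria/domain/is-not, hip-profiles/entry/match, rules/entry/hip-profiles), the vsys1 xpaths, the object, profile and zone names, and the case-insensitive domain comparison are assumptions to verify against your PAN-OS version.

```python
"""Added example (not from the KB article): the article's HIP Object, HIP
Profile and deny rule as PAN-OS XML, plus a model of which hosts produce a
HIP Match log entry and hit the deny rule.

Assumptions to verify against your PAN-OS version's XML schema: the element
names under hip-objects, hip-profiles and rulebase/security/rules, the vsys1
xpaths, and the object/profile/zone names used below."""
import xml.etree.ElementTree as ET

DOMAIN = "mydomain.local"             # domain from the article
HIP_OBJECT = "not-mydomain-member"    # assumed object name
HIP_PROFILE = "not-mydomain-profile"  # assumed profile name
RULE = "GP-Deny"                      # rule name used in the article's Verify step

VSYS = "/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']"
XPATHS = {  # assumed: the xpath each <entry> below is set under
    "hip_object": VSYS + "/global-protect/hip-objects",
    "hip_profile": VSYS + "/global-protect/hip-profiles",
    "rule": VSYS + "/rulebase/security/rules",
}


def _members(parent, tag, values):
    node = ET.SubElement(parent, tag)
    for value in values:
        ET.SubElement(node, "member").text = value


def hip_object_xml(name=HIP_OBJECT, domain=DOMAIN, condition="is-not"):
    """Step 1: HIP Object whose only criterion is Domain <condition> <domain>."""
    entry = ET.Element("entry", name=name)
    criteria = ET.SubElement(ET.SubElement(entry, "host-info"), "criteria")
    ET.SubElement(ET.SubElement(criteria, "domain"), condition).text = domain
    return ET.tostring(entry, encoding="unicode")


def hip_profile_xml(name=HIP_PROFILE, hip_object=HIP_OBJECT):
    """Step 2: HIP Profile whose match expression is just the quoted object name."""
    entry = ET.Element("entry", name=name)
    ET.SubElement(entry, "match").text = f'"{hip_object}"'
    return ET.tostring(entry, encoding="unicode")


def deny_rule_xml(name=RULE, hip_profile=HIP_PROFILE, from_zone="gp-vpn"):
    """Step 3: security rule denying traffic from hosts that match the profile.
    Order it above the rule that allows GlobalProtect users (zone name assumed)."""
    entry = ET.Element("entry", name=name)
    _members(entry, "from", [from_zone])
    _members(entry, "to", ["any"])
    _members(entry, "source", ["any"])
    _members(entry, "destination", ["any"])
    _members(entry, "source-user", ["any"])
    _members(entry, "hip-profiles", [hip_profile])
    _members(entry, "application", ["any"])
    _members(entry, "service", ["any"])
    ET.SubElement(entry, "action").text = "deny"
    ET.SubElement(entry, "log-end").text = "yes"
    return ET.tostring(entry, encoding="unicode")


def domain_criterion_matches(reported_domain, condition, value=DOMAIN):
    """Evaluate the object's Domain criterion against the domain the agent
    reports (compared case-insensitively here, an assumption)."""
    reported, wanted = reported_domain.lower(), value.lower()
    return {"is": reported == wanted,
            "is-not": reported != wanted,
            "contains": wanted in reported}[condition]


def evaluate_host(reported_domain, condition="is-not"):
    """Model of the behaviour the article describes: a HIP Match entry is logged
    only when the host matches the object/profile, and the rule referencing the
    profile applies only to matching hosts; non-matching hosts log nothing and
    fall through to the later rules (rule=None)."""
    matched = domain_criterion_matches(reported_domain, condition)
    return {"hip_match_logged": matched, "rule": RULE if matched else None}


if __name__ == "__main__":
    for build in (hip_object_xml, hip_profile_xml, deny_rule_xml):
        print(build())
    for host in ("mydomain.local", "WORKGROUP"):
        print(host, "| is-not:", evaluate_host(host), "| is:", evaluate_host(host, "is"))
```

The contrast in the last loop is the point of the article: with a positive ("is") object a WORKGROUP host matches nothing, so it is neither logged nor denied; with the negative ("is-not") object it matches, is logged under HIP Match and hits GP-Deny.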

Verify

Connect a host running the GlobalProtect Agent that is not a domain member of "mydomain.local".

  1. Verify that a HIP Match event was logged when the host connected by going to Monitor > Logs > HIP Match.
  2. Go to Monitor > Logs > Traffic and verify that the host's traffic is denied by the GP-Deny policy.

owner: jmoses



https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm83CAC&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail