HIP checks are not logged and traffic is allowed when HIP match fails
When a HIP check fails for a host running the GlobalProtect Agent, no event is written to the HIP Match log. The host still connects to the gateway successfully, and its traffic is allowed.
A HIP check that fails does not generate an entry under Monitor > Logs > HIP Match, and a security policy that references a HIP Profile does not apply to a host that fails the match. HIP Match events are logged, and HIP-based security rules take effect, only when a connecting host matches a HIP Profile or a HIP Object. To make sure an event is logged for the hosts you care about and to control their traffic, create a HIP Object whose criteria match those hosts (for a "failed" check, this means a negative criterion that matches everything outside the desired group), add it to a HIP Profile, and reference that profile in a security rule that controls the connected GlobalProtect agent's traffic.
To log a HIP Match event for every host outside a desired group (in this example, every host that is NOT a member of the “mydomain.local” domain) and to deny traffic from those hosts, follow these steps:
- Create a HIP Object based on a negative criterion so that it matches every host outside the desired group. Go to Objects > GlobalProtect > HIP Objects, add a new object, and set the Domain criterion of the connecting host to “Is Not” with the value “mydomain.local”.
Hosts that connect and are not members of the “mydomain.local” domain will match this HIP Object, and an event will be logged under Monitor > Logs > HIP Match.
- Create a HIP Profile (Objects > GlobalProtect > HIP Profiles) and add the HIP Object to its match criteria.
- Create a security policy that controls traffic from hosts that are not members of the “mydomain.local” domain: a rule (named GP-Deny in this example) that matches the HIP Profile and denies the traffic. Place it above any rule that would otherwise allow traffic from the GlobalProtect clients' zone. Security policy is evaluated top down and the first matching rule wins, so a deny rule that sits below a broad allow rule never fires.
- Connect a host running the GlobalProtect Agent that is not a member of the “mydomain.local” domain.
- Verify that a HIP Match event was logged when the host connected by going to Monitor > Logs > HIP Match.
- Go to Monitor > Logs > Traffic and verify that the host's traffic was denied by the GP-Deny policy.
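The same configuration expressed as PAN-OS CLI commands, added here as an illustration and not taken from the original article. The object, profile and rule names (not-mydomain, not-mydomain-profile, GP-Deny) and the zone name gp-vpn are assumptions, as is the exact quoting of the HIP Profile match expression; verify the syntax against the CLI of your own PAN-OS release, since the way a security rule references a HIP Profile changed in later versions (hip-profiles in the rule was replaced by source-hip / destination-hip in PAN-OS 10.0).

```text
# Hypothetical names: not-mydomain, not-mydomain-profile, GP-Deny, zone gp-vpn
configure

# HIP Object: matches any host whose reported domain is NOT mydomain.local
set profiles hip-objects not-mydomain host-info criteria domain is-not mydomain.local

# HIP Profile: the match expression references the object by name, in single quotes
set profiles hip-profiles not-mydomain-profile match "'not-mydomain'"

# Security rule: deny traffic from GlobalProtect clients that match the profile, and log it
set rulebase security rules GP-Deny from gp-vpn to any source any destination any source-user any application any service any hip-profiles not-mydomain-profile action deny log-end yes

# Policy is first-match: the deny rule must sit above any rule that would allow gp-vpn traffic
move rulebase security rules GP-Deny top

commit
exit

# Verification (operational mode) after a non-domain host connects:
# a HIP Match entry for the host, and a traffic log entry denied by GP-Deny
show log hipmatch direction equal backward
show log traffic query equal "( rule eq 'GP-Deny' )" direction equal backward
```

If the HIP Match log shows the entry but the Traffic log shows the session allowed by another rule, the GP-Deny rule is below that rule in the rulebase; moving it up, as in the move command above, is the fix.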