How Does the HIP Mechanism Work in GlobalProtect?
86378
Created On 04/08/19 18:36 PM - Last Modified 10/22/23 20:08 PM
Question
How does the HIP mechanism work in GlobalProtect?
Environment
- Palo Alto Firewall
- Supported PAN-OS
- GlobalProtect configured
- HIP Check mechanism
Answer
Client Side:
- GlobalProtect uses the OPSWAT framework to gather information about the third-party software installed on the endpoint.
- When the client connects to the gateway, the GlobalProtect client generates a HIP report on the endpoint.
- The general cutoff time for HIP report generation is 20 seconds.
- If the client cannot complete the HIP report for all items within that time, it uses what it has completed, fills in the uncompleted items from the previously cached HIP report (if one is available), and sends that report to the gateway.
- In the background, it continues to finish the full HIP report. If the finished report differs from the one previously sent, it sends the new HIP report to the gateway immediately.
- If the finished HIP report is the same as the previously sent one, it is not resent.
- If there is no cached HIP report and the client only partially completes the report within the 20 seconds, it sends the partial HIP report to the gateway and keeps working in the background on the full report, which is then forwarded to the gateway.
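The client-side behaviour above can be modelled as a small simulation. This is an added illustration, not GlobalProtect code: the collector names, their per-item collection times, the cached report and the 20-second cutoff are all constructed inputs, and collectors are assumed to run concurrently so that an item whose collector needs longer than the cutoff is simply not finished when the first report goes out.

```python
"""Model of the GlobalProtect client's HIP-report submission logic.

Illustrative simulation only (not GlobalProtect code). Collector timings,
item names and cached values below are constructed for the example.
"""
from typing import Dict, List, Optional, Tuple

HIP_CUTOFF_SECONDS = 20  # general cutoff for HIP generation per the article

# collectors: item -> (seconds the collector needs, value it will report)
Collectors = Dict[str, Tuple[float, str]]
Report = Dict[str, str]


def collect_initial_report(collectors: Collectors, cached: Optional[Report],
                           cutoff: float = HIP_CUTOFF_SECONDS) -> Tuple[Report, List[str]]:
    """Build the report sent at connect time.

    Items that complete within `cutoff` seconds use their fresh value. Items
    that have not completed fall back to the cached report when one exists;
    with no cache they are omitted, giving a partial report.
    Returns (report, items_still_pending).
    """
    report: Report = {}
    pending: List[str] = []
    for item, (seconds, value) in collectors.items():
        if seconds <= cutoff:
            report[item] = value
        else:
            pending.append(item)
            if cached is not None and item in cached:
                report[item] = cached[item]
    return report, pending


def complete_report(initial: Report, pending: List[str], collectors: Collectors) -> Report:
    """Finish the report in the background with the remaining collectors' values."""
    full = dict(initial)
    for item in pending:
        full[item] = collectors[item][1]
    return full


def should_send(new_report: Report, last_sent: Report) -> bool:
    """A finished report is only resent when it differs from the last one sent."""
    return new_report != last_sent


def simulate_session(collectors: Collectors, cached: Optional[Report]) -> List[Report]:
    """Return the list of reports the client would send during one connection."""
    sent: List[Report] = []
    initial, pending = collect_initial_report(collectors, cached)
    sent.append(initial)  # first report always goes out at the cutoff
    full = complete_report(initial, pending, collectors)
    if should_send(full, sent[-1]):
        sent.append(full)
    return sent


# Constructed example: disk-encryption status takes 30 s to collect,
# longer than the cutoff, so it is the item that may be cached or omitted.
EXAMPLE_COLLECTORS: Collectors = {
    "antivirus": (2.0, "AV 1.0 / realtime on"),
    "patch-management": (5.0, "up to date"),
    "disk-encryption": (30.0, "enabled"),
}
EXAMPLE_CACHE: Report = {"antivirus": "AV 0.9 / realtime on", "disk-encryption": "enabled"}

if __name__ == "__main__":
    for cache in (EXAMPLE_CACHE, None):
        for i, r in enumerate(simulate_session(EXAMPLE_COLLECTORS, cache), 1):
            print(f"cache={'yes' if cache else 'no'} report#{i}: {r}")
```

With a cache the first report already carries the cached disk-encryption value, so the finished report is identical and nothing more is sent; without a cache the first report is partial and the completed report follows as a second submission.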
Gateway Side:
- The gateway receives the full HIP report, i.e., everything the GlobalProtect client collected. The report does not depend on the HIP objects and HIP profiles configured on the gateway. The HIP report is saved in this file: /opt/panlogs/global-protect/hip_report_base
- The gateway then, with the help of the GPData file (GUI: Device > Dynamic Updates > GPDatafile), evaluates all configured HIP objects and HIP profiles against the HIP report the client submitted.
- GUI: Monitor > HIP Match logs show the HIP objects and profiles whose match conditions were satisfied by that report.
- If a configured HIP object or profile does not appear in the HIP Match logs for a client, that client did not match it. There is no direct way to list all the HIP objects and profiles a client did NOT match.
- The only way to find them is to compute the difference from the logs: all configured HIP objects/profiles minus the HIP objects/profiles that appear in the HIP Match logs for that client.
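The difference described in the last bullet can be computed from a HIP Match log export. The script below is an added example, not part of this article or of PAN-OS: the CSV rows are hand-constructed, the column names "HIP Name" and "HIP Type" follow the HIP Match log fields but the exact header of a real export is an assumption, and the set of configured HIP objects/profiles is a made-up configuration that in practice you would take from the gateway's running config.

```python
"""Compute, per user/machine, the configured HIP objects and profiles that do
NOT appear in the HIP Match logs. Added example; not PAN-OS or article code."""
import csv
import io
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample export. Column names are modelled on the HIP Match log's
# "HIP Name" / "HIP Type" fields; the data is invented for the example.
SAMPLE_HIP_MATCH_CSV = """Receive Time,Source User,Machine Name,HIP Name,HIP Type
2023/10/22 20:01:05,corp\\alice,ALICE-LAPTOP,av-installed,object
2023/10/22 20:01:05,corp\\alice,ALICE-LAPTOP,disk-encrypted,object
2023/10/22 20:01:05,corp\\alice,ALICE-LAPTOP,corp-compliant,profile
2023/10/22 20:03:41,corp\\bob,BOB-LAPTOP,av-installed,object
"""

# Assumed configuration: everything defined under Objects > GlobalProtect >
# HIP Objects / HIP Profiles on the gateway. Replace with the real names.
CONFIGURED_HIP: Dict[str, Set[str]] = {
    "object": {"av-installed", "disk-encrypted", "firewall-enabled"},
    "profile": {"corp-compliant", "contractor-baseline"},
}

Key = Tuple[str, str]  # (Source User, Machine Name)


def matched_by_machine(csv_text: str) -> Dict[Key, Dict[str, Set[str]]]:
    """Collect the HIP names that appear in the logs, keyed by user/machine."""
    matched: Dict[Key, Dict[str, Set[str]]] = defaultdict(
        lambda: {"object": set(), "profile": set()})
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (row["Source User"], row["Machine Name"])
        hip_type = row["HIP Type"].strip().lower()
        if hip_type in ("object", "profile"):
            matched[key][hip_type].add(row["HIP Name"].strip())
    return dict(matched)


def unmatched_by_machine(csv_text: str,
                         configured: Dict[str, Set[str]] = CONFIGURED_HIP
                         ) -> Dict[Key, Dict[str, List[str]]]:
    """configured minus matched, per user/machine and per HIP type.

    Only machines that produced at least one HIP Match entry are reported:
    a machine with no entries at all may simply not have connected or
    submitted a report, which is not the same as 'matched nothing'.
    """
    result: Dict[Key, Dict[str, List[str]]] = {}
    for key, seen in matched_by_machine(csv_text).items():
        result[key] = {t: sorted(configured[t] - seen[t]) for t in configured}
    return result


if __name__ == "__main__":
    for (user, machine), gaps in unmatched_by_machine(SAMPLE_HIP_MATCH_CSV).items():
        print(f"{user} on {machine}: unmatched objects={gaps['object']} "
              f"unmatched profiles={gaps['profile']}")
```

Run against a real export (Monitor > HIP Match, export to CSV), the result is the list of HIP objects and profiles each connected endpoint failed to satisfy, which is exactly the set the GUI cannot show directly.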