Sending HIP check report to firewall fails and Global Protect disconnects due to inactivity


39831
Created On 04/12/19 03:02 AM - Last Modified 12/19/23 23:00 PM


Symptom


  • GlobalProtect users are disconnected because the app is not delivering its HIP report to the gateway, so the gateway's inactivity timer fires.
  • The user is logged out with Reason: user session expired.




Environment


  • Palo Alto Firewalls
  • Supported PAN-OS
  • URL-Filtering
  • Global Protect


Cause


  • The gateway applies the inactivity logout timer to a user when it stops receiving HIP checks from the GlobalProtect app.
  • The timer is configured in the GUI under Network > GlobalProtect > Gateways > (gateway) > Agent > Timeout Settings.
  • The client's HIP report can be blocked when a URL Filtering profile is attached to the "outside to outside" allow rule, i.e. the rule that permits clients in the external zone to reach the gateway interface in that same zone.
  • This is visible in the URL Filtering logs: requests to <GP-GATEWAY-IP>/ssl-vpn/hipreportcheck.esp are categorized as unknown and blocked.
  • The GlobalProtect client logs show the HIP report check failing:
(T1884) 10/04/19 10:04:39:708 Debug(1253): SSL3 alert write:warning:close notify
(T1884) 10/04/19 10:04:39:709 Info (4309): SendNReceive() failed.
(T1884) 10/04/19 10:04:39:709 Debug(4136): Send hip report check failed <<<<




Resolution


Solution 1:
  1. Create a custom URL category and add the GlobalProtect gateway IP address, or the complete URL "<GP-GATEWAY-IP>/ssl-vpn/hipreportcheck.esp", to it.
  2. In the URL Filtering profile referenced by the security rule, set the action for this new category to alert.
Solution 2:
  1. Instead of the steps above, add the gateway IP address or the URL to the allow list of the URL Filtering profile.
  • With either solution the URL is permitted, so the HIP report is submitted.
  • Once the gateway receives the HIP report, the inactivity timer no longer fires.
Note: Applying URL filtering to a security rule whose source zone contains an external-facing interface is not a recommended configuration. Refer to CVE-2022-0028.
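As an added example (not part of this article and not Palo Alto Networks' own tooling), the following Python script first checks URL Filtering log records for blocked hipreportcheck.esp requests, which is the evidence the Cause section describes, and then prints the configure-mode commands for either Solution 1 or Solution 2. The log records are constructed to mirror the url/category/action fields shown in the article's screenshot, the gateway address 203.0.113.10 and the profile and category names are placeholders, and the `set` command syntax is the author's understanding of the PAN-OS CLI and should be verified on your PAN-OS release before committing.

```python
"""Added example, not from the Palo Alto Networks article.

Detect HIP report checks that a URL Filtering profile is blocking and emit the
narrowest PAN-OS configuration that lets them through.

Assumptions (labelled as such):
  - SAMPLE_LOGS is constructed to mirror the fields visible in the article's
    URL Filtering log screenshot (url, category, action); it is not real output.
  - The `set` commands are the PAN-OS configure-mode CLI as the author
    understands it; verify the syntax on your PAN-OS release.
"""
from dataclasses import dataclass

# Path the GlobalProtect app posts its HIP report check to (from the article).
HIP_CHECK_PATH = "/ssl-vpn/hipreportcheck.esp"


@dataclass(frozen=True)
class UrlLog:
    src: str
    dst: str
    url: str
    category: str
    action: str


# Constructed sample: two blocked HIP checks to gateway 203.0.113.10, plus
# unrelated records that must not be matched (a different .esp that was only
# alerted on, and ordinary web browsing).
SAMPLE_LOGS = [
    UrlLog("198.51.100.7", "203.0.113.10", "203.0.113.10/ssl-vpn/hipreportcheck.esp", "unknown", "block-url"),
    UrlLog("198.51.100.9", "203.0.113.10", "203.0.113.10/ssl-vpn/hipreportcheck.esp", "unknown", "block-url"),
    UrlLog("198.51.100.9", "203.0.113.10", "203.0.113.10/ssl-vpn/getconfig.esp", "unknown", "alert"),
    UrlLog("198.51.100.12", "93.184.216.34", "example.com/", "computer-and-internet-info", "alert"),
]


def hip_check_url(gateway: str) -> str:
    """Exact URL the GlobalProtect app uses for its HIP report check."""
    return f"{gateway}{HIP_CHECK_PATH}"


def blocked_hip_checks(logs) -> dict:
    """Return {gateway_host: count} for HIP report checks with a block action."""
    counts: dict = {}
    for rec in logs:
        if rec.url.endswith(HIP_CHECK_PATH) and rec.action.startswith("block"):
            host = rec.url[: -len(HIP_CHECK_PATH)]
            counts[host] = counts.get(host, 0) + 1
    return counts


def remediation(gateway: str, profile: str, category: str = "gp-hip-check",
                solution: int = 1, exact: bool = True) -> list:
    """Configure-mode commands for Solution 1 (custom category set to alert)
    or Solution 2 (profile allow list).

    exact=True uses the full hipreportcheck URL rather than the bare gateway
    IP, so only the HIP check is exempted instead of every path on the host.
    Command syntax is assumed; verify on your PAN-OS release.
    """
    entry = hip_check_url(gateway) if exact else gateway
    if solution == 1:
        return [
            f'set profiles custom-url-category {category} type "URL List"',
            f"set profiles custom-url-category {category} list {entry}",
            f"set profiles url-filtering {profile} alert {category}",
        ]
    if solution == 2:
        return [f"set profiles url-filtering {profile} allow-list {entry}"]
    raise ValueError("solution must be 1 or 2")


if __name__ == "__main__":
    for host, n in blocked_hip_checks(SAMPLE_LOGS).items():
        print(f"{n} blocked HIP report check(s) for gateway {host}")
        print("Solution 1 (custom category, action alert):")
        for cmd in remediation(host, "outside-url-profile", solution=1):
            print("  " + cmd)
        print("Solution 2 (profile allow list):")
        for cmd in remediation(host, "outside-url-profile", solution=2):
            print("  " + cmd)
```

Prefer the exact hipreportcheck.esp URL over the bare gateway IP: an allow-list entry for the whole IP exempts every path on the gateway from URL filtering, whereas the exact URL only exempts the HIP check. After committing, confirm in the URL Filtering log that hipreportcheck.esp is now logged with action alert rather than block, and that the GlobalProtect client log no longer reports "Send hip report check failed".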


https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PLXiCAO