
Sending HIP check report to firewall fails and Global Protect disconnects due to inactivity

Created On 04/12/19 03:02 AM - Last Modified 12/19/23 23:00 PM


Symptom


  • GlobalProtect users are disconnected because the app is not sending its HIP report to the firewall, so the inactivity timer kicks in.
  • The user is logged out with Reason: user session expired.




Environment


  • Palo Alto Firewalls
  • Supported PAN-OS
  • URL-Filtering
  • GlobalProtect


Cause


  • The inactivity logout timer logs users out when the gateway does not receive a HIP check from the GlobalProtect app.
  • This is configured under GUI: Network > GlobalProtect > Gateway > Agent > Timeout settings.
  • The client HIP report may be blocked if a URL filtering profile is applied to the outside-to-outside allow rule.
  • This can be seen in the URL filtering logs, where requests to <GP-GATEWAY-IP>/ssl-vpn/hipreportcheck.esp are blocked under the unknown category.
  • The GlobalProtect client logs show that the HIP report check failed:
(T1884) 10/04/19 10:04:39:708 Debug(1253): SSL3 alert write:warning:close notify
(T1884) 10/04/19 10:04:39:709 Info (4309): SendNReceive() failed.
(T1884) 10/04/19 10:04:39:709 Debug(4136): Send hip report check failed <<<<
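As an added example (not part of this KB article and not Palo Alto Networks code), the following Python script scans URL filtering log entries for blocked requests to the HIP report check URL described above and derives the custom URL category entry that Solution 1 would need. The log layout is a constructed, simplified CSV (src, dst, url, category, action); a real PAN-OS URL filtering export carries many more columns, so the column names and the set of actions treated as passing are assumptions to adapt to your own export.

```python
"""Scan URL filtering log entries for blocked GlobalProtect HIP report checks.

Added example, not from the KB article. The log layout is a constructed,
simplified CSV with the columns src, dst, url, category, action.
"""
import csv
from io import StringIO
from urllib.parse import urlsplit

# Path the GlobalProtect app posts the HIP report to (from the article).
HIP_REPORT_PATH = "/ssl-vpn/hipreportcheck.esp"

# Assumption: only these URL filtering actions let the request reach the
# gateway; any other action (block, continue, override pages) breaks the
# HIP check because the app cannot click through a response page.
PASSING_ACTIONS = {"allow", "alert"}

# Constructed sample log (documentation IP ranges, not real hosts).
SAMPLE_LOG = """\
src,dst,url,category,action
198.51.100.23,203.0.113.10,203.0.113.10/ssl-vpn/hipreportcheck.esp,unknown,block-url
198.51.100.23,203.0.113.10,203.0.113.10/ssl-vpn/login.esp,unknown,alert
198.51.100.41,203.0.113.10,203.0.113.10/ssl-vpn/hipreportcheck.esp,unknown,block-url
198.51.100.57,203.0.113.10,203.0.113.10/ssl-vpn/hipreportcheck.esp,private-ip-addresses,alert
198.51.100.60,198.51.100.9,example.com/index.html,unknown,block-url
"""


def find_blocked_hip_checks(log_text):
    """Return one dict per log entry whose action blocked a HIP report check."""
    hits = []
    for row in csv.DictReader(StringIO(log_text)):
        url = row["url"]
        # Log URLs usually lack a scheme; add one so urlsplit yields host and path.
        parts = urlsplit(url if "://" in url else "https://" + url)
        if parts.path != HIP_REPORT_PATH:
            continue  # not a HIP report request
        if row["action"].lower() in PASSING_ACTIONS:
            continue  # request reached the gateway; no HIP problem here
        hits.append({
            "src": row["src"],
            "gateway": parts.hostname,
            "category": row["category"],
            "action": row["action"],
        })
    return hits


def custom_category_entries(hits):
    """Unique <gateway>/ssl-vpn/hipreportcheck.esp entries for a custom URL category."""
    return sorted({f"{h['gateway']}{HIP_REPORT_PATH}" for h in hits})


if __name__ == "__main__":
    blocked = find_blocked_hip_checks(SAMPLE_LOG)
    for hit in blocked:
        print(f"{hit['src']} -> {hit['gateway']}: HIP check {hit['action']} "
              f"(category {hit['category']})")
    print("Add to custom URL category and set action to alert:")
    for entry in custom_category_entries(blocked):
        print("  " + entry)
```

Running the script on the sample prints two blocked HIP checks from different clients (the login.esp row and the alerted row are ignored) and one category entry to add; on your own export, an empty result while users still disconnect points away from URL filtering and toward the gateway timeout settings.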




Resolution


Solution 1:
  1. Create a new custom URL category and add the GlobalProtect gateway IP address or the complete URL "<GP-GATEWAY-IP>/ssl-vpn/hipreportcheck.esp" to it.
  2. In the URL filtering profile referenced by the security rule, change the action for this new category to alert.
Solution 2:
  1. Instead of the steps above, add the gateway IP address or the URL to the allow list of the URL filtering profile.
  • Either way the URL is allowed through and the HIP report is submitted.
  • Once the HIP report is submitted, the inactivity timer will not kick in.
Note: Applying URL filtering to a source zone that contains an external-facing interface is not a recommended configuration. Refer to CVE-2022-0028.

