Traffic Fails to Match Security Policy with HIP Profile Selected
28620
Created On 03/14/19 00:38 AM - Last Modified 01/21/20 22:32 PM
Symptom
- VPN connection established between client workstation running GlobalProtect and firewall configured with GlobalProtect Gateway
- GlobalProtect client sends HIP report to Gateway, HIP Match on firewall established
- Traffic from GlobalProtect client's IP matches security policy with HIP profile configured; session established to process traffic accordingly
- Moments later, a process on the client triggers domain authentication with a different username; the resulting security event on the domain controller updates the IP-user mapping recorded by the User-ID agent (UIA) or by PAN-OS agentless User-ID
- The firewall learns the updated mapping from User-ID, and it supersedes the original mapping learned from the GlobalProtect client login
- The HIP condition soon becomes a mismatch, so new traffic from the GlobalProtect client is handled by other, non-HIP policies even though the HIP profile is still valid at that time
- The Traffic log shows no source user for traffic that fails to match the correct HIP policy
- To restore connectivity through the firewall, the user has to log off from GlobalProtect and log back on to re-establish the IP-user mapping and the HIP match condition
Environment
- PAN-OS 8.0.10
- GP Agent versions 4.1.1-14 & 4.1.6
- GlobalProtect Portal and Gateway are configured on firewall
- HIP objects and profile configured
- HIP profile selected in security policy
- User ID is configured to retrieve IP-user-mapping
Cause
- Information from the HIP report is maintained by the User-ID process, the same process that manages IP-user mapping and user-group mapping
- Information in the HIP report is tied to the IP-user mapping from the GlobalProtect client; when the firewall receives a mapping update for the same GlobalProtect client IP but with a different username, the update supersedes the previous record
- A GlobalProtect client with an established VPN connection sends a HIP report to the firewall once an hour (sooner if something changes on the corresponding PC, e.g. a system setting or installed software). However, if the corresponding IP-user mapping has been superseded by another data source (e.g. the User-ID agent), the HIP data for that client is ignored, and traffic from the same client no longer matches security policies with a HIP profile selected
Resolution
- Using the include/exclude list on the User-ID agent (How the User-ID Agent Include/Exclude List Works) or the agentless User-ID setting (How to Configure Include/Exclude List for Agentless User-ID), the administrator can exclude the GlobalProtect Gateway IP pools from User-ID discovery.
- This leaves GlobalProtect as the only source of both the IP-user mapping and the HIP match for those addresses.
- As a result, the HIP information for a GlobalProtect client stays valid as long as the client's VPN connection established by GlobalProtect is up.
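The following Python model is an added illustration of the Cause and Resolution sections above; it is not Palo Alto Networks code and does not reproduce the PAN-OS User-ID implementation. It keeps one mapping per IP, attaches the HIP match to the GlobalProtect mapping, lets a later mapping from a User-ID source supersede it (dropping the HIP data, so the hourly HIP report is ignored), and then shows how an exclude entry covering the gateway IP pool keeps the GlobalProtect record intact. The IP pool, usernames, HIP profile name and policy names are constructed for the example.

```python
"""Model of the mapping/HIP interaction described in the article.

Constructed example (not PAN-OS code): one IP-user mapping per IP,
HIP data tied to the GlobalProtect mapping, and an include/exclude list
modelled as a prefix filter applied to mappings from User-ID sources.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Mapping:
    user: str
    source: str  # "globalprotect" or "user-id"
    hip_profiles: set = field(default_factory=set)  # HIP profiles matched


class UserIdProcess:
    def __init__(self, exclude_networks=()):
        # Networks excluded from User-ID discovery (the include/exclude list).
        self.exclude = [ipaddress.ip_network(n) for n in exclude_networks]
        self.table = {}  # ip (str) -> Mapping

    def gp_login(self, ip, user, hip_profiles):
        # GlobalProtect login creates the mapping and carries the HIP match.
        self.table[ip] = Mapping(user, "globalprotect", set(hip_profiles))

    def hip_report(self, ip, hip_profiles):
        # The hourly HIP report is only applied while the mapping is still
        # the GlobalProtect one; once superseded, the report is ignored.
        m = self.table.get(ip)
        if m is not None and m.source == "globalprotect":
            m.hip_profiles = set(hip_profiles)
            return True
        return False

    def userid_update(self, ip, user):
        # Mapping learned from the User-ID agent / agentless User-ID.
        # An exclude entry covering the address drops it before it can
        # supersede the GlobalProtect record.
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in self.exclude):
            return False
        self.table[ip] = Mapping(user, "user-id")  # HIP data is lost here
        return True

    def match_policy(self, ip, required_hip):
        # A policy with a HIP profile matches only while the HIP data is
        # still attached to the IP's mapping; otherwise the session falls
        # through to the non-HIP policies.
        m = self.table.get(ip)
        if m is not None and required_hip in m.hip_profiles:
            return "allow-hip-policy"
        return "other-policy"


def scenario(exclude_networks):
    """Replay the sequence from the Symptom section and report the outcome."""
    uid = UserIdProcess(exclude_networks)
    uid.gp_login("10.10.0.5", "alice", {"corp-compliant"})      # constructed
    before = uid.match_policy("10.10.0.5", "corp-compliant")
    # A process on the client authenticates to the domain as another account.
    uid.userid_update("10.10.0.5", "svc-backup")                 # constructed
    after = uid.match_policy("10.10.0.5", "corp-compliant")
    report_accepted = uid.hip_report("10.10.0.5", {"corp-compliant"})
    return before, after, report_accepted


if __name__ == "__main__":
    print("no exclude list:      ", scenario(()))
    print("GP pool excluded:     ", scenario(("10.10.0.0/16",)))
```

Without the exclude entry the second policy lookup falls to a non-HIP policy and the next HIP report is ignored, matching the Symptom section; with the gateway pool excluded, the GlobalProtect mapping is never replaced and the HIP policy keeps matching. When applying the real fix, the exclude entries must cover every IP pool configured on the gateway, including any pools added later.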