Domain information not included in the HIP report
Created On 02/25/21 10:46 AM - Last Modified 07/10/21 02:11 AM
Symptom
- When users connect with GlobalProtect, the GP agent on the client machine will generate a HIP report and send it to the Gateway.
- One can configure different HIP objects and profiles on the Gateway, and include a check for Domain information.
- These HIP profiles can be used as a match condition in the security rules.
- If domain information is missing from the HIP report, users will not hit the expected security rule and their traffic might get denied by the 'Clean-Up' rule.
In the non-working scenario, we can see that 'Domain' information is missing under 'host-info'.
In the working scenario, we can see that 'Domain' information is present under 'host-info'.
One can check the HIP report sent by the client machine as shown below:
PA-VM> debug user-id dump hip-report user phristov-lab\pavel-domain computer TEMPLATE-PC ip 192.168.99.11
<snip>
<entry name="host-info">
<managed>unknown</managed>
<serial-number>VMware-42 38 e2 c0 80 c2 e2 27-62 08 ab 02 8b 01 d7 d2</serial-number>
<client-version>5.0.4-16</client-version>
<os>Microsoft Windows 7 Enterprise Edition Service Pack 1, 64-bit</os>
<os-vendor>Microsoft</os-vendor>
<domain>phristov-lab.com</domain>
<host-name>TEMPLATE-PC</host-name>
<host-id>99584afe-4060-4eba-8640-0dbfd3e0d2f5</host-id>
We can see the domain is empty for the non-working scenario (below):
PA-VM> debug user-id dump hip-report user phristov-lab\pavel-nodomain computer TEMPLATE-PC ip 192.168.99.10
<snip>
<entry name="host-info">
<managed>unknown</managed>
<serial-number>VMware-42 38 ae 36 03 e4 a3 5c-79 c6 28 8c d7 32 ca d6</serial-number>
<client-version>5.1.0-75</client-version>
<os>Microsoft Windows 7 Enterprise Edition Service Pack 1, 64-bit</os>
<os-vendor>Microsoft</os-vendor>
<domain></domain>
<host-name>TEMPLATE-PC</host-name>
<host-id>99584afe-4060-4eba-8640-0dbfd3e0d2f5</host-id>
Note: Replace the domain, IP, and computer name to match your network.
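When dumps from several clients need to be compared, the check can be scripted. The following is an added example, not part of the original article or any Palo Alto Networks tooling; the function names and status labels are hypothetical, and it assumes the dump text has been saved from the CLI output shown above.

```python
import re

# Constructed samples: shortened copies of the two host-info fragments shown
# above, truncated the same way (no closing </entry>), so not well-formed XML.
WORKING = """<entry name="host-info">
<managed>unknown</managed>
<client-version>5.0.4-16</client-version>
<domain>phristov-lab.com</domain>
<host-name>TEMPLATE-PC</host-name>
"""
NON_WORKING = """<entry name="host-info">
<managed>unknown</managed>
<client-version>5.1.0-75</client-version>
<domain></domain>
<host-name>TEMPLATE-PC</host-name>
"""

# Leaf elements only: <tag>text</tag> with no nested markup.
LEAF_RE = re.compile(r"<(?P<tag>[\w-]+)>(?P<val>[^<]*)</(?P=tag)>")

def parse_host_info(dump):
    """Return the leaf fields that follow <entry name="host-info">.

    A regex is used instead of an XML parser because the CLI output is
    usually pasted truncated. Assumption: fields are flat leaf elements,
    as in the page's output; the first occurrence of each tag wins.
    """
    start = dump.find('<entry name="host-info">')
    if start == -1:
        raise ValueError("no host-info entry found in dump")
    fields = {}
    for m in LEAF_RE.finditer(dump, start):
        fields.setdefault(m["tag"], m["val"].strip())
    return fields

def domain_status(dump, expected_domain=None):
    """Classify the domain field of one HIP report dump (hypothetical labels)."""
    fields = parse_host_info(dump)
    if "domain" not in fields:
        return "domain-element-missing"
    if not fields["domain"]:
        return "domain-empty"
    if expected_domain and fields["domain"].lower() != expected_domain.lower():
        return "domain-mismatch"
    return "ok"

if __name__ == "__main__":
    for label, dump in (("pavel-domain", WORKING), ("pavel-nodomain", NON_WORKING)):
        print(label, domain_status(dump, expected_domain="phristov-lab.com"))
```

A status other than "ok" identifies a client whose HIP report will not match a HIP object that checks the domain.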
Environment
- Palo Alto Firewall.
- Any PAN-OS.
- GlobalProtect (GP) Agent.
- GlobalProtect Gateway.
- HIP Report.
Cause
The GlobalProtect Client system has not joined a domain.
To verify the computer's domain, run the command systeminfo | findstr /B /C:"Domain" in a Command Prompt (cmd) window.
Non-working scenario:
C:\Windows\system32>systeminfo | findstr /B /C:"Domain"
Domain: WORKGROUP
WORKGROUP means the computer is not part of a domain but a workgroup instead.
Working scenario: The computer has joined the working domain.
C:\Windows\system32>systeminfo | findstr /B /C:"Domain"
Domain: phristov-lab.com
Alternatively, one can navigate to Control Panel > System > Change Settings (under Computer name, domain, and workgroup settings) > Change... (under Computer Name)
Working vs Non-Working
Resolution
To resolve this issue, ensure the client machine has joined the AD domain. To join the domain, refer to the Microsoft Doc.
Additional Information
How Does The Hip Mechanism Work In GlobalProtect?