HIP profile for certificate check with certificate attributes is not working as expected

Created On 06/17/21 19:31 PM - Last Modified 10/11/24 21:40 PM


Symptom


  • A HIP profile that performs a certificate check using certificate attributes is not matching the respective user's traffic.
  • Certificate attributes include the subject, issuer, and so on.
  • The HIP profile is attached to the security policy, yet the HIP Match logs still do not show the user's traffic.


Environment


  • GlobalProtect HIP match
  • HIP Match logs not displayed


Cause


  • The HIP Object used for the certificate check has the certificate attribute value configured as only the common name, rather than the full value that appears in the HIP report, as shown below:
          [Screenshot: HIP Object certificate attribute configured with only the common name]


Resolution


  1. Check the exact value of the subject and issuer fields (the text between <value></value>) in the HIP report with the command below. Replace the computer name, IP address, and user with the values from your setup.
     > debug user-id dump hip-report computer WIN2-10-MADHU ip 192.168.100.205 user lab\krishna
     [Screenshot: HIP report output showing the certificate subject and issuer values]
  2. Navigate to Objects > GlobalProtect > HIP Objects > <hip-object> > Certificate.
  3. Use the complete value in the Value field, as shown below:
     <entry name="subject"><value>/CN=client-cert</value></entry>
     <entry name="issuer"><value>/CN=GlobalProtect</value></entry>
     [Screenshot: HIP Object certificate attributes configured with the full subject and issuer values]
  4. For the serial number, check the following entry in the HIP report:
     name="serial-no"><value>22F2A222</value><display-name>

Note: The value is case-sensitive; enter it exactly as it appears in the HIP report, including upper and lower case.
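The following is an added example, not part of the original article and not a Palo Alto Networks tool: it parses the <entry name="..."><value>...</value></entry> lines of a constructed HIP report fragment and compares them with the certificate attributes configured on a HIP Object, flagging the two mistakes the article describes (a bare common name instead of the full value, and a case difference). It assumes the match is an exact, case-sensitive string comparison, as the Note above states.

```python
import xml.etree.ElementTree as ET

# Constructed HIP report fragment (not a real capture); it mirrors the
# <entry name="..."><value>...</value></entry> lines the article quotes.
HIP_REPORT_XML = """<hip-report><categories><entry name="certificate">
  <entry name="subject"><value>/CN=client-cert</value></entry>
  <entry name="issuer"><value>/CN=GlobalProtect</value></entry>
  <entry name="serial-no"><value>22F2A222</value><display-name>Serial</display-name></entry>
</entry></categories></hip-report>"""


def report_cert_attributes(report_xml):
    """Return {attribute: value} for every <entry> that has a direct <value> child."""
    attrs = {}
    for entry in ET.fromstring(report_xml).iter("entry"):
        value = entry.find("value")  # direct child only; the category entry has none
        if value is not None and entry.get("name"):
            attrs[entry.get("name")] = (value.text or "").strip()
    return attrs


def check_hip_object(configured, report_attrs):
    """Compare configured HIP Object certificate attributes with the HIP report.

    Assumes an exact, case-sensitive string match (the article's Note).
    Returns [(attribute, configured_value, reported_value, hint)] for mismatches.
    """
    problems = []
    for name, want in configured.items():
        got = report_attrs.get(name)
        if got == want:
            continue
        if got is None:
            hint = "attribute absent from HIP report"
        elif got.lower() == want.lower():
            hint = "case differs; the value is case-sensitive"
        elif got.endswith("=" + want):
            hint = "only the common name was configured; use the full value"
        else:
            hint = "value differs"
        problems.append((name, want, got, hint))
    return problems


if __name__ == "__main__":
    report = report_cert_attributes(HIP_REPORT_XML)
    # Mis-configured object from the Cause section: bare common name instead of the full value.
    for problem in check_hip_object({"subject": "client-cert"}, report):
        print(problem)
```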
 


Additional Information


  • In addition to the above, for any HIP log mismatch issue, always verify that the correct certificate profile is attached to the HIP Object.

