Understanding HIP report processing between GlobalProtect Client and the Gateway (firewall)
Created On 07/14/20 14:25 PM - Last Modified 05/19/21 06:18 AM
Objective
The objective of this article is to provide a brief understanding of HIP report processing between the GP Client and the Gateway.
Environment
- Palo Alto Firewall.
- GlobalProtect (GP) Gateway / Agent
- HIP Check Procedure.
Procedure
By default, the HIP check interval is 1 hour (3600000 ms).
Below is the sequence of events explaining how HIP report processing between the GP Client and the Gateway (firewall) works:
- When the GP Client connects to the Portal, it receives a configuration that contains the HIP refresh interval and specifies which HIP data needs to be collected from the Client (to become part of the HIP report).
- GP Client successfully connects to the gateway and sends the "hipreportcheck" message. The "hipreportcheck" message contains the 'md5' sum of the HIP report.
- The gateway compares the 'md5' sum received from the GP Client and the md5 sum of the local report (if the report had been received from the Client earlier). If the gateway finds a different 'md5' sum, it concludes that the HIP report contents in the GP client are different/updated and requests the HIP report.
<hip-report-needed>yes</hip-report-needed>
- Note that if the Gateway license is not present, the Gateway responds with the following message: it does not request the HIP report and, as a result, there is no matching against HIP objects and policies.
<hip-report-needed>no</hip-report-needed>
- Even if the Gateway does not need the HIP report (because the 'md5' sum received from the GP Client matches the one already present on the gateway), the "hipreportcheck" message is sufficient to refresh the connectivity timeout timer.