Understanding HIP report processing between GlobalProtect Client and the Gateway (firewall)

• Palo Alto Firewall.
• GlobalProtect(GP) Gateway / Agent
• HIP Check Procedure.

• When the GP Client connects to Portal, it receives configuration with the refresh interval and the configuration of which HIP data needs to be collected from the Client (to be part of the HIP report).  
• GP Client successfully connects to the gateway and sends the "hipreportcheck" message. The "hipreportcheck" message contains the 'md5' sum of the HIP report. 
• The gateway compares the 'md5' sum received from the GP Client and the md5 sum of the local report (if the report had been received from the Client earlier). If the gateway finds a different 'md5' sum, it concludes that the HIP report contents in the GP client are different/updated and requests the HIP report.

<hip-report-needed>yes</hip-report-needed>

• Note that if the Gateway license is not present, the Gateway will respond with the following message, in which it does not request the HIP report and there will no matching against HIP objects and policies, as a result

• Even if the Gateway does not need the HIP report (due to the same 'md5' sum of the HIP report received from the GP Client and present on the gateway), the "hipreportcheck" message is sufficient to refresh the timer for connectivity timeout.