Windows GlobalProtect app does not perform custom HIP checks, and the GP app logs show "EVP_DecryptFinal_ex failed"

Created On 03/26/24 21:16 PM - Last Modified 05/07/24 13:56 PM


Symptom


The GlobalProtect app fails to collect HIP data for custom checks.
The computer name and the username are the same.

PanGpHip.log shows:

(P13696-T22624)Info ( 582): 03/20/24 14:55:50:839 EVP_DecryptFinal_ex failed
(P13696-T22624)Error( 580): 03/20/24 14:55:50:839 pan_read_text_from_file(): Failed to decrypt file C:\Program Files\Palo Alto Networks\GlobalProtect\HipPolicy.dat
(P13696-T22624)Debug( 232): 03/20/24 14:55:50:839 Cannot restore hip policy from file HipPolicy.dat.
...
...
(P13696-T22624)Debug( 300): 03/20/24 14:55:50:839 Computer domain is 
...
(P13696-T22624)Debug(  29): 03/20/24 14:55:52:854 No custom checks needed


PanGPS.log shows that the computer name and the username are the same, and may also show the "EVP_DecryptFinal_ex failed" log entry:

(P22684-T14764)Info ( 925): 03/20/24 14:55:07:387 Computer name is PALOALTO, OS version is Microsoft Windows 11 Pro , 64-bit
...
(P22684-T23844)Debug( 260): 03/20/24 14:55:07:540 start PanGPA in session 1, logged in user count is 1
(P22684-T23844)Debug( 183): 03/20/24 14:55:07:559 Run cmd C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe fromGPS in session 1 as user
(P22684-T23844)Debug( 298): 03/20/24 14:55:09:047 start C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe with returned ID 23900
(P22684-T23844)Debug(  25): 03/20/24 14:55:09:047 create thread 0x504 with thread ID 23920
(P22684-T23844)Debug( 107): 03/20/24 14:55:09:047 start CheckPanGpAgentThread 0x504 with client pid 23900
(P22684-T23920)Info ( 127): 03/20/24 14:55:09:051 CheckPanGpAgentThread: started.
(P22684-T23828)Debug(1986): 03/20/24 14:55:09:734 Enforcer,found 0 filter object belonging to us.
(P22684-T23828)Debug(  41): 03/20/24 14:55:09:734 Roaming profile is true
(P22684-T23828)Error( 145): 03/20/24 14:55:09:808 NetUserGetInfo is NERR_UserNotFound
(P22684-T23828)Debug( 167): 03/20/24 14:55:09:808 profileInfo username paloalto, profile path (null), server (null)
(P22684-T23828)Error(4031): 03/20/24 14:55:09:830 Failed to get attribute value 'Configurations', error code=0
(P22684-T23828)Debug(4039): 03/20/24 14:55:09:830 CPanMSServiceWin::IsGpDisabledForCurUser() - bGpIsDisabled=0.
(P22684-T23828)Info ( 202): 03/20/24 14:55:10:468 New Connection(127.0.0.1:50328) with socket(1380)
(P22684-T23828)Debug( 349): 03/20/24 14:55:10:468 Socket is connected by C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe
(P22684-T23828)Info ( 582): 03/20/24 14:55:10:705 EVP_DecryptFinal_ex failed
(P22684-T23828)Debug( 432): 03/20/24 14:55:10:705 Reinit translate with user context. Try again
(P22684-T23828)Debug(  41): 03/20/24 14:55:10:705 Roaming profile is false
(P22684-T23828)Debug( 167): 03/20/24 14:55:10:768 profileInfo username paloalto, profile path (null), server (null)

 



Environment


Windows
GlobalProtect app
HIP custom checks


Cause


If the computer name and the username are the same, the GP app does not obtain the correct decryption key from the Windows OS.
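
To check a collected PanGPS.log or PanGpHip.log for this condition, the following added example (not Palo Alto Networks code) looks for a matching computer name and username together with the decryption failure. The function name `triage` and the result keys are hypothetical, and the sample input is built from the log excerpts above.

```python
import re

# Constructed sample: lines copied from the PanGPS.log and PanGpHip.log excerpts above.
SAMPLE_LOG = r"""(P22684-T14764)Info ( 925): 03/20/24 14:55:07:387 Computer name is PALOALTO, OS version is Microsoft Windows 11 Pro , 64-bit
(P22684-T23828)Debug( 167): 03/20/24 14:55:09:808 profileInfo username paloalto, profile path (null), server (null)
(P22684-T23828)Info ( 582): 03/20/24 14:55:10:705 EVP_DecryptFinal_ex failed
(P13696-T22624)Info ( 582): 03/20/24 14:55:50:839 EVP_DecryptFinal_ex failed
(P13696-T22624)Error( 580): 03/20/24 14:55:50:839 pan_read_text_from_file(): Failed to decrypt file C:\Program Files\Palo Alto Networks\GlobalProtect\HipPolicy.dat
(P13696-T22624)Debug(  29): 03/20/24 14:55:52:854 No custom checks needed"""

COMPUTER_RE = re.compile(r"Computer name is ([^,]+),")
USERNAME_RE = re.compile(r"profileInfo username ([^,]+),")


def triage(log_text):
    """Hypothetical helper: report whether a log shows this article's signature."""
    computers, users = set(), set()
    decrypt_failures = 0
    hip_policy_unreadable = custom_checks_skipped = False
    for line in log_text.splitlines():
        if (m := COMPUTER_RE.search(line)):
            computers.add(m.group(1).strip().lower())
        if (m := USERNAME_RE.search(line)):
            users.add(m.group(1).strip().lower())
        if "EVP_DecryptFinal_ex failed" in line:
            decrypt_failures += 1
        if "Failed to decrypt file" in line and "HipPolicy.dat" in line:
            hip_policy_unreadable = True
        if "No custom checks needed" in line:
            custom_checks_skipped = True
    # Assumption: names are compared case-insensitively, because the excerpt
    # logs PALOALTO and paloalto for the affected machine.
    collisions = sorted(computers & users)
    return {
        "name_collisions": collisions,
        "decrypt_failures": decrypt_failures,
        "hip_policy_unreadable": hip_policy_unreadable,
        "custom_checks_skipped": custom_checks_skipped,
        # The article's condition: same name on both sides plus a failed decrypt.
        "matches_article": bool(collisions) and decrypt_failures > 0,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Concatenate PanGPS.log and PanGpHip.log from the same endpoint before passing them in, since the computer name and the HipPolicy.dat error are logged in different files.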

Resolution


Change the computer name or the username.


