Traffic from GlobalProtect Agent fails to match the correct security rule configured with HIP profile

Created On 07/29/22 01:57 AM - Last Modified 08/08/24 21:41 PM


Symptom


  • Traffic from GlobalProtect Agent does not match the expected security rule configured with HIP profile.
  • HIP Match log shows that the traffic matched the expected HIP profile correctly for the received HIP report.
  • "show user ip-user-mapping" displays the mismatched HIP profile:
> show user ip-user-mapping ip x.x.x.x

IP address:    x.x.x.x (vsys1)
User:          user1
From:          GP
Idle Timeout:  10638s
Max. TTL:      10638s
HIP Timestamp: 46677158s
HIP Query:     Disabled
HIP profiles that user belong to (used in policy)
HIP profile(s): HIP-Profile1                       <<<<<<<<<<<<< !!!!
Group(s):      user1(1)

 


Environment


  • GlobalProtect
  • Prisma Access
  • PAN-OS
  • HIP Profile


Cause


Software Issue.

Resolution


  1. The issue has been fixed under PAN-197115 in PAN-OS 10.1.10, 10.2.4 and above.
  2. Upgrading to a fixed version resolves the issue.
  3. As a workaround, reduce the number of HIP Profiles in the security policy to fewer than 32.
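
To check a configuration against the workaround in step 3, the following added example (not Palo Alto Networks code and not part of the original article) counts the distinct HIP profiles referenced by security rules in an exported configuration XML. The element names `hip-profiles`, `source-hip` and `destination-hip`, the keywords `any` and `no-hip`, and the reading of the limit as distinct profiles across all security rules are assumptions; the sample configuration is constructed.

```python
import xml.etree.ElementTree as ET

LIMIT = 32  # workaround on this page: fewer than 32 HIP profiles in security policy
# Assumed element names for HIP match criteria in a rule (not taken from this page).
HIP_TAGS = ("hip-profiles", "source-hip", "destination-hip")
# Assumed keyword values that are not HIP profile objects.
KEYWORDS = {"any", "no-hip"}


def hip_profiles_by_rule(config_xml):
    """Map each HIP profile name to the security rules that reference it."""
    root = ET.fromstring(config_xml)
    used = {}
    for rule in root.findall(".//security/rules/entry"):
        for tag in HIP_TAGS:
            for member in rule.findall(f"{tag}/member"):
                name = (member.text or "").strip()
                if name and name not in KEYWORDS:
                    used.setdefault(name, []).append(rule.get("name", "?"))
    return used


def within_workaround(config_xml):
    """Return (distinct_profile_count, True if the count is below LIMIT)."""
    count = len(hip_profiles_by_rule(config_xml))
    return count, count < LIMIT


# Constructed sample, not a real export.
SAMPLE = """<config><devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
<rulebase><security><rules>
  <entry name="gp-compliant"><hip-profiles><member>HIP-Profile1</member><member>HIP-Profile2</member></hip-profiles></entry>
  <entry name="gp-quarantine"><source-hip><member>HIP-Profile2</member></source-hip></entry>
  <entry name="gp-default"><source-hip><member>any</member></source-hip></entry>
</rules></security></rulebase>
</entry></vsys></entry></devices></config>"""

if __name__ == "__main__":
    for profile, rules in sorted(hip_profiles_by_rule(SAMPLE).items()):
        print(f"{profile}: {', '.join(rules)}")
    print("count=%d below_limit=%s" % within_workaround(SAMPLE))
```

The per-profile rule list shows which rules would need to be consolidated to bring the count down.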

