How to generate a HIP Match Log if a HIP profile fails to match

Created On 01/15/21 01:07 AM - Last Modified 03/26/21 17:09 PM


Objective


  • An entry is generated in the HIP Match Log of a gateway firewall whenever a GlobalProtect user's HIP report matches a configured HIP profile.
  • This document describes how to also generate a log entry when the user's report fails to match the intended HIP profile.


Environment


  • Any Palo Alto Networks firewall
  • PAN-OS 7.1 and newer
  • GlobalProtect gateway configured with HIP checks


Procedure


  1. Under Objects > GlobalProtect > HIP Profiles, identify the HIP Profile that your users should match.
  2. Inspect the HIP Profile and copy its match criteria:
     [Image: hip_profile_before]
  3. Create a new HIP profile with a name that indicates the user failed to match the right HIP profile. Add the same match criteria, but use the "not" keyword to negate all of the existing logic. In this example the name "windows_nomatch" is used to indicate that the user did not match the Windows HIP profile:
     [Image: hip_profile_new]
  4. Commit the configuration.
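The following Python model is an added example and is not PAN-OS code or anything from the article; it illustrates why negating the whole match expression gives a profile that is the exact complement of the original, so every submitted report matches exactly one of the two and therefore always produces a HIP Match Log entry. The HIP object names, the report fields and the expression grammar (quoted object names joined with and/or/not and parentheses) are constructed assumptions for the example. It also shows the failure mode of negating each term individually instead of the whole expression, which leaves reports that match neither profile and so never appear in the log.

```python
"""Toy model of HIP profile evaluation on a GlobalProtect gateway.

Added example; not PAN-OS code. Object names, report fields and the
expression grammar are constructed assumptions for illustration only.
"""
import re
from typing import Callable, Dict, List

# Constructed HIP objects: name -> predicate over a submitted HIP report.
HIP_OBJECTS: Dict[str, Callable[[dict], bool]] = {
    "windows_os": lambda r: r.get("os", "").startswith("Windows"),
    "av_installed": lambda r: r.get("antivirus_running") is True,
    "disk_encrypted": lambda r: r.get("disk_encryption") == "enabled",
}

# Tokens: a quoted object name, or one of the operators / parentheses.
TOKEN = re.compile(r'\s*(?:("([^"]+)")|(and|or|not|\(|\)))')


def tokenize(expr: str) -> List[tuple]:
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"bad token at offset {pos}: {expr[pos:]!r}")
        pos = m.end()
        tokens.append(("obj", m.group(2)) if m.group(2) else ("op", m.group(3)))
    return tokens


class Parser:
    """Recursive-descent evaluator: or < and < not < atom (precedence)."""

    def __init__(self, tokens: List[tuple], report: dict):
        self.tokens, self.report, self.i = tokens, report, 0

    def peek(self):
        return self.tokens[self.i] if self.i < len(self.tokens) else None

    def parse_or(self) -> bool:
        value = self.parse_and()
        while self.peek() == ("op", "or"):
            self.i += 1
            rhs = self.parse_and()  # always consume the right-hand side
            value = value or rhs
        return value

    def parse_and(self) -> bool:
        value = self.parse_not()
        while self.peek() == ("op", "and"):
            self.i += 1
            rhs = self.parse_not()
            value = value and rhs
        return value

    def parse_not(self) -> bool:
        if self.peek() == ("op", "not"):
            self.i += 1
            return not self.parse_not()
        return self.parse_atom()

    def parse_atom(self) -> bool:
        tok = self.peek()
        if tok == ("op", "("):
            self.i += 1
            value = self.parse_or()
            if self.peek() != ("op", ")"):
                raise ValueError("missing closing parenthesis")
            self.i += 1
            return value
        if tok and tok[0] == "obj":
            self.i += 1
            if tok[1] not in HIP_OBJECTS:
                raise ValueError(f"unknown HIP object {tok[1]!r}")
            return HIP_OBJECTS[tok[1]](self.report)
        raise ValueError(f"unexpected token {tok!r}")


def evaluate(expr: str, report: dict) -> bool:
    """True if the HIP report satisfies the profile's match expression."""
    parser = Parser(tokenize(expr), report)
    result = parser.parse_or()
    if parser.peek() is not None:
        raise ValueError("trailing tokens in expression")
    return result


# Profiles mirroring the procedure: the intended profile and its negation.
WINDOWS_MATCH = '"windows_os" and "av_installed" and "disk_encrypted"'
HIP_PROFILES = {
    "windows": WINDOWS_MATCH,
    "windows_nomatch": f"not ({WINDOWS_MATCH})",  # negate the WHOLE expression
}
# Wrong way: negating each term separately is not the complement.
WRONG_NOMATCH = 'not "windows_os" and not "av_installed" and not "disk_encrypted"'


def hip_match_entries(report: dict, profiles: Dict[str, str] = HIP_PROFILES) -> List[str]:
    """Names of every profile the report matches: the HIP Match Log entries the
    gateway would write when the report is submitted (security policy plays no part)."""
    return [name for name, expr in profiles.items() if evaluate(expr, report)]


def partitions(expr_a: str, expr_b: str, reports: List[dict]) -> bool:
    """True if every sample report matches exactly one of the two profiles."""
    return all(evaluate(expr_a, r) != evaluate(expr_b, r) for r in reports)


# Constructed sample HIP reports.
COMPLIANT = {"os": "Windows 10", "antivirus_running": True, "disk_encryption": "enabled"}
NO_AV = {"os": "Windows 10", "antivirus_running": False, "disk_encryption": "enabled"}
MAC = {"os": "macOS 11", "antivirus_running": True, "disk_encryption": "enabled"}

if __name__ == "__main__":
    for name, report in [("compliant", COMPLIANT), ("no_av", NO_AV), ("mac", MAC)]:
        print(f"{name:10s} -> HIP Match Log entries: {hip_match_entries(report)}")
    print("whole-expression negation partitions reports:",
          partitions(WINDOWS_MATCH, HIP_PROFILES["windows_nomatch"], [COMPLIANT, NO_AV, MAC]))
    print("per-term negation partitions reports:",
          partitions(WINDOWS_MATCH, WRONG_NOMATCH, [COMPLIANT, NO_AV, MAC]))
```

The `partitions` check is the one worth keeping in mind when building the negated profile on a real gateway: the Windows-with-no-antivirus report matches neither the original profile nor the per-term negation, so with that wrong negation no HIP Match Log entry is written for it at all, which is precisely the blind spot the procedure is meant to remove.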


Additional Information


Once the new "nomatch" HIP profile ("windows_nomatch" in the example above) is created, every incoming user HIP report is evaluated against it. It is not necessary to add the new HIP profile to any security policy rule. As the following document explains (in Step 6), all configured HIP profiles are evaluated at the moment a HIP report is submitted, not when security rules are matched:
https://docs.paloaltonetworks.com/globalprotect/9-0/globalprotect-admin/host-information/configure-hip-based-policy-enforcement

Now the HIP Match Logs (Monitor > Logs > HIP Match) will contain an entry for the "nomatch" profile whenever a user connects and fails to match the proper HIP profile.


