HIP reports are not sent to the GlobalProtect Gateway
Created On 02/13/21 03:09 AM - Last Modified 03/07/25 14:31 PM
Symptom
- There are HIP-match-based security rules controlling traffic for GlobalProtect users.
- The rules are not matching, and it is identified that no HIP report is available on the gateway for the clients.
- The issue affects all users on the specific gateway who match a specific agent config.
- Triage the HIP issue using the troubleshooting article How to Troubleshoot HIP Match Issues.
- The same PC, when connected to another GP gateway or Prisma tenant, works fine with HIP reports, and logs can be seen for that user. This isolates the issue away from the user machine.
- There are no block logs from the GP client's public IP to the gateway's public IP.
- The issue persists even after removing all third-party proxy and security software from the client.
- Even if the client attempts to submit the HIP report manually, it does not work. The PanGPS logs below show that the client is not submitting the report even on manual submission (enable dump-level logging on the GP client):
Dump 02/01/21 10:15:50:038 Received following message from UI
<request><type>hip</type></request>
Debug 02/01/21 10:15:50:045 CheckHipMissingPatchInOtherProcess(): Starting process PanGpHipMp.exe
Debug 02/01/21 10:16:24:978 Got hip report in other process ready event.
<hip-report>
<generate-time>02/01/2021 10:16:24</generate-time>
Debug 02/01/21 10:16:24:978 HipReportThread: got HIP report ready event.
Debug 02/01/21 10:16:24:979 HipReportThread: wait for network discover ready event.
Debug 02/01/21 10:16:25:127 HipReportThread: network type is unknown network.
Environment
- Palo Alto Firewall or Prisma Access Firewall.
- Supported PAN-OS.
- GlobalProtect configured
- HIP Check enabled.
Cause
- Check the PanGPS logs for the following entries:
Debug: 01/31/21 18:44:42:963 NetworkDiscoverThread: Discover external network.
Debug: 01/31/21 18:44:42:963 gateway 0 of us-east-g-customer.gw.gpcloudservice.com is manual select only, will not be in rediscover list
Debug: 01/31/21 18:44:42:963 gateway 1 of us-southeast-customer.gw.gpcloudservice.com is manual select only, will not be in rediscover list
Debug: 01/31/21 18:44:42:963 There is no gateway suitable to discovery
Debug: 02/01/21 10:09:58:418 --Set state to Connected
Debug: 02/01/21 10:09:58:540 Tunnel is created with the gateway us-southeast-customer.gw.gpcloudservice.com
Debug: 02/01/21 10:09:59:445 HipReportThread: network type is unknown network.
Debug: 02/01/21 10:09:59:447 HipReportThread: wait for HIP report ready event.
- The logs above indicate that discovery of the external network and gateway is failing. The "There is no gateway suitable to discovery" message points to a configuration problem.
- Further, the HIP logs show the network type as unknown, which means the HIP report will not be sent. Check the connect method in the portal agent config or in the PanGPS logs to see whether it is set to user-logon:
Info: 01/29/21 13:43:26:411 Connect method is user-logon
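As an added illustration (not part of this article or of any Palo Alto Networks tooling), the Python script below scans a PanGPS log excerpt for the signatures discussed above: the connect method line, the per-gateway "manual select only" lines, the "no gateway suitable" message and the unknown network type, and flags the combination this article attributes to the misconfiguration. The sample log is constructed from the lines quoted in this article; the function and field names are my own.

```python
import re

# Constructed sample PanGPS excerpt, assembled from the lines quoted in this
# article (the gateway hostnames are the article's example values).
SAMPLE_PANGPS_LOG = """\
Info: 01/29/21 13:43:26:411 Connect method is user-logon
Debug: 01/31/21 18:44:42:963 NetworkDiscoverThread: Discover external network.
Debug: 01/31/21 18:44:42:963 gateway 0 of us-east-g-customer.gw.gpcloudservice.com is manual select only, will not be in rediscover list
Debug: 01/31/21 18:44:42:963 gateway 1 of us-southeast-customer.gw.gpcloudservice.com is manual select only, will not be in rediscover list
Debug: 01/31/21 18:44:42:963 There is no gateway suitable to discovery
Debug: 02/01/21 10:09:59:445 HipReportThread: network type is unknown network.
"""

CONNECT_METHOD_RE = re.compile(r"Connect method is (\S+)")
MANUAL_GW_RE = re.compile(r"gateway (\d+) of (\S+) is manual select only")
NO_GATEWAY_MARKER = "There is no gateway suitable to discovery"
UNKNOWN_NETWORK_MARKER = "network type is unknown network"


def analyze_pangps(log_text):
    """Summarise the HIP-related signatures found in a PanGPS log excerpt."""
    connect_method = None
    manual_gateways = []
    no_gateway = False
    unknown_network = False
    for line in log_text.splitlines():
        m = CONNECT_METHOD_RE.search(line)
        if m:
            connect_method = m.group(1)
        m = MANUAL_GW_RE.search(line)
        if m:
            manual_gateways.append(m.group(2))
        if NO_GATEWAY_MARKER in line:
            no_gateway = True
        if UNKNOWN_NETWORK_MARKER in line:
            unknown_network = True
    # The article's condition: user-logon with every external gateway set to
    # manual-only, so discovery has no candidate and no HIP report is sent.
    misconfigured = connect_method == "user-logon" and no_gateway
    return {
        "connect_method": connect_method,
        "manual_only_gateways": manual_gateways,
        "no_gateway_suitable": no_gateway,
        "unknown_network": unknown_network,
        "hip_blocked_by_manual_only_gateways": misconfigured,
    }


if __name__ == "__main__":
    for key, value in analyze_pangps(SAMPLE_PANGPS_LOG).items():
        print(f"{key}: {value}")
```

Run it against a real PanGPS.log after reproducing the manual HIP submission; a result with connect method user-logon and no suitable gateway matches the cause described in this article.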
Resolution
- The user-logon connect method cannot be used when all the external gateways listed in the configuration are in manual-only mode (Step 7 -7).
- This is a misconfiguration; either of the two options below will fix the issue.
- Configure the On-Demand connect method.
- Assign the gateways a priority and remove manual-only mode. (They can still be made available for manual connection so the user can select the gateway.)
Additional Information
3 Mar 23 (Vijay) - Article updated with Salman and published external.