Are bidirectional flows supported for HIP Redistribution?

Created On 11/15/24 10:03 AM - Last Modified 07/14/25 20:25 PM


Question


Is it supported to have two firewalls both as HIP Redistribution Agents and Clients to each other? 



Environment


  • Palo Alto Firewalls
  • Prisma Access
  • Supported PAN-OS 
  • HIP Redistribution


Answer


  1. No, bidirectional flows for HIP Redistribution are not supported.
  2. Refer to HIP Redistribution - Prisma Access or HIP Redistribution - On-Prem Firewalls.

Note: Bidirectional flows for User-ID redistribution are not recommended either, because the information is looped back to the originator.



Additional Information


Configuring bidirectional HIP redistribution can cause delays in HIP report redistribution and congestion in the useridd and distributord query and messaging queues.

This appears as the following warning in useridd.log (less mp-log useridd.log):

2024-10-03 11:21:01.008 +0200 Warning: pan_dcom_queue_full(pan_dcom_sock.c:91): conn dist_client: queued receive messages(30183) are more than 5000

Or as the following error, also in useridd.log (less mp-log useridd.log):

2024-10-08 14:28:31.378 +0200 Error: pan_user_id_dagent_hip_query_add_i(pan_user_id_agent.c:3732): agents has reached max hip queries(16384), not send to distributord
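To spot this condition in a collected log before it is noticed through delayed HIP reports, the parser below extracts the two queue-limit messages quoted above and flags a log that contains both. This is an added example, not part of the article or of PAN-OS; the sample log lines are constructed in the format shown above, and treating the co-occurrence of both messages as a sign of a redistribution loop is an assumption, not a documented rule.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample lines in the useridd.log format shown in the article.
SAMPLE_LOG = """\
2024-10-03 11:20:55.120 +0200 Debug: pan_user_id_dagent_hip_query_add_i(pan_user_id_agent.c:3700): hip query queued
2024-10-03 11:21:01.008 +0200 Warning: pan_dcom_queue_full(pan_dcom_sock.c:91): conn dist_client: queued receive messages(30183) are more than 5000
2024-10-08 14:28:31.378 +0200 Error: pan_user_id_dagent_hip_query_add_i(pan_user_id_agent.c:3732): agents has reached max hip queries(16384), not send to distributord
"""

# Timestamp is "YYYY-MM-DD HH:MM:SS.mmm +ZZZZ"; the two patterns follow the quoted messages exactly.
QUEUE_FULL = re.compile(
    r"^(?P<ts>\S+ \S+ [+-]\d{4}) Warning: pan_dcom_queue_full\(.*?\): conn (?P<conn>\S+): "
    r"queued receive messages\((?P<queued>\d+)\) are more than (?P<limit>\d+)$"
)
MAX_HIP = re.compile(
    r"^(?P<ts>\S+ \S+ [+-]\d{4}) Error: pan_user_id_dagent_hip_query_add_i\(.*?\): "
    r"agents has reached max hip queries\((?P<limit>\d+)\), not send to distributord$"
)

@dataclass
class CongestionEvent:
    timestamp: str
    kind: str                # "dcom_queue_full" or "max_hip_queries"
    observed: Optional[int]  # queued message count, when the message reports one
    limit: int               # the threshold the daemon reported

def parse_line(line: str) -> Optional[CongestionEvent]:
    """Return a CongestionEvent for one of the two known messages, else None."""
    m = QUEUE_FULL.match(line)
    if m:
        return CongestionEvent(m["ts"], "dcom_queue_full", int(m["queued"]), int(m["limit"]))
    m = MAX_HIP.match(line)
    if m:
        return CongestionEvent(m["ts"], "max_hip_queries", None, int(m["limit"]))
    return None

def find_congestion(log_text: str) -> list:
    """Scan a whole useridd.log capture and keep only the queue-limit events."""
    return [ev for ev in (parse_line(l) for l in log_text.splitlines()) if ev]

def suspect_bidirectional_redistribution(events: list) -> bool:
    """Assumed heuristic: both symptoms together point at a HIP redistribution loop."""
    kinds = {e.kind for e in events}
    return {"dcom_queue_full", "max_hip_queries"} <= kinds
```

Run `find_congestion` over the text of `less mp-log useridd.log` exported from each firewall in the suspected pair; if both sides report both messages, review the redistribution configuration for a mutual agent/client relationship.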

