GP fails to send HIP report to the GlobalProtect Gateway; thereby impacting HIP based policy enforcement
10441
Created On 10/20/22 10:49 AM - Last Modified 06/15/23 07:49 AM
Symptom
After GlobalProtect Client establishes the tunnel(either IPsec or SSL) with GlobalProtect Gateway, the GPC does not send HIPreportcheck message, nor does it lead to sending HIPreport.
- eventually, the host state is not sent to the GlobalProtect Gateway
- with no HIP report on the gateway, the user's access to resources via Gateway is impacted, as security policies are configured with host-state to match against
In pan_gp_event.log, after tunnel creation, there are no events related with HIP
[Info ]: Portal login completed with address portal.abc.com and conect method of user-logon. [Info ]: Network discovery started. [Info ]: Manual Gateway login finished with address gateway.abc.com and user username. [Info ]: IPSec tunnel creation finished with Gateway gateway.abc.com
In PanGPS.log, a sequence events can be noticed,
- the globalprotect tunnel gets established
- HIP report is generated and is written to file, just fine
- HIPReportThread, discovers the network type to be unknown
- HIPreportcheck is not sent and eventually, HIPreport is not sent either
# the globalprotect tunnel is established and the status is connected (P5928-T17004)Debug( 278): HipCheckThread: check hip in other process. (P5928-T17004)Debug( 306): CheckHipInOtherProcess() (P5928-T17004)Debug( 310): Need to collect hip data (P5928-T14596)Dump (1030): status is Connected # the HIP report is read from PanGpHip & written to file -- so, the host state collection on the machine goes well (P5928-T17004)Debug( 140): Got hip report in other process ready event. (P5928-T17004)Debug( 159): Read output from PanGpHip.exe (P5928-T17004)Debug( 170): >>>CheckHip: hip report head size 11204 (P5928-T17004)Debug( 188): >>>CheckHip: total bytes read: 11204 (P5928-T17004)Debug( 198): write hip file now # HipReportThread performs discovers that the "network type" is unknown (P5928-T17004)Debug( 216): CheckHipInOtherProcess() sets hip report ready event. (P5928-T17004)Debug( 136): Wait for the ready event of hip report generated in other process. (P5928-T8540)Debug(6338): HipReportThread: got HIP report ready event. (P5928-T8540)Debug(6354): HipReportThread: wait for network discover ready event. (P5928-T8540)Debug(6359): HipReportThread: got network discover ready event. (P5928-T8540)Debug(6431): Sending hip report delay max registry setting is -1 seconds (P5928-T8540)Debug(6433): Set max sending hip report delay to default 1800 seconds (P5928-T8540)Debug(6449): v4 hip report is encoded (P5928-T8540)Debug(6472): HIP report v4 md5 digest is 9cabcc7b4d2d86a1666ddfe51fd25e4 * (P5928-T8540)Debug(6500): HipReportThread: network type is unknown network. (P5928-T8540)Dump (1030): status is Connected # the HIP report is not sent to the Gateway eventhough the Client is still connected; any access to resources via Gateway fails since it does not match the expected policy
- resubmitting Host Profile from GlobalProtect does not help either; the resubmission runs through the above sequence and stop right after HipReportThread identifying the network type as unknown
Environment
GlobalProtect gateways on Prisma Access or On Premise
- HIP based security policy enforcement
- note: HIP evaluation on On Premise GP Gateways requires License
Cause
The issue here primarily ties with "Internal Host Detection (IHD)" from the Network Discovery stage.
- By default, the GlobalProtect gateway needs to know if the HIP report is for internal or external network to match the correct policy.
- As there is no concept that a HIP report is sent for unknown network type, HipReportThread does not proceed forward with hipreportcheck & hipreport.
(P5928-T20596)Debug(1943): Internal host detection is not defined (P5928-T20596)Debug(5881): NetworkDiscoverThread: network type is unknown. (P5928-T20596)Debug(5889): NetworkDiscoverThread: Discover internal network. (P5928-T20596)Info ( 376): Gateway count is 0 for internal network. * (P5928-T20596)Error(5922): NetworkDiscoverThread: UNKNOWN_NETWORK (internal host detection is not set) and internal gateway list is empty. (P5928-T20596)Debug(5967): NetworkDiscoverThread: Discover external network.
Resolution
1. GlobalProtect Client needs to know how to determine the network type (internal/external). So, enable Internal Host Detection on Portal Agent Config.
- while Internal Host Detection is not a mandatory config, it is considered as a best practise and avoids these corner cases
Additional Information
In an ideal scenario(when network type is "known"), the HipReportThread proceeds ahead to trigger hipreportcheck message and then based on the response from Gateway, it triggers sending hipreport.
- note: with users connecting to the same GlobalProtect gateway & connecting with the same Portal Agent Config that do not have Internal Host Detection enabled, sometimes, the network discovery can return correctly unlike the above. (this may require Engineering discussion, however, with IHD enabled, this rareness will not be seen)
- at the same time, this issue can occur specially for select combination of connect-method & gateway-type