GP 发送失败HIP向GlobalProtect网关;从而影响HIP基于policy执法
9393
Created On 10/20/22 10:49 AM - Last Modified 06/15/23 07:49 AM
Symptom
后GlobalProtect客户端建立隧道(IPsec 或SSL) 和GlobalProtect网关,GPC不发送 HIPreportcheck 消息,也不会导致发送 HIPreport。
- 最终,主机状态不会发送到GlobalProtect网关
- 没有HIP在网关上报告,用户通过网关访问资源会受到影响,因为安全策略配置了主机状态以匹配
在pan_gp_event.log , 隧道创建后,没有相关事件HIP
[Info ]: Portal login completed with address portal.abc.com and conect method of user-logon. [Info ]: Network discovery started. [Info ]: Manual Gateway login finished with address gateway.abc.com and user username. [Info ]: IPSec tunnel creation finished with Gateway gateway.abc.com
在PanGPS.log ,可以注意到序列事件,
- 这globalprotect隧道建立
- HIP 生成报告并写入文件,就好了
- HIP报告线程, 发现网络类型为未知
- 不发送 HIPreportcheck,最终也不发送 HIPreport
# the globalprotect tunnel is established and the status is connected (P5928-T17004)Debug( 278): HipCheckThread: check hip in other process. (P5928-T17004)Debug( 306): CheckHipInOtherProcess() (P5928-T17004)Debug( 310): Need to collect hip data (P5928-T14596)Dump (1030): status is Connected # the HIP report is read from PanGpHip & written to file -- so, the host state collection on the machine goes well (P5928-T17004)Debug( 140): Got hip report in other process ready event. (P5928-T17004)Debug( 159): Read output from PanGpHip.exe (P5928-T17004)Debug( 170): >>>CheckHip: hip report head size 11204 (P5928-T17004)Debug( 188): >>>CheckHip: total bytes read: 11204 (P5928-T17004)Debug( 198): write hip file now # HipReportThread performs discovers that the "network type" is unknown (P5928-T17004)Debug( 216): CheckHipInOtherProcess() sets hip report ready event. (P5928-T17004)Debug( 136): Wait for the ready event of hip report generated in other process. (P5928-T8540)Debug(6338): HipReportThread: got HIP report ready event. (P5928-T8540)Debug(6354): HipReportThread: wait for network discover ready event. (P5928-T8540)Debug(6359): HipReportThread: got network discover ready event. (P5928-T8540)Debug(6431): Sending hip report delay max registry setting is -1 seconds (P5928-T8540)Debug(6433): Set max sending hip report delay to default 1800 seconds (P5928-T8540)Debug(6449): v4 hip report is encoded (P5928-T8540)Debug(6472): HIP report v4 md5 digest is 9cabcc7b4d2d86a1666ddfe51fd25e4 * (P5928-T8540)Debug(6500): HipReportThread: network type is unknown network. (P5928-T8540)Dump (1030): status is Connected # the HIP report is not sent to the Gateway eventhough the Client is still connected; any access to resources via Gateway fails since it does not match the expected policy
- 重新提交主机配置文件GlobalProtect也无济于事;重新提交按上述顺序运行,并在 HipReportThread 将网络类型识别为未知后立即停止
Environment
GlobalProtect 网关上Prisma Access或在前提
- HIP 基于安全policy执法
- 笔记:HIP内部评估GP网关需要许可证
Cause
这里的问题主要是与“联系”内部主机检测(IHD )”来自网络发现阶段。
- 默认情况下,GlobalProtect网关需要知道是否HIP报告是为内部或外部网络匹配正确的policy.
- 由于没有概念HIP为未知网络类型发送报告,HipReportThread 不会继续使用 hipreportcheck 和 hireport。
(P5928-T20596)Debug(1943): Internal host detection is not defined (P5928-T20596)Debug(5881): NetworkDiscoverThread: network type is unknown. (P5928-T20596)Debug(5889): NetworkDiscoverThread: Discover internal network. (P5928-T20596)Info ( 376): Gateway count is 0 for internal network. * (P5928-T20596)Error(5922): NetworkDiscoverThread: UNKNOWN_NETWORK (internal host detection is not set) and internal gateway list is empty. (P5928-T20596)Debug(5967): NetworkDiscoverThread: Discover external network.
Resolution
1.GlobalProtect客户端需要知道如何确定网络类型(内部/外部)。 所以,启用内部主机检测在门户代理配置上。
- 虽然内部主机检测不是强制配置,但它被认为是最佳实践并避免了这些极端情况
Additional Information
在理想情况下(当网络类型为“已知的"), HipReportThread 继续触发报告检查消息,然后根据网关的响应,触发发送报告.
- 注意:用户连接到同一个GlobalProtect网关并与未启用内部主机检测的相同门户代理配置连接,有时,网络发现可以正确返回,与上述不同。 (这可能需要工程讨论,但是,IHD启用,这种稀有性将不会被看到)
- 同时,此问题可能特别针对连接方法和网关类型的选择组合