After connecting GlobalProtect, user traffic is sometimes dropped by the security rule with 'no-hip'

Created On 11/25/22 06:31 AM - Last Modified 05/24/24 20:39 PM


Symptom


  • A security policy is configured with the source user 'unknown' and the source device 'no-hip' to block (deny) traffic from a GP user whose client does not send any HIP report.
  • After the GP tunnel is established, the user's traffic sometimes matches this 'no-hip' policy and is dropped.
  • The issue tends to occur when the PC is restarted or resumes from sleep mode, especially when Windows Update has changed something in the user's HIP report.
  • In the GlobalProtect App logs, you can see delays in each process.

PanGPS.log:
It took 55 seconds for PanGPS to get the HIP report from PanGpHip.

(P5964-T10932)Debug( 278): 04/01/22 08:31:19:372 HipCheckThread: check hip in other process.
...
(P5964-T10932)Debug( 213): 04/01/22 08:32:14:315 CheckHipInOtherProcess() sets hip report ready event.

PanGpHip.log: 
Opswat initialization took 13 seconds.
(P14704-T14500)Debug(  60): 04/01/22 08:31:19:590 initOpswat
(P14704-T14500)Debug(1772): 04/01/22 08:31:32:743 Opswat version: 4.3.2668.0
(P14704-T14500)Debug(  81): 04/01/22 08:31:32:743 Opswat is inited.
Microsoft API LoadUserProfileW took 25 seconds.
(P14704-T14500)Debug(  28): 04/01/22 08:31:32:837 m_bIsRoamingProfile: false 
(P14704-T14500)Debug(  41): 04/01/22 08:31:32:837 Roaming profile is false
(P14704-T14500)Debug( 105): 04/01/22 08:31:32:853 User profile directory is C:\Users\d635438
(P14704-T14500)Debug( 167): 04/01/22 08:31:32:853 profileInfo username d635438, profile path (null), server (null)
(P14704-T14500)Debug(  47): 04/01/22 08:31:57:058 HipCustomCheck(): check registry key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate completed. Exist: yes, Value: (null)
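
To find delays like these in a full PanGPS.log or PanGpHip.log, the following added example (not part of the original article and not Palo Alto Networks code) parses the line format shown above and reports gaps between consecutive entries of the same process/thread. The function names, the 5-second threshold and the MM/DD/YY reading of the date field are assumptions.

```python
import re
from datetime import datetime

# Lines copied from the PanGPS.log / PanGpHip.log excerpts in this article.
SAMPLE = r"""
(P5964-T10932)Debug( 278): 04/01/22 08:31:19:372 HipCheckThread: check hip in other process.
...
(P5964-T10932)Debug( 213): 04/01/22 08:32:14:315 CheckHipInOtherProcess() sets hip report ready event.
(P14704-T14500)Debug(  60): 04/01/22 08:31:19:590 initOpswat
(P14704-T14500)Debug(1772): 04/01/22 08:31:32:743 Opswat version: 4.3.2668.0
(P14704-T14500)Debug(  81): 04/01/22 08:31:32:743 Opswat is inited.
(P14704-T14500)Debug( 167): 04/01/22 08:31:32:853 profileInfo username d635438, profile path (null), server (null)
(P14704-T14500)Debug(  47): 04/01/22 08:31:57:058 HipCustomCheck(): check registry key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate completed. Exist: yes, Value: (null)
"""

# (P<pid>-T<tid>)<level>(<source line>): <date> <HH:MM:SS:mmm> <message>
LINE_RE = re.compile(
    r"^\(P(?P<pid>\d+)-T(?P<tid>\d+)\)(?P<level>\w+)\(\s*(?P<src>\d+)\):\s+"
    r"(?P<ts>\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}:\d{3})\s+(?P<msg>.*)$"
)

def parse(line):
    """Return ((pid, tid), timestamp, message), or None for non-log lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # Assumption: the date is MM/DD/YY; %f reads the 3-digit milliseconds.
    ts = datetime.strptime(m["ts"], "%m/%d/%y %H:%M:%S:%f")
    return (m["pid"], m["tid"]), ts, m["msg"]

def find_gaps(text, threshold_s=5.0):
    """List (thread, seconds, previous message, next message) for each
    pause of at least threshold_s between entries of the same thread."""
    last, gaps = {}, []
    for line in text.splitlines():
        rec = parse(line)
        if rec is None:
            continue  # skips blank lines and elided ("...") sections
        key, ts, msg = rec
        if key in last:
            delta = (ts - last[key][0]).total_seconds()
            if delta >= threshold_s:
                gaps.append((key, round(delta, 3), last[key][1], msg))
        last[key] = (ts, msg)
    return gaps

if __name__ == "__main__":
    for (pid, tid), delta, before, after in find_gaps(SAMPLE):
        print(f"P{pid}-T{tid} {delta:7.3f}s  {before[:40]!r} -> {after[:40]!r}")
```

Comparing gaps per process/thread keeps entries from interleaved threads in a combined log from masking or inventing a delay.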
 


Environment


  • GlobalProtect (GP) App
  • Prisma Access for Mobile Users
  • HIP report


Cause


This happens due to GPC-15149, where the GlobalProtect agent waits for Opswat initialization before sending the HIP report to the GlobalProtect Gateway.
 


Resolution


Workaround:
  1. Disable/enable the GP App.
  2. Refresh the connection on GP App.
  3. Restart/Reboot the PC.
  4. Sometimes, leaving the connection as it is for about 5-10 minutes resolves the problem.
Resolution:
  1. The issue is resolved under GPC-15149.
  2. Upgrade the GlobalProtect agent to a 6.0.4+ or 5.2.13+ release.

