Firewall is losing the HIP report for GlobalProtect users within few minutes after upgrading to PAN-OS version 11.0.4


Created On 05/23/24 00:52 AM - Last Modified 05/24/24 20:58 PM


Symptom


  • The firewall intermittently stops showing the HIP report for GlobalProtect users.
  • Traffic from those users fails to match HIP-based security policy.


Environment


  • Palo Alto NGFW firewalls
  • PAN-OS 11.0.4+
  • GlobalProtect (GP) App
  • HIP-based policy enforcement
  • IP-User mapping


Cause


  • The username mapped to a given IP address changes back and forth because IP-user mappings for that IP are learned from different sources. On PAN-OS 11.0.4+, each username change resets the HIP data for that IP.
  • This can be observed in the GUI under Monitor > Logs > User-ID: filter on the affected IP and the username alternates between sources.
  • The issue is caused by a behavioral change introduced in PAN-OS 11.0.4.
Before PAN-OS 11.0.4:
The same HIP report was reused when another data source changed the username while the IP stayed the same, so HIP matching kept working even when the username was changed by a different source.

PAN-OS 11.0.4+:
This addresses a security concern: a HIP report is no longer reused for a different user seen on the same IP from a different source. As a result, the HIP data is reset upon each username change.


Resolution


  1. Configure an Exclude list for the GlobalProtect IP pool subnet under the Agentless User-ID or Windows-based User-ID agent so that the firewall does not learn IP-user mappings for those addresses from that source.
  2. This keeps the IP-user mapping for GlobalProtect clients always sourced from GlobalProtect.
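As an added example (not part of this KB article), the following Python script runs the check described in the Cause section over a constructed extract of User-ID log records: it lists GlobalProtect pool IPs whose username mapping flaps and the non-GlobalProtect sources involved, i.e. the candidates for the exclude list in step 1. The simplified record format, the pool subnet 10.50.0.0/16 and the source names are assumptions.

```python
# Added example, not from the KB article: flag GlobalProtect pool IPs whose
# User-ID mapping flaps between sources (the condition that resets HIP data).
import ipaddress
from collections import defaultdict

# Constructed sample records in a simplified form of Monitor > Logs > User-ID:
# receive_time,source_ip,user,data_source (real exports carry more fields).
SAMPLE_LOG = """\
2024/05/23 08:00:01,10.50.1.17,corp\\alice,GlobalProtect
2024/05/23 08:00:43,10.50.1.17,corp\\svc-scanner,Windows User-ID Agent
2024/05/23 08:01:10,10.50.1.17,corp\\alice,GlobalProtect
2024/05/23 08:01:55,10.50.1.17,corp\\svc-scanner,Windows User-ID Agent
2024/05/23 08:02:20,10.50.2.5,corp\\bob,GlobalProtect
2024/05/23 08:03:00,192.168.10.9,corp\\carol,Windows User-ID Agent
"""

GP_POOL = ipaddress.ip_network("10.50.0.0/16")  # assumed GP IP pool subnet

def parse_userid_log(text):
    """Parse the simplified CSV into (ip, user, source) tuples, in log order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, ip, user, source = (f.strip() for f in line.split(",", 3))
        events.append((ip, user, source))
    return events

def find_flapping_pool_ips(events, pool=GP_POOL, gp_source="GlobalProtect"):
    """Return {ip: {"user_changes": n, "non_gp_sources": [...]}} for pool IPs
    whose mapping changed user at least once and was also learned from a
    source other than GlobalProtect (candidates for the exclude list)."""
    by_ip = defaultdict(list)
    for ip, user, source in events:
        if ipaddress.ip_address(ip) in pool:
            by_ip[ip].append((user, source))
    result = {}
    for ip, seq in by_ip.items():
        # Each user change resets the HIP report on 11.0.4+, so count transitions.
        changes = sum(1 for a, b in zip(seq, seq[1:]) if a[0] != b[0])
        non_gp = sorted({src for _, src in seq if src != gp_source})
        if changes and non_gp:
            result[ip] = {"user_changes": changes, "non_gp_sources": non_gp}
    return result

if __name__ == "__main__":
    for ip, info in find_flapping_pool_ips(parse_userid_log(SAMPLE_LOG)).items():
        print(f"{ip}: {info['user_changes']} user change(s) via {info['non_gp_sources']}")
```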

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000scGPCAY&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail