GP App initially submits the HIP Report after establishing the tunnel but stops sending HIP Report Checks after some time (e.g., 24 hours) while the tunnel remains connected
Symptom
- GP App establishes a VPN tunnel and successfully sends the HIP Report Check and the HIP Report to the gateway
- However, after some time (e.g., 24 hours) the GP App fails to send the HIP Report Check while the tunnel remains up. Depending on the GP Gateway's security policies, PanGPS.log shows one of the following errors for the HIP Report Check failure, for example:
connect failed with 5 seconds timeout (when the GP Gateway does not allow the TCP connection)
SSL_read() failed: 5 -1 socket error 10054 (when the GP Gateway does not allow web-browsing or SSL/TLS connections)
SSL_read() no data, closed. error=error:00000005:lib(0):func(0):DH lib (when the GP Gateway allows the TLS connection but does not return an HTTP response, for example because of unexpected routing or NAT)
- The GP Gateway's Monitor Log > GlobalProtect Logs show no gateway-hip-check or gateway-hip-report events during the time of the failures
- The GP Gateway shows no Traffic Log entries from the client's public IP address to the Gateway IP address
- GP Portal Config Refresh is configured for 24 hours
- Split-tunneling with Include Domain is configured for the company's domain with a wildcard (e.g., *companydomain.com), and the GP Portal and Gateway FQDN is part of the company domain (e.g., gp.companydomain.com) but is not listed in the Exclude Domain
Environment
GP App
PAN-OS
Domain-based Split Tunneling is configured
Cause
When domain-based split-tunneling is configured with a wildcard company-domain entry in the Include Domain (e.g., *companydomain.com) and the GP Portal and Gateway FQDN is part of that domain (e.g., gp.companydomain.com) but is not listed in the Exclude Domain, the HIP Report Checks start failing after the client system sends a DNS query for the GP Portal or Gateway FQDN. The Split Tunnel filter driver matches the resolved name against the Include Domain and binds the Portal/Gateway's resolved IP address to the GP NIC tunnel adapter.
As a result, subsequent HIP Report Checks from the GP App are sourced from the GP NIC's IP address and travel through the tunnel to the GP Gateway, instead of being sourced from the physical adapter and reaching the GP Gateway over the Internet.
The GP Gateway's security policies may not allow connections from the GP NIC's source IP address to the GP Gateway's destination address, so the HIP Report Check connections fail. This is also why the Gateway shows no Traffic Log entries from the client's public IP address during the failures: the checks never leave the tunnel.
NOTE: Any action that sends a DNS query for the GP Portal/Gateway address can trigger the issue, for example the end user opening the Portal/Gateway address in a web browser, pinging it, running nslookup against it, or the GP App performing its Portal Config Refresh after 24 hours. In each case the Split-tunneling driver can bind the resolved IP address to the GP NIC because the name matches the Include Domain.
Resolution
Add the GP Portal and Gateway addresses to the Exclude Domain list under the Domain and App-based split-tunneling configuration so that the HIP Report Check and HIP Report TLS connections are sourced from the physical adapter and reach the GP Gateway over the Internet, as they do right after the tunnel is established. After the change, PanGPS.log should no longer show the HIP Report Check errors above, and the Gateway's GlobalProtect Logs should again show gateway-hip-check and gateway-hip-report events for the client.
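The following Python model is an added example, not code from the original article or from Palo Alto Networks. It replays the timeline described in the Cause section (a HIP Report Check that works right after tunnel establishment, then a DNS query for the Gateway FQDN, then a HIP Report Check that goes into the tunnel) against the broken configuration and against the Resolution, and provides a lint function that reports which Portal/Gateway FQDNs a given Include/Exclude list would pull into the tunnel. The matching rules are assumptions, not documented PAN-OS behaviour: a wildcard entry such as *companydomain.com is taken to match the domain and any subdomain of it, an exact entry matches only that FQDN, an Exclude Domain match wins over an Include Domain match, and a destination IP is bound to the GP NIC only when a DNS response for an included name is seen while the tunnel is up. The gateway IP 203.0.113.10 and the FQDN gp.companydomain.com are constructed sample values.

```python
"""Model of the domain-based split-tunnel behaviour described in the article.

Added example, not code from the original KB article or from Palo Alto Networks.
Assumed (not stated in the article): '*suffix' matches suffix and any subdomain of
it, exact entries match only themselves, Exclude wins over Include, and an IP is
bound to the GP NIC only when a DNS response for an included FQDN is seen while the
tunnel is up. 203.0.113.10 / gp.companydomain.com are constructed sample values.
"""
from dataclasses import dataclass, field

PHYSICAL = "physical adapter (via Internet)"
GP_NIC = "GP NIC (via tunnel)"


@dataclass(frozen=True)
class SplitTunnelConfig:
    """Domain and App-based split tunnel lists as configured on the GP Portal."""
    include_domains: tuple[str, ...]
    exclude_domains: tuple[str, ...] = ()


def domain_entry_matches(entry: str, fqdn: str) -> bool:
    """Assumed rule: '*companydomain.com' matches companydomain.com and any label below it."""
    entry, fqdn = entry.lower().rstrip("."), fqdn.lower().rstrip(".")
    if entry.startswith("*"):
        suffix = entry[1:].lstrip(".")
        return fqdn == suffix or fqdn.endswith("." + suffix)
    return fqdn == entry


def route_for(cfg: SplitTunnelConfig, fqdn: str) -> str:
    """Adapter used for traffic to fqdn: Exclude wins, then Include, else physical."""
    if any(domain_entry_matches(e, fqdn) for e in cfg.exclude_domains):
        return PHYSICAL
    if any(domain_entry_matches(e, fqdn) for e in cfg.include_domains):
        return GP_NIC
    return PHYSICAL


@dataclass
class SplitTunnelDriver:
    """Minimal model of the filter driver: binds resolved IPs of included names to the GP NIC."""
    cfg: SplitTunnelConfig
    bound_to_tunnel: set[str] = field(default_factory=set)

    def on_dns_response(self, fqdn: str, ip: str) -> None:
        if route_for(self.cfg, fqdn) == GP_NIC:
            self.bound_to_tunnel.add(ip)

    def source_for(self, dest_ip: str) -> str:
        return GP_NIC if dest_ip in self.bound_to_tunnel else PHYSICAL


def simulate_hip_checks(cfg: SplitTunnelConfig, gateway_fqdn: str, gateway_ip: str) -> list[str]:
    """Source adapter of two HIP Report Checks: one right after tunnel establishment,
    one after a DNS query for the Gateway FQDN (nslookup, browser, ping, or the
    24-hour Portal Config Refresh)."""
    driver = SplitTunnelDriver(cfg)
    first = driver.source_for(gateway_ip)               # no DNS seen yet while tunnel is up
    driver.on_dns_response(gateway_fqdn, gateway_ip)    # e.g. Portal Config Refresh after 24h
    second = driver.source_for(gateway_ip)
    return [first, second]


def lint_gp_fqdns(cfg: SplitTunnelConfig, gp_fqdns: list[str]) -> list[str]:
    """Portal/Gateway FQDNs that this config would pull into the tunnel (should be empty)."""
    return [f for f in gp_fqdns if route_for(cfg, f) == GP_NIC]


# Misconfiguration from the article: wildcard Include, Portal/Gateway not excluded.
BROKEN = SplitTunnelConfig(include_domains=("*companydomain.com",))
# Resolution: add the GP Portal and Gateway addresses to the Exclude Domain list.
FIXED = SplitTunnelConfig(include_domains=("*companydomain.com",),
                          exclude_domains=("gp.companydomain.com",))

if __name__ == "__main__":
    gw, ip = "gp.companydomain.com", "203.0.113.10"   # constructed sample values
    print("broken:", simulate_hip_checks(BROKEN, gw, ip))
    print("fixed: ", simulate_hip_checks(FIXED, gw, ip))
    print("lint broken:", lint_gp_fqdns(BROKEN, [gw]))
    print("lint fixed: ", lint_gp_fqdns(FIXED, [gw]))
```

Run the lint against every Portal and Gateway FQDN in the deployment, not only the one the client connected to: any name it returns is a candidate for the Exclude Domain list, while internal names such as intranet.companydomain.com should still resolve to the GP NIC under the fixed configuration.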