Troubleshoot HIP Issues

Steps to troubleshoot whether a HIP issue is on the GlobalProtect client side or on the server side.
Where Can I Use This? / What Do I Need?
  • Prisma Access
  • GlobalProtect Subscription
  • Prisma Access Mobile Users license (for use with Prisma Access)
  • GlobalProtect Gateway license
HIP issues usually occur when the GlobalProtect app endpoint posture evaluation (products installed, custom checks, encryption and backup settings, and more) doesn't match the expected HIP objects and profiles, causing the traffic coming from the GlobalProtect client to match unexpected security policies. HIP issues also occur when vendors are not supported by the OPSWAT module used by the GlobalProtect app for HIP. When the GlobalProtect app evaluation does not match HIP on the GlobalProtect gateway side, end users experience restricted or no access based on the configured security policy. HIP issues are most often on the client side, such as the OPSWAT module not evaluating some product or version properly. Issues on the GlobalProtect gateway side are mainly misconfigured HIP objects and profiles, or problems with HIP redistribution.
Use the following steps to identify or narrow down whether a HIP issue is on the GlobalProtect client side or on the firewall or GlobalProtect Gateway side.
  1. Ensure that the GlobalProtect app has no issue with identifying the specific HIP attributes or software, such as: firewall, anti-malware, and more.
    Using anti-malware as an example, each GlobalProtect app version has a fixed OPSWAT database. If a new anti-malware product or version is released, the currently installed GlobalProtect app might not be able to detect it or, in some cases, may have reduced detection functionality. Refer to the OPSWAT chart of supported products to verify if a new anti-malware product is supported. If it's supported but not being detected, you can try installing the latest GlobalProtect app.
    1. From the GlobalProtect app, select Settings > Host Information Profile.
    2. Check the exact HIP category.
    3. If the anti-malware product is unidentified, try installing a new version of the GlobalProtect app that contains an updated OPSWAT database version, if available. You can also check the GlobalProtect app release notes. When the GlobalProtect app is updated, the release notes for the new version list the anti-malware products for which OPSWAT detection capability is updated or fixed based on issues reported by customers.
  2. Ensure that the GlobalProtect app has sent the HIP report with the endpoint posture information.
    1. Verify if the GlobalProtect app passed the report to the GlobalProtect gateway firewall after connecting successfully.
      • If the HIP process gets stuck on the GlobalProtect app, it can eventually cause the app to disconnect due to Idle Timeout expiry if the PAN-OS version is 10.0 or below (which should be refreshed on each hipreportcheck.esp message).
      • Sometimes a delay in completing the HIP report comes from evaluating Missing Patches (PanGpHipMp) as this process is time consuming. Keep in mind that a partial HIP report is sent after the configured “Max Wait Time” (default 20s), and the full report is sent after it's ready.
  3. Ensure that the gateway or firewall has received the HIP report.
    1. Verify if the HIP report exchange happened by checking Monitor > Logs > GlobalProtect on the gateway. If yes, you can also verify the following:
      • Check for corresponding HIP objects and profiles matched from Monitor > Logs > HIP.
      • Select the magnifying glass on each object or profile to see the full report.
    2. If you are a Prisma Access customer, logs are forwarded by default to CDL. View the logs in the embedded Log Viewer in the SASE platform or the embedded Explore in CDL. Further details about Explore.
    3. If you are an NGFW customer, verify if the firewall received the HIP report from the GlobalProtect app by running the following commands from the firewall:
      The following example provides details on the computer name (PAN00965), HIP profile name (Hip-Profile) matching condition, user (admin), and allocated IP address (172.24.10.1). The user name format could be different (email address, username, netbios\username). If you don't type the correct user name format, the output will be empty. In the output, look for the HIP profiles configured for the PC PAN00965.
      > show user hip-report computer PAN00965 user admin ip 172.24.10.1
      <?xml version="1.0" encoding="UTF-8"?>
      <hip-report>
        <user-name>admin</user-name>
        <host-name>PAN00965</host-name>
        <ip-address>172.24.10.1</ip-address>
        <generate-time>10/29/2012 16:51:17</generate-time>
        <categories>
          <entry name="host-info">
            <client-version>1.1.7-11</client-version>
            <os>Microsoft Windows 7 Enterprise Edition Service Pack 1, 32-bit</os>
            <os-vendor>Microsoft</os-vendor>
            <host-name>PAN00965</host-name>
            <network-interface>
              <entry name="{7383A4FF-0140-4E4C-B70F-0D30438851C9}">
                <description>PANGP Virtual Ethernet Adapter</description>
                <mac-address>02-50-41-00-00-01</mac-address>
                <ip-address>
                  <entry name="172.24.10.1"/>
                </ip-address>
              </entry>
          <entry name="firewall">
            <list>
              <entry>
                <ProductInfo>
                  <Prod name="Microsoft Windows Firewall" version="7" vendor="Microsoft Corp.">
                  </Prod>
                  <is-enabled>yes</is-enabled>
                </ProductInfo>
              </entry>
            </list>
          </entry>
          <entry name="disk-backup">
            <list>
              <entry>
                <ProductInfo>
    4. If there is a delay in the GlobalProtect app sending the HIP report, the gateway will use the cache file (hip_report_base) until the new report is sent and policies are processed based on the new report.
    If you don't see the report on the firewall after the max wait time, or the information in Monitor > Logs > GlobalProtect, check the GlobalProtect app logs to see if the app tried to send the HIP report. Selecting Refresh Connection on the client might help if anything got stuck, but will not determine the reason for the failure.
  4. Ensure that the GlobalProtect app end user is matching the correct HIP profile based on the HIP report submitted.
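
The client-side versus gateway-side decision in the steps above comes down to what the HIP report actually contains. The following Python sketch is an added example, not Palo Alto Networks code: it parses saved `show user hip-report` XML and classifies each required category as detected and enabled, detected but disabled, or not detected. The sample report is constructed in the shape of the output in step 3; the `anti-malware` category name and the function names are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the output shown in step 3 (not real firewall output).
SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<hip-report>
  <user-name>admin</user-name>
  <host-name>PAN00965</host-name>
  <ip-address>172.24.10.1</ip-address>
  <categories>
    <entry name="host-info">
      <client-version>1.1.7-11</client-version>
    </entry>
    <entry name="firewall">
      <list><entry><ProductInfo>
        <Prod name="Microsoft Windows Firewall" version="7" vendor="Microsoft Corp."></Prod>
        <is-enabled>yes</is-enabled>
      </ProductInfo></entry></list>
    </entry>
    <entry name="disk-backup"><list/></entry>
  </categories>
</hip-report>"""

def summarize(xml_text):
    """Return {category: [(product, version, enabled), ...]} from a HIP report."""
    root = ET.fromstring(xml_text.strip())
    categories = {}
    for cat in root.findall("./categories/entry"):
        products = []
        for info in cat.findall("./list/entry/ProductInfo"):
            prod = info.find("Prod")
            if prod is not None:
                products.append((prod.get("name"), prod.get("version"),
                                 info.findtext("is-enabled", "unknown")))
        categories[cat.get("name")] = products
    return categories

def triage(xml_text, required):
    """Classify each required category so the next check is obvious."""
    categories = summarize(xml_text)
    result = {}
    for name in required:
        products = categories.get(name)
        if not products:
            # Client side: product missing from the report (OPSWAT support, app version).
            result[name] = "not-detected"
        elif not any(p[2] == "yes" for p in products):
            result[name] = "detected-disabled"
        else:
            # Report is good: review HIP objects and profiles on the gateway.
            result[name] = "detected-enabled"
    return result

if __name__ == "__main__":
    print(triage(SAMPLE_REPORT, ["firewall", "disk-backup", "anti-malware"]))
```

A category that comes back `not-detected` points to the client-side checks in step 1; `detected-enabled` with an unexpected policy match points to the HIP objects and profiles on the gateway.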