>
    Strata Copilot
    Configure HIP Redistribution in Prisma Access
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma Access
    3. Prisma Access Administration
    4. Prisma Access Advanced Deployments
    5. Prisma Access Mobile Users—GlobalProtect Advanced Deployments
    6. Redistribute HIP Information with Prisma Access
    7. Configure HIP Redistribution in Prisma Access
    Download PDF
    Prisma Access

    Configure HIP Redistribution in Prisma Access

    Table of Contents

    Configure HIP Redistribution in Prisma Access

    How to configure HIP redistribution in a Prisma Access (Managed by Panorama) deployment.
    Where Can I Use This?What Do I Need?
    • Prisma Access (Managed by Strata Cloud Manager)
    • Prisma Access (Managed by Panorama)
    • Prisma Access license
    When a mobile user whose endpoint has the GlobalProtect app installed connects to Prisma Access, Prisma Access collects the user’s HIP information from the endpoint’s GlobalProtect app, which makes the HIP report available in Prisma Access.
    To use HIP redistribution, users must have the GlobalProtect app installed on their endpoint. While Prisma Access supports Clientless VPN, you can't redistribute HIP information for Clientless VPN users.
    HIP redistribution is applicable to both mobile users and users at remote networks. However, for users at remote networks, an on-premises gateway must detect that the user is internal to the organization’s network using internal host detection before the on-premises gateway can send HIP information to Prisma Access.
    In Prisma Access, you configure internal host detection when you configure your mobile user deployment.
    To assure consistent policy enforcement, you can use HIP redistribution to allow Prisma Access to distribute users’ HIP information to other Panorama appliances, gateways, firewalls, and virtual systems in your deployment, as well as distribute HIP information from those devices to Prisma Access in some cases. This ability allows you to consistently apply HIP-based policy enforcement for users’ traffic, including policies for internet-bound traffic or for traffic that is accessing an internal application or resource in your organization’s headquarters or data center. Redistributing HIP information to the Panorama appliance also lets you view detailed HIP information for Prisma Access users from that appliance.
    Keep in mind that GlobalProtect internal and external gateways don't support bi-directional HIP redistribution. Therefore, the best practice is to use your Panorama appliance as your redistribution point. In this deployment, you would configure your internal and external gateways to send the HIP reports to Panorama and have Panorama forward them on to your firewalls for consistent policy enforcement across your environment.

    Configure HIP Redistribution in Prisma Access (Strata Cloud Manager)

    Learn how to redistribute HIP information.
    HIP report redistribution is enabled by default in Strata Cloud Manager. To view the redistribution details or to disable redistribution, follow the steps below.
    1. In Strata Cloud Manager, view the redistribution diagram and, if required, edit it in Strata Cloud Manager by going to ConfigurationNGFW and Prisma AccessIdentity ServicesIdentity Redistribution and setting the Configuration Scope to Prisma Access.
    2. (Optional) Change the mobile user-to-service connection redistribution and the remote networks-to-service connection redistribution by clicking Edit to edit the default changes.
      HIP and User-ID-to-IP address redistribution are enabled by default.
      The changes you make here apply to both mobile user-to-service connection and remote network-to-service connection redistribution.
      Be sure not to configure any redistribution loops. For example, the service connection redistributes quarantined device information to the mobile users; if you configure quarantine list information to be sent from mobile users to service connections; you introduce a loop that could cause memory issues and slowness in the Prisma Access infrastructure.
    3. (Optional) Change the service connection-to-mobile user redistribution, by clicking Edit to edit the default changes; then, clicking Edit to add or remove the Quarantined Device List information redistribution.
      Note that the Configuration Scope changes to Mobile Users Networks.
    4. Optional) To change the service connection-to-remote network redistribution; click Edit to edit the default changes; then, clicking Edit to add or remove the HIP (Host Information Profile) or IP to Users information redistribution. Quarantine List redistribution is not available to redistribute for mobile users.
      Note that the Configuration Scope changes to Remote Networks.

    Configure HIP Redistribution in Prisma Access (Panorama)

    Learn how to redistribute HIP information.
    To allow Prisma Access to collect and redistribute HIP information, complete the following task.
    1. Allow Prisma Access to redistribute HIP information.
      1. In Panorama, select PanoramaCloud ServicesConfigurationService Setup.
      2. Click the gear icon to edit the settings.
      3. In the Advanced tab, select Enable HIP Redistribution.
        Enabling HIP Redistribution enables Prisma Access to redistribute the HIP reports received from the GlobalProtect app to internal firewalls and to Panorama.
    2. Configure Panorama to receive HIP reports from Prisma Access.
      1. Select PanoramaSetupInterfaces.
      2. Select the Management interface.
      3. Select User-ID.
    3. Configure Panorama to collect the User-ID mapping from Prisma Access.
      1. From the Panorama that manages Prisma Access, select PanoramaData RedistributionAgents.
      2. Add a User-ID Agent and give it a Name.
      3. Enter one of the following values in the Host field, depending on the types of HIP information you want to collect.
        • To collect HIP information for mobile users, enter the User-ID Agent Address (PanoramaCloud ServicesStatusNetwork DetailsService ConnectionUser-ID Agent Address).
        • To collect HIP information from users at a remote network locations with an internal gateway, enter the IP address of the internal gateway.
        • To collect HIP information from users are a remote network connection, enter the EBGP Router address (PanoramaCloud ServicesStatusNetwork DetailsRemote NetworksEBGP Router as the User-ID host.
      4. Enter 5007 in the port field.
        By default, the User-ID agent uses port 5007 to listen for HIP information requests.
        Make sure that your network does not block access to this port between Prisma Access and the Active Directory server or User-ID Agent.
      5. Select Enabled to enable Panorama to communicate with the User-ID agent.
      6. Select IP User Mappings and HIP to enable Panorama to receive IP address-to-username mappings and GlobalProtect HIP data from all mobile user locations.
      7. Click OK.
    4. Repeat Step 3 for each service connection to which you want to configure HIP report collection.

    © 2026 Palo Alto Networks, Inc. All rights reserved.