HIP Report Redistribution

To ensure consistent Host Information Profile (HIP) policy enforcement and to simplify policy management, the HIP Report Redistribution feature enables you to distribute HIP reports received from the GlobalProtect app—and sent to an internal or external GlobalProtect gateway—to other gateways, firewalls, Dedicated Log Collectors (DLC), and Panorama appliances in the enterprise.
Use HIP report redistribution in the following use cases:
  • You want to apply consistent policies to both internal and external GlobalProtect gateways. Previously, you could use only internal gateways to enforce HIP rules for traffic coming from external gateways and had to configure the internal gateways with exception policies to not enforce HIP rules for traffic coming from external gateways; or you could duplicate every HIP profile and policy of every internal gateway on every external gateway to consistently enforce HIP policies.
  • You want to apply consistent HIP policies for traffic for a specific user that goes through multiple firewalls. Previously, you could only configure each internal gateway to receive a HIP report from each individual endpoint, which caused delays and excessive traffic load on the firewall.
  • You have a distributed enterprise deployment (for example, a retail store with many locations) and you want to use the data center gateways more efficiently.
    Users access the internal network from multiple gateways and, at each entry point, the gateway runs HIP and User-ID-based policies. After the users enter the internal network, they access applications in the data center. However, to enforce user and HIP-based policies, you need to configure every data center firewall as an internal GlobalProtect gateway.
    After you enable HIP report redistribution, you need to configure only the entry points as internal gateways—you do not need to configure the data center firewalls as internal gateways—to enforce policies based on User-ID and host information.
Use the same firewall and gateway deployment scheme for HIP report redistribution as you do for User-ID redistribution. See Firewall Deployment for User-ID Redistribution for recommendations and best practices.
Use the following workflow to configure HIP report redistribution:
  1. Configure HIP-Based Policy Enforcement for your gateways and firewalls.
  2. Configure HIP report redistribution.
    1. Select Device > User Identification > User-ID Agents.
    2. Select an existing or Add a new User-ID agent.
      The agent must be a Palo Alto Networks next-generation firewall, a GlobalProtect gateway, a DLC, or a Panorama appliance.
    3. Select HIP Report.
    4. Click OK.
  3. Redistribute the HIP reports to your managed Panorama appliances, gateways, firewalls, and virtual systems using the same workflow you use to Redistribute User-ID Information to Managed Firewalls.
