Palo Alto: HIP Policy Check Failing Gradually

This issue occurred as part of PAN-148676, which was reported to be fixed in 8.1.16, 9.1.10, and 9.1.4.

An issue was investigated recently where HIP policy checks began failing for more and more users over a period of time when connecting via GlobalProtect. It was initially thought that an unknown change was gradually being pushed out to user devices; it turns out that was wrong!

As part of troubleshooting, the firewall was rebooted; however, it did not come back online cleanly. The HA agent kept exiting, the cdb process kept failing to start, and all the data plane interfaces were reporting as down. It really looked like the firewall had got itself into a bit of a mess.

A second reboot did not help. Eventually, some poking and Google searching led to checking the disk space usage, logging on to the CLI with local credentials to do so, since external authentication was also not working as expected!

The command to check the disk space within the command line interface was:

show system disk-space

/dev/sda8              XG   XG     0 100% /opt/panlogs

When you think of logs, you assume that a full partition of log files shouldn't really be a big deal; it turns out that assumption is pretty incorrect!

Log files were cleared down using the command clear log acc, which managed to free up around 10-15% of space. The firewall was rebooted shortly thereafter and luckily everything came back online as normal.
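A full /opt/panlogs partition can be caught before it takes HIP checks and authentication down with it. The following is an added example, not part of the original post: a small Python check that parses saved disk space output and flags partitions over a threshold. The sample output is constructed, the 80% and 95% thresholds are assumptions, and collecting the output from the firewall is left out.

```python
import re

# Constructed sample in the df-style layout of the disk space output.
# Sizes and device names are made up; one long device name wraps onto
# a second line, which df-style output does and naive parsers miss.
SAMPLE_OUTPUT = """\
Filesystem      Size  Used Avail Use% Mounted on
/dev/root       3.8G  1.9G  1.8G  52% /
/dev/mapper/constructed-long-name
                7.6G  6.9G  0.7G  91% /opt/pancfg
/dev/sda8        16G   16G     0 100% /opt/panlogs
"""

ROW = re.compile(
    r"^(?P<dev>\S+)\s+(?P<size>\S+)\s+(?P<used>\S+)\s+(?P<avail>\S+)"
    r"\s+(?P<pct>\d+)%\s+(?P<mount>/\S*)$"
)

def parse_disk_space(text):
    """Return one dict per filesystem row, rejoining wrapped rows."""
    rows, pending = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Filesystem"):
            continue
        if pending is not None:          # second half of a wrapped row
            line, pending = pending + " " + line, None
        match = ROW.match(line)
        if match:
            row = match.groupdict()
            row["pct"] = int(row["pct"])
            rows.append(row)
        elif len(line.split()) == 1:     # device name alone on its line
            pending = line
    return rows

def check(text, warn=80, crit=95):
    """Return (level, mount, pct) for partitions at or above warn, fullest first."""
    findings = []
    for row in parse_disk_space(text):
        if row["pct"] >= warn:
            level = "CRITICAL" if row["pct"] >= crit else "WARNING"
            findings.append((level, row["mount"], row["pct"]))
    return sorted(findings, key=lambda f: -f[2])

if __name__ == "__main__":
    for level, mount, pct in check(SAMPLE_OUTPUT):
        print(f"{level}: {mount} is {pct}% full")
```
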
