The HIP ('Host Integrity Protection') mechanism is a security scanner for the Palo Alto Networks GlobalProtect VPNs, in the same vein as Cisco's CSD and Juniper's Host Checker (tncc.jar).
It is somewhat less intrusive than CSD or TNCC, because it does not appear to work by downloading a trojan binary from the VPN server. Instead, it runs a HIP report generator (built in as part of the official GlobalProtect VPN client software), which generates a "HIP report" XML file.
HIP flow used in the official clients:
If all goes well, the client should have the expected level of access to resources on the network after these steps are complete. However, two things can go wrong:
OpenConnect supports HIP report generation and submission by passing the --csd-wrapper=SCRIPT argument with a shell script to generate a HIP report in the format expected by the server. This shell script must output the HIP report to standard output and exit successfully (status code 0). The HIP script is called with the following command-line arguments:
--cookie: a URL-encoded string, as output by openconnect --authenticate --protocol=gp, which includes parameters from the /ssl-vpn/login.esp response
--client-ip{,v6}: IPv4/6 addresses allocated by the GlobalProtect VPN for this client (included in the /ssl-vpn/getconfig.esp response)
--md5: the md5 digest to encode into this HIP report. All that really matters is that the value in the HIP report submission should match the value in the HIP report check.
Two example scripts are included in the OpenConnect distribution, in the trojans/ subdirectory: hipreport.sh (which reproduces the behavior of a GlobalProtect Windows client) and hipreport-android.sh (a report with minimal contents suitable for use on an Android device).
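A minimal HIP report generator written against the --csd-wrapper interface described above, as an added example that is not one of the scripts shipped in OpenConnect's trojans/ directory. It assumes OpenConnect passes each option as an option/value pair (--md5 VALUE), pulls the user, domain and computer fields out of the cookie, and escapes them before placing them in the XML; the element names are an assumption modelled on the official client's report layout, not a verbatim copy of it.

```shell
#!/bin/sh
# Minimal HIP report generator for openconnect --csd-wrapper; an added example, not an
# OpenConnect trojans/ script. Element names are assumptions modelled on the official client.

# OpenConnect passes option/value pairs (--md5 VALUE); unknown options are
# skipped so an extra option from a newer OpenConnect cannot break the parse.
hip_parse_args() {
    COOKIE='' CLIENT_IP='' CLIENT_IPV6='' MD5=''
    while [ $# -ge 2 ]; do
        case "$1" in
            --cookie)      COOKIE=$2 ;;
            --client-ip)   CLIENT_IP=$2 ;;
            --client-ipv6) CLIENT_IPV6=$2 ;;
            --md5)         MD5=$2 ;;
        esac
        shift 2
    done
}

# One field (user, domain, computer) from the cookie; the leading & stops partial key matches.
hip_cookie_field() {
    _rest="&$1&"
    case "$_rest" in
        *"&$2="*) _val=${_rest#*"&$2="}; printf '%s' "${_val%%&*}" ;;
    esac
}

# Cookie fields land inside XML: escape them rather than trust them.
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
}

# $1 md5 (must equal the value from the HIP check), $2 IPv4, $3 IPv6, $4 cookie.
hip_report() {
    cat <<EOF
<hip-report name="hip-report">
  <md5-sum>$(xml_escape "$1")</md5-sum>
  <user-name>$(xml_escape "$(hip_cookie_field "$4" user)")</user-name>
  <domain>$(xml_escape "$(hip_cookie_field "$4" domain)")</domain>
  <host-name>$(xml_escape "$(hip_cookie_field "$4" computer)")</host-name>
  <ip-address>$(xml_escape "$2")</ip-address>
  <ipv6-address>$(xml_escape "$3")</ipv6-address>
  <generate-time>$(date -u '+%m/%d/%Y %H:%M:%S')</generate-time>
  <categories><entry name="host-info"><os>Linux</os></entry></categories>
</hip-report>
EOF
}

hip_parse_args "$@"
hip_report "$MD5" "$CLIENT_IP" "$CLIENT_IPV6" "$COOKIE"
```

The report goes to standard output and the script exits 0, which is all OpenConnect requires; whether the gateway accepts it depends on the categories it expects, which is where the PanGPS.log capture described below comes in.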
Depending on how picky your GlobalProtect VPN is, it may be necessary to spoof or alter some of the parameters of the HIP report to match the output of one of the official clients. In order to capture the contents of the official Windows client's HIP reports, enable the highest logging level for the "PanGPS Service", and then sift through the giant PanGPS.log file (which should be in the same directory as the executables, normally c:\Program Files\PaloAlto Networks\GlobalProtect) to find the HIP report submission.