Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass 6.6.7 not sending timeout value to Palo Alto

  • 1.  ClearPass 6.6.7 not sending timeout value to Palo Alto

    Posted Sep 19, 2017 04:55 AM

    One of the changes in ClearPass 6.6.7 was to send a timeout value of 0 to Palo Alto firewalls to ensure that IP-user-mappings do not expire. We upgraded to 6.6.7 a few weeks ago, but we cannot see any change in the behaviour. When I check the XML-API entries in our Palo Alto firewall I still see a timeout value of 2700 seconds (default value on the Palo Alto), and I see no timeout value being sent in the postauthctrl log files. We are running PAN-OS version 7.1.10. However, when we check with our VAR, who have the same setup as us except they run PAN-OS version 8, they see timeout values being sent from their ClearPass.

     

    Their postauthctrl entries look like this:

     

    <entry name="username" ip="10.x.x.x" timeout="0"/>

     

    Ours look like this:

     

    <entry name="username" ip="10.x.x.x"/>

     

    In the release notes for 6.6.7 it says that the timeout value change is for PAN-OS version 7.1.5+.

     

    Has anyone else seen this? I have opened a TAC case.
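Added example, not part of the original post and not ClearPass or PAN-OS tooling: a short Python check that scans postauthctrl-style log lines for the `<entry>` elements quoted above and reports which ones lack a `timeout` attribute. Only the `<entry name=... ip=... timeout=.../>` shape comes from the thread; the surrounding log-line layout, user names and addresses are constructed sample data.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Matches the self-closing <entry .../> element shown in the post, wherever it
# sits inside a longer log line.
ENTRY_RE = re.compile(r"<entry\b[^>]*/>")


def classify_entries(lines):
    """Return (counts, missing) for every <entry/> found in the given lines.

    counts  -- Counter keyed by 'timeout=<value>', 'no-timeout' or 'unparseable'
    missing -- list of (line_number, name, ip) for entries without a timeout
    """
    counts, missing = Counter(), []
    for lineno, line in enumerate(lines, start=1):
        for fragment in ENTRY_RE.findall(line):
            try:
                entry = ET.fromstring(fragment)
            except ET.ParseError:
                counts["unparseable"] += 1
                continue
            timeout = entry.get("timeout")
            if timeout is None:
                # No attribute sent: the receiver falls back to its own default.
                counts["no-timeout"] += 1
                missing.append((lineno, entry.get("name"), entry.get("ip")))
            else:
                counts[f"timeout={timeout}"] += 1
    return counts, missing


# Constructed sample: timestamps, message text, names and IPs are invented.
SAMPLE_LOG = """\
2017-09-19 04:40:01 INFO sending <entry name="alice" ip="10.0.0.11"/>
2017-09-19 04:40:02 INFO sending <entry name="bob" ip="10.0.0.12" timeout="0"/>
2017-09-19 04:40:03 INFO no mapping update needed
2017-09-19 04:40:04 INFO sending <entry name="carol" ip="10.0.0.13"/>
""".splitlines()

if __name__ == "__main__":
    counts, missing = classify_entries(SAMPLE_LOG)
    print(dict(counts))
    for lineno, name, ip in missing:
        print(f"line {lineno}: {name} ({ip}) sent without timeout")
```

Running the same function over a log captured before and after an upgrade shows at a glance whether the `timeout` attribute has started appearing.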



  • 2.  RE: ClearPass 6.6.7 not sending timeout value to Palo Alto

    Posted Sep 19, 2017 11:45 AM

    I'm seeing the same thing you are, I don't see a timeout value being sent (from the CPPM logs). Let us know what TAC says. 

     

    However, our PAN updates seem to have completely broken right now, we upgraded our Panorama to 8.0.4 last week, and now our CPPM updates don't seem to be getting to the firewalls (which are still on 7.1.x). We send updates to Panorama, not directly to the firewalls. I have a case open with PAN to see if it's on their side.



  • 3.  RE: ClearPass 6.6.7 not sending timeout value to Palo Alto

    Posted Sep 19, 2017 03:30 PM


  • 4.  RE: ClearPass 6.6.7 not sending timeout value to Palo Alto

    Posted Sep 20, 2017 03:04 AM

    Reply from TAC is that it has been filed as a bug. I am waiting for the defect number.



  • 5.  RE: ClearPass 6.6.7 not sending timeout value to Palo Alto

    Posted Sep 25, 2017 04:16 AM

    Bug number is 42300



  • 6.  RE: ClearPass 6.6.7 not sending timeout value to Palo Alto

    Posted Nov 01, 2017 03:36 AM

    TAC has now told me that it is confirmed as a bug and will be fixed in ClearPass version 6.7, which is scheduled for release in December.