One of the changes in ClearPass 6.6.7 was to send a timeout value of 0 to Palo Alto firewalls to ensure that IP-user-mappings does not expire. We upgraded to 6.6.7 a few weeks ago, but we cannot see any change in the behaviour. When I check the XMP-API entries in our Palo Alto firewall I still see a timeout value of 2700 seconds (default value on the Palo Alto), and I see no timeout value being sent in the postauthctrl log files. We are running PAN-OS version 7.1.10. However, when we check with our VAR who have the same setup as us except they run PAN-OS version 8, they see timeout values being sent from their ClearPass.
Their postauthctrl entries look like this:
<entry name="username" ip="10.x.x.x" timeout="0"/>
Ours look like this:
<entry name="username" ip="10.x.x.x"/>
In the relase notes for 6.6.7 it says that the timeout value change is for PAN-OS version 7.1.5+
Has anyone else seen this? I have opened a TAC case.