AFK
Contributor II

ClearPass 6.6.7 not sending timeout value to Palo Alto

One of the changes in ClearPass 6.6.7 was to send a timeout value of 0 to Palo Alto firewalls to ensure that IP-user-mappings do not expire. We upgraded to 6.6.7 a few weeks ago, but we cannot see any change in the behaviour. When I check the XML-API entries in our Palo Alto firewall I still see a timeout value of 2700 seconds (default value on the Palo Alto), and I see no timeout value being sent in the postauthctrl log files. We are running PAN-OS version 7.1.10. However, when we check with our VAR, who have the same setup as us except they run PAN-OS version 8, they see timeout values being sent from their ClearPass.

Their postauthctrl entries look like this:

<entry name="username" ip="10.x.x.x" timeout="0"/>

Ours look like this:

<entry name="username" ip="10.x.x.x"/>

In the release notes for 6.6.7 it says that the timeout value change is for PAN-OS version 7.1.5+.

Has anyone else seen this? I have opened a TAC case.
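The manual check described in the post above can be scripted. This is an added example, not part of the original post and not ClearPass or Palo Alto code: it scans log text for <entry .../> elements of the form quoted above and counts how many carry timeout="0", another timeout, or no timeout attribute. The function names, the sample log lines and their line prefixes are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Matches self-closing <entry .../> elements like the ones quoted in the post.
ENTRY_RE = re.compile(r"<entry\b[^<>]*/>")

def audit_entries(log_text):
    """Split <entry> elements into those with and without a timeout attribute."""
    sent, missing, malformed = [], [], 0
    for fragment in ENTRY_RE.findall(log_text):
        try:
            attrs = ET.fromstring(fragment).attrib
        except ET.ParseError:
            malformed += 1  # truncated or damaged log fragment, count and skip
            continue
        record = {"name": attrs.get("name"), "ip": attrs.get("ip"),
                  "timeout": attrs.get("timeout")}
        (sent if "timeout" in attrs else missing).append(record)
    return sent, missing, malformed

def summarize(log_text):
    """Count entries by timeout status; timeout_missing > 0 matches the reported symptom."""
    sent, missing, malformed = audit_entries(log_text)
    zero = sum(1 for r in sent if r["timeout"] == "0")
    return {"timeout_zero": zero,
            "timeout_other": len(sent) - zero,
            "timeout_missing": len(missing),
            "malformed": malformed}

# Constructed sample input; real postauthctrl lines will have a different prefix.
SAMPLE_LOG = """\
constructed-line-1 <entry name="alice" ip="10.0.0.5" timeout="0"/>
constructed-line-2 <entry name="bob" ip="10.0.0.6"/>
constructed-line-3 <entry name="carol" ip="10.0.0.7" timeout="2700"/>
constructed-line-4 <entry name="dave" ip="10.0.0.8" timeout=/>
"""

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    for rec in audit_entries(SAMPLE_LOG)[1]:
        print("no timeout sent for", rec["name"], rec["ip"])
```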

Contributor I

Re: ClearPass 6.6.7 not sending timeout value to Palo Alto

I'm seeing the same thing you are; I don't see a timeout value being sent (from the CPPM logs). Let us know what TAC says.

However, our PAN updates seem to have completely broken right now. We upgraded our Panorama to 8.0.4 last week, and now our CPPM updates don't seem to be getting to the firewalls (which are still on 7.1.x). We send updates to Panorama, not directly to the firewalls. I have a case open with PAN to see if it's on their side.

AFK
Contributor II

Re: ClearPass 6.6.7 not sending timeout value to Palo Alto

Reply from TAC is that it has been filed as a bug. I am waiting for the defect number.

AFK
Contributor II

Re: ClearPass 6.6.7 not sending timeout value to Palo Alto

Bug number is 42300

AFK
Contributor II

Re: ClearPass 6.6.7 not sending timeout value to Palo Alto

TAC has now told me that it is confirmed as a bug and will be fixed in ClearPass version 6.7, which is scheduled for release in December.
