Frequent Contributor II

ClearPass 6.7 and Palo Alto Firewall Integration

Hi community,


I upgraded ClearPass to 6.7, and as part of the upgrade I can see the enforcement profile for updating Palo Alto user-id has changed (automatically) as follows:


Do I have to do anything extra for the integration to work? Or is this new configuration good enough? I'm running PAN-OS 7.1.14.

Frequent Contributor II

Re: ClearPass 6.7 and Palo Alto Firewall Integration

I've tested this and it works well so far. Previously the user-id information was unstable on Palo Alto (when testing between ClearPass 6.6.8 and PAN-OS 7.1.14). Now I can open rules with user or role on PA and not get unexpectedly disconnected due to user info not being available.


Re: ClearPass 6.7 and Palo Alto Firewall Integration

Just to add, no, there is nothing you have to do. As part of the upgrade to 6.7 we have migrated the PANW configuration and this is documented in the release notes.


Endpoint Context Servers

The following new features are introduced in Endpoint Context Servers in the 6.7.0 release.

• Context Server Action content can now be customized for Palo Alto Networks Firewall (PANW) endpoint context servers. You can notify PANW of additional attributes by adding a new action or modifying an existing action. You can also create or import new attributes for PANW at Administration > Dictionaries > Context Server Actions. (#31343, #38979, #40754)

As part of this feature, some new default actions have been added and some have been removed:


The Context Server Actions dictionary now includes the following new actions for a total of 18 actions — Register Device, Register Posture, Register Role, Send HIP Report (Global Protect), Send Login Info, Send Logout Info, Unregister Device, Unregister Posture, and Unregister Role.


The following four options in the Endpoint Context Server have been removed — ClearPass Profiler, ClearPass Role, GlobalProduct, and UserID Post URL.

Best Regards

ClearPass Product Manager

-- Found something helpful, important, or cool? Click the Kudos Star in a post.
-- Problem Solved? Click "Accept as Solution" in a post.
Frequent Contributor II

Re: ClearPass 6.7 and Palo Alto Firewall Integration

Hello danny,


Thanks for your comment. Actually I've observed unexpected behavior with the CPPM - Palo Alto integration for the last several days (I thought it had been fixed with ClearPass 6.7). Though many user-ids are synced stably to PA, some others just got lost (unstable) for an unknown reason. You can see it in the attached screenshot:




My company has about 2000 employees, and I don't know if this behavior is due to a large number of user-ids being synced. Do I need to tune some parameters to fix this issue? I'm running ClearPass 6.7 and PAN-OS 7.1.14.

New Contributor

Re: ClearPass 6.7 and Palo Alto Firewall Integration

I know this issue is a few months old, but was this ever resolved for anyone? We are seeing the same symptoms with ClearPass and Palo Alto 7.1.16. So far, support cases with Aruba and Palo Alto haven't narrowed it down to anything specific, but it's causing all sorts of havoc with the firewall's content filtering policies as various higher-ups will randomly be subjected to the "we don't know who this is" generic policies and are restricted when they shouldn't be.

Frequent Contributor II

Re: ClearPass 6.7 and Palo Alto Firewall Integration

Hi davistim,


Per the ClearPass 6.7.2 release notes:


Corrected an issue where the order of the updates sent to Palo Alto Firewall was incorrect, and in some cases caused Palo Alto Firewall to not receive user IDs from ClearPass.

Looks like they have improved the user-id integration between CPPM and PANW. I haven't had a chance to test this because some issues (probably only specific to my environment) prevent me from updating CPPM to this version. But I think you could try updating CPPM and see if it solves the integration issue. Would be great if you can share the test result here.


