Frequent Contributor I

ClearPass 6.7 and Palo Alto Firewall Integration

Hi community,

I upgraded ClearPass to 6.7, and as part of the upgrade I can see the enforcement profile for updating Palo Alto user-id has changed (automatically) as follows:

1.PNG

Do I have to do anything extra for the integration to work? Or is this new configuration good enough? I'm running PAN-OS 7.1.14.

Frequent Contributor I

Re: ClearPass 6.7 and Palo Alto Firewall Integration

I've tested this and it works well so far. Previously the user-id information was unstable on Palo Alto (when testing between ClearPass 6.6.8 and PAN-OS 7.1.14). Now I can open rules with user or role on PA and not get unexpectedly disconnected due to user info not being available.

Moderator

Re: ClearPass 6.7 and Palo Alto Firewall Integration

Just to add: no, there is nothing you have to do. As part of the upgrade to 6.7 we have migrated the PANW configuration, and this is documented in the release notes.

Endpoint Context Servers

The following new features are introduced in Endpoint Context Servers in the 6.7.0 release.

- Context Server Action content can now be customized for Palo Alto Networks Firewall (PANW) endpoint context servers. You can notify PANW of additional attributes by adding a new action or modifying an existing action. You can also create or import new attributes for PANW at Administration > Dictionaries > Context Server Actions. (#31343, #38979, #40754)

As part of this feature, some new default actions have been added and some have been removed:

The Context Server Actions dictionary now includes the following new actions for a total of 18 actions: Register Device, Register Posture, Register Role, Send HIP Report (Global Protect), Send Login Info, Send Logout Info, Unregister Device, Unregister Posture, and Unregister Role.

The following four options in the Endpoint Context Server have been removed: ClearPass Profiler, ClearPass Role, GlobalProduct, and UserID Post URL.


Best Regards
-d

ClearPass Product Manager

Frequent Contributor I

Re: ClearPass 6.7 and Palo Alto Firewall Integration

Hello danny,

Thanks for your comment. Actually I've observed unexpected behavior with the CPPM - Palo Alto integration for the last several days (I thought it had been fixed with ClearPass 6.7). Though many user-ids are synced stably to PA, some others just got lost (unstable) for an unknown reason. You can see it in the attached screenshot:

pa_user_id.PNG

My company has about 2000 employees, and I don't know if this behavior is due to a large number of user-ids being synced. Do I need to tune some parameters to fix this issue? I'm running ClearPass 6.7 and PAN-OS 7.1.14.
