Frequent Contributor II

ClearPass 6.7 and Palo Alto Firewall Integration

Hi community,

I upgraded ClearPass to 6.7, and as part of the upgrade I can see the enforcement profile for updating Palo Alto user-id has changed (automatically) as follows:

[screenshot attached: 1.PNG]

Do I have to do anything extra for the integration to work? Or is this new configuration good enough? I'm running PAN-OS 7.1.14.

Frequent Contributor II

Re: ClearPass 6.7 and Palo Alto Firewall Integration

I've tested this and it works well so far. Previously the user-id information was unstable on Palo Alto (when testing between ClearPass 6.6.8 and PAN-OS 7.1.14). Now I can open rules with user or role on PA without unexpectedly getting disconnected because the user info is unavailable.

Moderator

Re: ClearPass 6.7 and Palo Alto Firewall Integration

Just to add, no, there is nothing you have to do. As part of the upgrade to 6.7 we have migrated the PANW configuration, and this is documented in the release notes:

Endpoint Context Servers

The following new features are introduced in Endpoint Context Servers in the 6.7.0 release.

- Context Server Action content can now be customized for Palo Alto Networks Firewall (PANW) endpoint context servers. You can notify PANW of additional attributes by adding a new action or modifying an existing action. You can also create or import new attributes for PANW at Administration > Dictionaries > Context Server Actions. (#31343, #38979, #40754)

  As part of this feature, some new default actions have been added and some have been removed:

  The Context Server Actions dictionary now includes the following new actions for a total of 18 actions: Register Device, Register Posture, Register Role, Send HIP Report (Global Protect), Send Login Info, Send Logout Info, Unregister Device, Unregister Posture, and Unregister Role.

  The following four options in the Endpoint Context Server have been removed: ClearPass Profiler, ClearPass Role, GlobalProduct, and UserID Post URL.


Best Regards
-d

ClearPass Product Manager

-- Found something helpful, important, or cool? Click the Kudos Star in a post.
-- Problem Solved? Click "Accept as Solution" in a post.
Frequent Contributor II

Re: ClearPass 6.7 and Palo Alto Firewall Integration

Hello danny,

Thanks for your comment. Actually I've observed unexpected behavior with the CPPM - Palo Alto integration for the last several days (I thought it had been fixed with ClearPass 6.7). Though many user-ids are synced stably to PA, some others just get lost (unstable) for an unknown reason. You can see it in the attached screenshot:

[screenshot attached: pa_user_id.PNG]

My company has about 2000 employees, and I don't know if this behavior is due to the large number of user-ids being synced. Do I need to tune some parameters to fix this issue? I'm running ClearPass 6.7 and PAN-OS 7.1.14.

New Contributor

Re: ClearPass 6.7 and Palo Alto Firewall Integration

I know this issue is a few months old, but was this ever resolved for anyone?  We are seeing the same symptoms with Clearpass 6.7.0.101814 and Palo Alto 7.1.16.  So far, support cases with Aruba and Palo Alto haven't narrowed it down to anything specific, but it's causing all sorts of havoc with the firewall's content filtering policies as various higher-ups will randomly be subjected to the "we don't know who this is" generic policies and are restricted when they shouldn't be.

Frequent Contributor II

Re: ClearPass 6.7 and Palo Alto Firewall Integration

Hi davistim,

Per the ClearPass 6.7.2 release notes:

#39696: Corrected an issue where the order of the updates sent to Palo Alto Firewall was incorrect, and in some cases caused Palo Alto Firewall to not receive user IDs from ClearPass.

Looks like they have improved the user-id integration between CPPM and PANW. I haven't had a chance to test this because some issues (probably specific to my environment) prevent me from updating CPPM to this version. But I think you could try updating CPPM and see if it solves the integration issue. It would be great if you could share the test result here.

Regards,

New Contributor

Re: ClearPass 6.7 and Palo Alto Firewall Integration

Just to circle back on this, we are still seeing this issue occasionally and can consistently reproduce it.  We're on Clearpass 6.7.4.107401, Palo Alto 8.0.10.  Trying to regroup with support on Aruba and Palo Alto side, but so far, the general consensus from both is that Clearpass/PAN are configured correctly and logs show they're doing what they're supposed to, so it must be the other vendor's fault.  If I can ever get this resolved, I'll update this thread.

Moderator

Re: ClearPass 6.7 and Palo Alto Firewall Integration

davistim,

 

I'd like to follow up with you on this. What is the basic issue here, users being authN by CPPM not showing up in PANW?

Best Regards
-d

ClearPass Product Manager
Frequent Contributor II

Re: ClearPass 6.7 and Palo Alto Firewall Integration

Hi dannyjump,

I'm also experiencing this issue. I updated CPPM to the latest version (6.7.5) but it did not solve the issue. The user id is not showing up consistently on Palo Alto (which uses PAN-OS 7.1.15 btw). All settings on CPPM and Palo Alto are kept at their default.

Could you please help on this?

Regards,

New Contributor

Re: ClearPass 6.7 and Palo Alto Firewall Integration

I too am having this same wacky behaviour with CPPM 6.7.4 and PanOS 7.1.18... ~2500 active wifi clients.

My issue is the same as above: they will initially auth fine the first time, get a timeout of about 86000s via xmlapi, then just randomly get "unknown", and then the user will be presented with the PA captive portal so it can re-learn the user-ip mapping. This doesn't happen to ALL clients; it seems to be really hit and miss.

Has there been any progress on a fix for this? Or has anyone at Aruba been able to replicate the issue?

Could it be anything to do with radius re-auth and it sending the context server actions in the incorrect order?

I was thinking of applying the 6.7.5 patch, but it looks like a previous user has done this and it hasn't fixed the issue :(
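To make the two symptoms discussed in this thread concrete (a mapping that vanishes when a re-auth's logout and login updates are processed in the wrong order, as fix #39696 describes, and a mapping that expires after its 86000s timeout), here is a small simulator. It is an added example, not ClearPass or PAN-OS code: the uid-message layout follows the documented PAN-OS User-ID XML API, while the mapping table, the user names and IPs, and the assumption that a re-auth produces one logout and one login for the same user/IP are constructed for illustration only.

```python
"""Simulate how a firewall's IP-to-user mapping table reacts to User-ID
XML API login/logout updates and to the per-entry timeout.

Constructed example (not ClearPass or PAN-OS code). The <uid-message>
layout follows the documented PAN-OS User-ID XML API; the table logic is a
simplified model used only to reason about update ordering and expiry.
"""
import xml.etree.ElementTree as ET
from typing import Dict, Iterable, List, Optional, Tuple

DEFAULT_TIMEOUT = 86000  # seconds; the value reported in this thread

# mapping table: ip -> (user, expiry_time)
MappingTable = Dict[str, Tuple[str, float]]


def build_uid_message(logins: Iterable[Tuple[str, str]],
                      logouts: Iterable[Tuple[str, str]],
                      timeout: int = DEFAULT_TIMEOUT) -> str:
    """Return one <uid-message> update. Entries are (user, ip) pairs;
    login entries carry the timeout attribute, logout entries do not."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    login = ET.SubElement(payload, "login")
    for user, ip in logins:
        ET.SubElement(login, "entry", name=user, ip=ip, timeout=str(timeout))
    logout = ET.SubElement(payload, "logout")
    for user, ip in logouts:
        ET.SubElement(logout, "entry", name=user, ip=ip)
    return ET.tostring(root, encoding="unicode")


def apply_uid_message(table: MappingTable, xml_text: str, now: float) -> None:
    """Apply one update: logins add or refresh a mapping, logouts remove it."""
    payload = ET.fromstring(xml_text).find("payload")
    if payload is None:
        return
    for entry in payload.iterfind("login/entry"):
        timeout = int(entry.get("timeout", DEFAULT_TIMEOUT))
        table[entry.get("ip")] = (entry.get("name"), now + timeout)
    for entry in payload.iterfind("logout/entry"):
        current = table.get(entry.get("ip"))
        # a logout only clears the mapping when the user name matches
        if current and current[0] == entry.get("name"):
            del table[entry.get("ip")]


def lookup(table: MappingTable, ip: str, now: float) -> Optional[str]:
    """Return the user mapped to ip, or None ("unknown") if absent/expired."""
    entry = table.get(ip)
    if entry is None or entry[1] <= now:
        return None
    return entry[0]


def replay(updates: List[str], now: float = 0.0) -> MappingTable:
    table: MappingTable = {}
    for xml_text in updates:
        apply_uid_message(table, xml_text, now)
    return table


def reauth_scenario(logout_first: bool) -> Optional[str]:
    """Assumed re-auth: a logout for the old session plus a login for the
    new one, for the same user and IP. Returns what the IP resolves to."""
    user, ip = "corp\\alice", "10.0.0.5"  # constructed sample values
    logout = build_uid_message(logins=[], logouts=[(user, ip)])
    login = build_uid_message(logins=[(user, ip)], logouts=[])
    order = [logout, login] if logout_first else [login, logout]
    return lookup(replay(order), ip, now=1.0)


def timeout_scenario(elapsed: float) -> Optional[str]:
    """Single login, then a lookup `elapsed` seconds later."""
    user, ip = "corp\\alice", "10.0.0.5"  # constructed sample values
    table = replay([build_uid_message([(user, ip)], [])], now=0.0)
    return lookup(table, ip, now=elapsed)


if __name__ == "__main__":
    print("logout then login:", reauth_scenario(True))    # corp\alice
    print("login then logout:", reauth_scenario(False))   # None (unknown)
    print("lookup after 1h:", timeout_scenario(3600))      # corp\alice
    print("lookup after 86000s:", timeout_scenario(86000)) # None (unknown)
```

When the logout is processed after the login for the same user/IP, the model ends with no mapping at all, which is exactly the "unknown" state that sends a user to the captive portal; a packet capture or the context server action log on CPPM showing the relative order of the Send Logout Info and Send Login Info actions at re-auth time is the first thing to check against this model.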
