Security

On the Palo Alto firewall, each vsys has its own ip-user-mapping table on a device configured with vsys enabled. The XML API xpath being used by ClearPass does not accout for this, so the integration fails to produce the desired result.

 

What is needed to make this work is an alteration of the xpath so that it has /vsys/entry@name='vsysN', where 'N' is the vsys number. This is documented in the PA XML API guide. I can't see a way to hack it in by altering the default string used by ClearPass, since the xpath is encapsulated by "cmd={cmd}".

 

Example why we need this: PA firewall originally inserted into the network in Virtual Wire mode. Transition to a new infrastructure is being accomplished with a second (Layer-3) vsys. Eventually the vwire goes away, but in the meantime, both want User-ID mappings from CPM. Right now, neither get it.

 

Is there a way to get this vsys info into the command? If not, does Aruba have any plan to provide this functionality?

Hello GMParis,

 

Your correct in your observation in our current ability. We are enhancing our integration with our next release of CPPM (December 2013) to include support for PAN OS HIP Profiles, in additional their are other changes coming because of PAN OS enhancements we want to take advantage off. We are constantly reviewing which features and functions are required by the field and its a continuous process of mapping resource to field demand. I will review this in details with engineering over the next couple of days and post an update after my discussion.

GMParis,

 

I've spoken to one of the engineers responsible for our PAN OS integration.  We'd like to understand the workflow better of how this would work.

 

For example....a guest of 'Bob' registers and we send his details to vsys1....when 'john' registers how does cppm know to post his details to 'vsys2'....I like to get a better handle on your work-flow for this?

 

Please email me at danny@arubanetworks.com with your thoughts/workflow.

 

Thanks

-d

Just shot you an email. Thanks for following up on this.

Is there a solution for CPPM intergration with a palo alto running multiple vsys?

Brett,

 

I pinged you back on email, but today we only support a single vsys system with our CPPM/PANW integration.

Brett,

 

Stupid question from me.......I guess you have a need to support multiple vsys's?

 

Can you please provide a little more info / use-case either here or danny@arubanetworks.com.

 

Cheers.

Sorry, we only support a single vsys.

Please excuse my errors as sent using my small useless keyboard on my smartphone.

Regards
--d

Danny Jump | Technical Marketing Engineer - Networking Services | Aruba Networks
o: 408-513-8938<408-513-8938> (diverts to cell)
e: danny@arubanetworks.com<DANNY></DANNY>

I actuall don't need multiple VSYS, but I turned it on to test the functionallty. And while I have turned it back off it appears that not all of the multiple VSYS system settings are removed. I am not sure if there is some sort of "scrub" that can be done. 

 

I have been told that there is a way to have multple VSYS and use the windows user-id agent but I am not able to find any documentation for that type of config. You should be able to point the clearpass to the user-id agent and then point the palo alto to use the user-id agent.