SBS
Contributor II

General Question - Multiple Palo Alto Firewalls as Endpoint Context Servers in CPPM

Hello, I wanted to see if anyone else utilizes a similar setup to ours, to see if it's considered no big deal (should be able to do, "normal") or if it's outside of a normal setup.

 

We have (3) endpoint context servers of type Palo Alto Networks Firewall communicating with our CPPM cluster. Two of the context servers are associated with enterprise traffic; the last node is associated with our BYOD traffic. We have the API connection between the Palo and CPPM working for both setups.

 

What we are seeing inconsistencies in is the Palo getting the username from CPPM. If I understand TAC correctly, CPPM is sometimes not sending a payload to Palo, and other times it's sending it to the incorrect Palo altogether (i.e. for BYOD it's sending to the enterprise firewall, not the BYOD firewall; not what is defined in enforcement profiles, etc.). Sometimes it works fine.

 

TAC had me restart the async network services on all the nodes, but that didn't seem to make any difference; at this point they have our case with engineering. What we are seeing is inconsistencies in the Palo getting usernames from CPPM. When it's not getting the username, then the Palo isn't able to, say, assign URL filtering policies based on username, for example.

 

I can attach screenshots if you think that would be beneficial, but at first I'm generally curious: does anyone have this type of setup, where you are sending to multiple Palo Alto firewalls from CPPM and it sends the username consistently / always and to the proper firewall?

 

Thanks,

Sarah
