Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Palo Alto & ClearPass Integration changes with PAN-OS 7.1.5

  • 1.  Palo Alto & ClearPass Integration changes with PAN-OS 7.1.5

    Posted Nov 10, 2016 04:48 PM

    Team,

     

    I wanted to put 'pen to paper' on this. Starting in PAN-OS 7.1.5, PANW made a change to the way one of their APIs works. Obviously this is an API we use as part of the integration, else I wouldn't be writing this. Prior to 7.1.5, when we sent a user-IP mapping we didn't include a timeout value, as the lack of the value meant the user didn't time out and the firewall waited for us to send the logout command.

     

    However, if you don't explicitly pass a timeout value, then:

    1. In 7.1.5, the timeout would be inherited from the User Identification Timeout value configured on the firewall. 
    2. Prior to 7.1.5, the timeout would not have expired.

    So the UserID timeout is configured here....

     

    [Screenshot: image001.jpg.jpeg]

     

    The timeout value in the User Identification Timeout field shown in the screenshot will now be used if no timeout value is passed by ClearPass. It can take values from 1 to 3600 min and the default is 45 min.

     

    As an FYI - if you un-check the 'User Identification Timeout (min)' option, this would set the time-out to 60 min.

     

    Now, our current plan is to modify the way we set the timeout to re-introduce the same experience in CPPM 6.6.4, which we are targeting for Q1 2017.

     

    HTH. Any Q's ping me on djump@hpe.com

     

     

     



  • 2.  RE: Palo Alto & ClearPass Integration changes with PAN-OS 7.1.5

    Posted Apr 11, 2017 01:32 PM

    Hey Danny, have you guys tested CPPM integration with PAN-OS 8.x? I seem to be having some issues getting user-id information in the firewall. I followed the latest tech note but am not having any luck. I'm wondering if something has changed in the API.



  • 3.  RE: Palo Alto & ClearPass Integration changes with PAN-OS 7.1.5

    Posted Apr 13, 2017 10:31 PM

    I'm running PAN 8.x in the LAB with no issues, can you expand on your problem?

     

     



  • 4.  RE: Palo Alto & ClearPass Integration changes with PAN-OS 7.1.5

    Posted Jun 02, 2017 09:50 AM

    Hi Danny,

     

    We are running ClearPass v6.6.5 and PAN-OS 8.0.2. I see that ClearPass is still not sending any timeout value to the Palo Alto. So userid entries will get the default timeout value configured in the firewall and eventually time out without any logout message from ClearPass. Any plans to change this?
    Adding a timeout attribute in the XML should solve this:

     

    <payload>
    <login>
    <entry name="knut" ip="1.1.1.1" timeout="0"/>
    </login>
    </payload>

     

    Maybe the timeout value could also be a configurable option in ClearPass?

     

    Best Regards

    Knut
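
The payload change proposed in the post above, as an added example (not ClearPass code and not written by any poster in this thread): Python that builds a User-ID login message with or without the `timeout` attribute and lists the entries that omit it, which per the thread inherit the firewall's User Identification Timeout from PAN-OS 7.1.5 onward. The `uid-message` envelope follows the PAN-OS User-ID XML API; the function names and the sample mappings are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET


def build_login_message(mappings, timeout_min=None):
    """Build a User-ID login update for (user, ip) pairs.

    timeout_min=None omits the attribute (what the thread says ClearPass 6.6.5
    sends); an integer writes timeout="<n>" on every entry.
    """
    if timeout_min is not None and timeout_min < 0:
        raise ValueError("timeout must be >= 0")
    msg = ET.Element("uid-message")
    ET.SubElement(msg, "version").text = "1.0"
    ET.SubElement(msg, "type").text = "update"
    login = ET.SubElement(ET.SubElement(msg, "payload"), "login")
    for user, ip in mappings:
        attrs = {"name": user, "ip": ip}
        if timeout_min is not None:
            attrs["timeout"] = str(timeout_min)
        ET.SubElement(login, "entry", attrs)
    return ET.tostring(msg, encoding="unicode")


def entries_without_timeout(xml_text):
    """Return (name, ip) for login entries that carry no explicit timeout.

    Per the thread, from PAN-OS 7.1.5 these mappings inherit the firewall's
    User Identification Timeout and can expire without a logout message.
    """
    root = ET.fromstring(xml_text)
    return [(e.get("name"), e.get("ip"))
            for e in root.findall(".//login/entry")
            if e.get("timeout") is None]


if __name__ == "__main__":
    # Constructed sample mappings, not real users or hosts.
    sample = [("knut", "1.1.1.1"), ("user2", "1.1.1.2")]
    legacy = build_login_message(sample)
    pinned = build_login_message(sample, timeout_min=0)
    print("no timeout attr:", entries_without_timeout(legacy))
    print("timeout=0      :", entries_without_timeout(pinned))
```

Running the audit function over captured payloads shows which mappings depend on the firewall-side timeout rather than on a value set by the sender.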



  • 5.  RE: Palo Alto & ClearPass Integration changes with PAN-OS 7.1.5

    Posted Jun 02, 2017 03:26 PM

    Correct, in the current shipping version 6.6.5 we do not support the PANW timeout value they modified in their underlying code. Due to other commitments it's taken us a while to get this into a release vehicle. In the next patch release we will return the experience to how it was before they made changes in 7.1.5.

     

    In a later release we plan on exposing this so you can define your own timeout value.