Moderator
Posts: 492
Registered: ‎11-09-2012

Palo Alto & ClearPass Integration changes with PAN-OS 7.1.5

Team,

 

I wanted to put 'pen to paper' on this. Starting in PAN-OS 7.1.5, PANW made a change to the way one of their APIs works. Obviously this is an API we use as part of the integration, else I wouldn't be writing this. Prior to 7.1.5, when we sent a user-IP mapping we didn't include a timeout value, as the lack of the value meant the user didn't time out and the firewall waited for us to send the logout command.

 

However, if you don't explicitly pass a timeout value, then:

  1. In 7.1.5, the timeout would be inherited from the User Identification Timeout value configured on the firewall. 
  2. Prior to 7.1.5, the timeout would not have expired.

So the UserID timeout is configured here....

 

image001.jpg.jpeg

 

The timeout value in the User Identification Timeout field shown in the screenshot will now be used if no timeout value is passed by ClearPass. It can take values from 1 to 3600 min, and the default is 45 min.

 

As an FYI - if you un-check the 'User Identification Timeout (min)' box, this would set the timeout to 60 min.

 

Now, our current plan is to modify the way we set the timeout to re-introduce the same experience in CPPM 6.6.4, which we are targeting for Q1 2017.

 

HTH. Any Q's ping me on djump@hpe.com

 

 

 


Best Regards
-d

Snr Tech Marketing Engineer - ClearPass

-- Found something helpful, important, or cool? Click the Kudos Star in a post.
-- Problem Solved? Click "Accept as Solution" in a post.
Regular Contributor I
Posts: 166
Registered: ‎04-11-2011

Re: Palo Alto & ClearPass Integration changes with PAN-OS 7.1.5

Hey Danny, have you guys tested CPPM integration with PAN-OS 8.x? I seem to be having some issues getting user-id information in the firewall. I followed the latest tech note but am not having any luck. I'm wondering if something has changed in the API.

Moderator
Posts: 492
Registered: ‎11-09-2012

Re: Palo Alto & ClearPass Integration changes with PAN-OS 7.1.5

I'm running PAN 8.x in the LAB with no issues, can you expand on your problem?

 

 


Best Regards
-d

Snr Tech Marketing Engineer - ClearPass

New Contributor
Posts: 1
Registered: ‎06-08-2015

Re: Palo Alto & ClearPass Integration changes with PAN-OS 7.1.5

Hi Danny,

 

We are running ClearPass v6.6.5 and PAN OS 8.0.2. I see that ClearPass still is not sending any timeout value to the PaloAlto. So userid entries will get the default timeout value configured in the firewall and eventually time out without any logout message from ClearPass. Any plans to change this?
Adding a timeout attribute in the xml should solve this:

 

<payload>
<login>
<entry name="knut" ip="1.1.1.1" timeout="0"/>
</login>
</payload>

 

Maybe the timeout value could also be a configurable option in ClearPass?

 

Best Regards

Knut
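
Added example, not part of the thread and not ClearPass or PAN-OS code: a Python sketch that builds the login payload from the post above with and without the `timeout` attribute, then models how long each mapping lives under the behaviour described in this thread. The `uid-message` envelope around `<payload>`, the function names, and the reading of `timeout="0"` as "never expire" (as the post implies) are assumptions.

```python
import xml.etree.ElementTree as ET

NEVER = None  # sentinel: mapping stays until an explicit logout is sent


def build_login_message(mappings, timeout=None):
    """Build a User-ID login message from (username, ip) pairs.

    timeout: minutes, or None to omit the attribute entirely, which is
    what ClearPass 6.6.5 is reported to do in this thread.
    """
    root = ET.Element("uid-message")  # assumed envelope, not shown on the page
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    login = ET.SubElement(ET.SubElement(root, "payload"), "login")
    for name, ip in mappings:
        attrs = {"name": name, "ip": ip}
        if timeout is not None:
            attrs["timeout"] = str(timeout)
        ET.SubElement(login, "entry", attrs)
    return ET.tostring(root, encoding="unicode")


def effective_timeout(message_xml, panos_version, fw_timeout_min=45):
    """Return {ip: minutes or NEVER}, following the thread's description.

    fw_timeout_min is the firewall's User Identification Timeout
    (default 45; 60 if the box is un-checked, per the first post).
    """
    inherits = tuple(panos_version) >= (7, 1, 5)
    result = {}
    for entry in ET.fromstring(message_xml).iter("entry"):
        raw = entry.get("timeout")
        if raw is None:
            # No attribute: 7.1.5+ inherits the firewall value, older never expires.
            result[entry.get("ip")] = fw_timeout_min if inherits else NEVER
        else:
            # Assumption from the post above: 0 means "do not time out".
            result[entry.get("ip")] = NEVER if int(raw) == 0 else int(raw)
    return result


if __name__ == "__main__":
    users = [("knut", "1.1.1.1")]  # constructed sample, taken from the post
    for label, msg in (("no timeout", build_login_message(users)),
                       ("timeout=0", build_login_message(users, timeout=0))):
        for version in ((7, 1, 4), (8, 0, 2)):
            print(label, version, effective_timeout(msg, version))
```

Mappings that come back with a finite value on 7.1.5 or later are the ones that expire on the firewall without a logout message from ClearPass.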

Moderator
Posts: 492
Registered: ‎11-09-2012

Re: Palo Alto & ClearPass Integration changes with PAN-OS 7.1.5

Correct, in the current shipping version 6.6.5 we do not support the PANW timeout value they modified in their underlying code. Due to other commitments it's taken us a while to get this into a release vehicle. In the next patch release we will return the experience to how it was before they made changes in 7.1.5.

 

In a later release we plan on exposing this so you can define your own timeout value.


Best Regards
-d

Snr Tech Marketing Engineer - ClearPass
