Posts: 472
Registered: ‎11-09-2012

Palo Alto & ClearPass Integration changes with PAN-OS 7.1.5



I wanted to put 'pen to paper' on this. Starting in PAN-OS 7.1.5 PANW made a change to they way one of their API's works. Obviously this is an API's we use as part of the integration else I wouldn't be writing this. Prior to 7.1.5 when we send user-IP-mapping we didn't include a timeout value as the lack of the value meant the user didn't time-out and the firewall waited for us to send the logout command. 


However, if you don’t explicit pass a timeout value then 

  1. In 7.1.5, the timeout would be inherited from the User Identification Timeout value configured on the firewall. 
  2. Prior to 7.1.5, the timeout would not have expired.

So the UserID timeout is configured here....




The timeout value in the User Identification Timeout field showed in the screenshot will now be used if no timeout value is passed by ClearPass. It can take values from 1 to 3600 min and default is 45 min.


As an FYI - If you un-check the 'User Identification Timeout (min)" this would set the time-out as 60 min.


Now, our current plan is to modify the way we set the timeout to re-introduce the same experience in CPPM 6.6.4, which we are targeting for Q1 2017.


HTH. Any Q's ping me on




Best Regards

Snr Tech Marketing Engineer - ClearPass

-- Found something helpful, important, or cool? Click the Kudos Star in a post.
-- Problem Solved? Click "Accept as Solution" in a post.
Search Airheads
Showing results for 
Search instead for 
Did you mean: