Sending ClearPass Endpoint tags to Palo Alto

Hi All,

I'm looking for some help getting integration with Palo Alto working.

I've referred to the tech note on how to integrate the PAN and CPPM server. I am able to get endpoint username and IP data shared between devices but can't seem to get the device model tags flowing to Palo Alto.

I've done debugs at both ends and it seems that in the XML Registration message sent to PAN there is no user tag:


id-message> <version>1.0</version> <type>update</type> <payload> <register> <entry identifier="" ip="10.11.12.13"/> </register> </payload> </uid-message>
'
2015-09-28 16:41:55.822 +1000 Error: pan_user_id_xmlapi_regip_proc(pan_user_id_xmlapi.c:787): missing tags for registered ip 10.11.12.13
2015-09-28 16:41:55.822 +1000 Error: pan_user_id_xmlapi_regip_proc(pan_user_id_xmlapi.c:819): failed to register IP address 10.11.12.13
2015-09-28 16:41:55.822 +1000 debug: pan_user_id_xmlapi_set_data(pan_user_id_xmlapi.c:1220): sending message to HA peer
2015-09-28 16:41:55.823 +1000 Error: cfgagent_doop_callback(pan_cfgagent.c:512): Failed to handle op command for agent:

 

The access tracker is showing that the correct device details are being detected:

[Screenshots: snip1.PNG, snip2.PNG, snip3.PNG]

Is there something extra needed in the enforcement policy / profile to send the endpoint data to the Palo Alto?


Scott
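
Added example (not part of the original post, and not ClearPass or Palo Alto code): a small Python check that parses a captured register message and lists the IPs sent without any tag, which is the condition the "missing tags for registered ip" error above reports. It assumes the `<tag><member>` layout of the PAN-OS User-ID XML API for registered-IP tags; the sample message, the second entry and the tag value are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the register entry from the post inside a complete
# <uid-message>, plus a second, constructed entry that does carry a tag.
SAMPLE = """<uid-message>
  <version>1.0</version>
  <type>update</type>
  <payload>
    <register>
      <entry identifier="" ip="10.11.12.13"/>
      <entry ip="10.11.12.14">
        <tag><member>constructed-device-tag</member></tag>
      </entry>
    </register>
  </payload>
</uid-message>"""


def register_tags(xml_text):
    """Map each registered IP to the list of non-empty tag members sent for it."""
    root = ET.fromstring(xml_text)
    if root.tag != "uid-message":
        raise ValueError("root element is not <uid-message>")
    result = {}
    for entry in root.findall("./payload/register/entry"):
        ip = entry.get("ip")
        if not ip:
            raise ValueError("register entry without an ip attribute")
        # Assumed layout: <entry><tag><member>NAME</member></tag></entry>
        members = [m.text.strip() for m in entry.findall("./tag/member")
                   if m.text and m.text.strip()]
        result.setdefault(ip, []).extend(members)
    return result


def untagged_ips(xml_text):
    """IPs whose register entry carries no tag."""
    return sorted(ip for ip, tags in register_tags(xml_text).items() if not tags)


if __name__ == "__main__":
    for ip in untagged_ips(SAMPLE):
        print(f"{ip}: register entry has no <tag><member> values")
```

Running it against the message captured in the debug log shows whether the tag list is empty at the sender, before looking at the firewall side.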
