10-21-2015 06:00 PM
I'm looking for some help getting integration with Palo Alto working.
I've referred to the tech note on how to integrate the PAN and CPPM server. I am able ot get endpoint username and IP data shared between devices but can't seem to get the device model tags flowing to Palo Alto.
I've done debugs at both ends and it seems that in the XML Registration message send to PAN there is no user tag:
id-message> <version>1.0</version> <type>update</type> <payload> <register> <entry identifier="" ip="10.11.12.13"/> </register> </payload> </uid-message>
2015-09-28 16:41:55.822 +1000 Error: pan_user_id_xmlapi_regip_proc(pan_user_id_xmlapi.c:787): missing tags for registered ip 10.11.12.13
2015-09-28 16:41:55.822 +1000 Error: pan_user_id_xmlapi_regip_proc(pan_user_id_xmlapi.c:819): failed to register IP address 10.11.12.13
2015-09-28 16:41:55.822 +1000 debug: pan_user_id_xmlapi_set_data(pan_user_id_xmlapi.c:1220): sending message to HA peer
2015-09-28 16:41:55.823 +1000 Error: cfgagent_doop_callback(pan_cfgagent.c:512): Failed to handle op command for agent:
the access tracker is showing that the correct device details are being detected:
Is there something extra needed in the enforcement policy / profile to send the endpoint data to the Palo Alto?