11-15-2016 04:08 PM
I am trying to intergrate clearpass with Palo alto using xlampi, all was going well however i struck a problem
In clearpass i have two types of users that are autheticating, domain joined machines (which authenticate using "compute authentication" and i also have byod users that authenticate using user based ad authetication.
so when a byod users authenticates with his ad credentials against clear pass and this is passed through to Palo alto all is good . Ihave a xlampi mapping of user and IP.
However when a user authenticates against Clearpass as a domain machine ,I now have a xmlapi mapping of ip and computer name . and considering my palo alto policies are user based policies user cant get internet.
I do have uia in play which works well for domain machines, but i have the problem when both are in play sometimes the xmlapi mapping from clearpass overides the uia mapping.
Hope that makes sense
My thought was to set a ignore list as all computers that get authenticated via xmlapi appear domain\computername$
show user ip-user-mapping all | match $
it returns 1026 results so using set vsys vsys1 user-id-collector ignore-user domain\*$ ?
however this brings all users back will ignore 1026
and thats were i am stuck.
01-11-2017 05:42 PM
On CPPM 6.6.x, is HIP endpoint data supposed to be sent even when GlobalProtect Enabled is unchecked on the Endpoint Context Server PANW configuration? If yes, is there a way to stop this behavior? I have it unchecked and am getting HIP updates which are maxing out PANW DAO limits.
2 weeks ago - last edited 2 weeks ago
Danny thanks for the great guide, it has a lot of information. I've got it setup to the point that on CPPM I'm seeing in my output the updates being listed for each of my firewalls
I also have the same question as above about the HA firewalls, for now I've decided to send to both units in case the HA pair isn't syncing information given from the XML API
(I had a couple other problems and as of writing this update I realized my problem was my predecessor had put an ACL on the interface [on top of the security policies for the zone] and this was keeping my https connections from getting past 264 bytes, hopefully if anyone else goes through the setup and hits the same wall this might help them)