AFK
Contributor II

Palo Alto integration - ClearPass vs controller

For the past couple of years we have tried to get the PA-ClearPass integration to work, but it has never proved to be a reliable solution for us. The current problem is a missing user-id timeout from ClearPass, which is scheduled to be fixed in version 6.7. So I have started to look at other solutions. I see there is a PAN Firewall Integration choice on the controllers. Is this working for those of you who are using it? Would there be any interesting side effects if we enabled both ClearPass and controller-based integration?

Moderator

Re: Palo Alto integration - ClearPass vs controller

I want to address the issue you refer to about user-id timeout.

Back in PAN-OS 7.1.5, PAN made a change to the underlying API we used: there was an implicit setting for a time-out that they made optional in 7.1.5. Prior to 7.1.5, when we set the user details the implicit timeout was 0, i.e. never time out.

This change caused CPPM, when sending user details, to be controlled by the PANW on-box setting [default was 60 minutes]; there was, though, no way to make the user never time out.

So we fixed this: we changed our API and added the now-required setting in the CPPM 6.6.7 patch to override the default value. We now send a never-time-out setting.

In a future release, we will expose the ability for you to set your own timeout value.

Best Regards
-d

ClearPass Product Manager

-- Found something helpful, important, or cool? Click the Kudos Star in a post.
-- Problem Solved? Click "Accept as Solution" in a post.
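As an added illustration of the API behaviour described in the reply above (this is example code, not ClearPass or Palo Alto code), the block below builds the PAN-OS User-ID XML API "login" message that an integration sends to create IP-to-user mappings. It shows the three cases the thread turns on: no timeout attribute (the firewall's on-box User-ID timeout applies), timeout="0" (never expire), and an explicit value in minutes. The user names, IP addresses and firewall host are constructed sample data; the HTTPS endpoint form used in send_uid_message is the documented XML API URL and is an assumption of this example, and that function is not invoked when the block runs.

```python
"""
Build and inspect PAN-OS User-ID XML API login messages.

Added example (not ClearPass or PAN-OS code). Models the thread's point:
an <entry> without a timeout attribute ages out per the firewall's on-box
User-ID timeout (60 minutes by default), timeout="0" means never expire,
and timeout="N" expires the mapping after N minutes.
"""
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from typing import Dict, Iterable, Optional, Tuple

NEVER_EXPIRE = 0  # timeout="0" asks the firewall to keep the mapping until logout


def build_uid_message(mappings: Iterable[Tuple[str, str]],
                      timeout_minutes: Optional[int] = None,
                      message_type: str = "update") -> str:
    """Return a <uid-message> login payload for the given (user, ip) pairs.

    mappings        iterable of (user, ip); user is written as given,
                    e.g. "CORP\\jdoe" (domain\\user form, as sent to User-ID)
    timeout_minutes None -> omit the attribute, firewall default applies
                    0    -> never expire
                    N>0  -> expire after N minutes
    """
    if timeout_minutes is not None and timeout_minutes < 0:
        raise ValueError("timeout must be >= 0")
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = message_type
    login = ET.SubElement(ET.SubElement(root, "payload"), "login")
    for user, ip in mappings:
        entry = ET.SubElement(login, "entry", name=user, ip=ip)
        if timeout_minutes is not None:
            entry.set("timeout", str(timeout_minutes))
    return ET.tostring(root, encoding="unicode")


def entry_timeouts(xml_text: str) -> Dict[str, Optional[int]]:
    """Parse a uid-message and return {ip: timeout_or_None} per login entry.

    Handy for checking what an integration really sent (from a capture or
    debug log) before concluding the firewall is aging mappings on its own.
    """
    root = ET.fromstring(xml_text)
    result: Dict[str, Optional[int]] = {}
    for entry in root.iter("entry"):
        t = entry.get("timeout")
        result[entry.get("ip")] = int(t) if t is not None else None
    return result


def send_uid_message(firewall_host: str, api_key: str, xml_text: str) -> str:
    """POST the message to the firewall XML API (assumed documented form:
    https://<fw>/api/?type=user-id&key=<key>&cmd=<xml>). Not called here.
    Use an API key bound to a role that only permits User-ID operations.
    """
    data = urllib.parse.urlencode(
        {"type": "user-id", "key": api_key, "cmd": xml_text}).encode()
    req = urllib.request.Request(f"https://{firewall_host}/api/",
                                 data=data, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    # Constructed sample mappings; not real users or addresses.
    sample = [("CORP\\jdoe", "10.1.1.1"), ("CORP\\asmith", "10.1.1.2")]
    print("firewall default :", build_uid_message(sample))
    print("never expire     :", build_uid_message(sample, NEVER_EXPIRE))
    print("20 minutes       :", build_uid_message(sample, 20))
```

Checking the output of entry_timeouts against a capture of what the integration actually sends is the quickest way to tell a missing timeout attribute (firewall default applies) from an explicit one.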
AFK
Contributor II

Re: Palo Alto integration - ClearPass vs controller

Hi Danny.

We are running ClearPass v6.6.7, and it does NOT send the timeout value in our case. I have just been through a TAC case, and they say that it will be fixed in v6.7. The engineering ticket number is 42300 if you want to look into it.

As I said, we have been trying for two years to get this to work, have had several TAC cases, and I have started to lose faith in this solution. Hence my question about controller integration as a replacement or supplement to ClearPass.

Moderator

Re: Palo Alto integration - ClearPass vs controller

I just reviewed the bug ID, I see DEV has commented that a bug was found affecting your environment. Yes, it will be fixed in 6.7, I will review with DEV/QA and see if I can get it included in the next 6.6.x patch.

Best Regards
-d

ClearPass Product Manager

AFK
Contributor II

Re: Palo Alto integration - ClearPass vs controller

Thanks Danny. To come back to my earlier question: would there be any problems if we enabled PA integration from the controllers as well as from ClearPass?

Moderator

Re: Palo Alto integration - ClearPass vs controller

That might be a solution for you; I wouldn't have Ctrl and CPPM sending info to the firewall though, only one source. Also, it's very important that you understand the context available from the firewall falls short of what CPPM is able to send. What context are you looking for?


Best Regards
-d

ClearPass Product Manager

AFK
Contributor II

Re: Palo Alto integration - ClearPass vs controller

We only need enough info to be able to create IP-user mappings for all clients on the firewall so we can use AD groups in our security policies.
