01-12-2016 10:46 AM
I've followed all of the steps to set up PAN integration, but don't see the Aruba controller logging into my Palo Alto firewall (or even trying).
I did the following:
1. created PAN server profile.
2. activated the profile
3. enabled 'PAN Firewall Integration' in my AAA profiles.
On the firewall side, I created a super user admin account.
Did I miss anything? If not, are there any commands on the Aruba to troubleshoot what might be happening? I don't see anything in the logs related to PAN except for the config commands from when I added the config.
01-12-2016 10:49 AM
Never mind. Found it:
(hostname) # show pan ?
active-profile Active PAN profile
debug Show PAN debug information
profile Palo Alto Networks Servers profile
state Show PAN Interface connection state
statistics Show PAN Interface Statistics
01-12-2016 11:26 AM
So my PA firewalls show as down, but I can ping them just fine and traceroute in both directions shows the correct path. I can also log into them via the browser with the account I created.
Is there anywhere to get more details on why they show as 'down'?
01-12-2016 11:40 AM
Looking at a packet capture, on the SSL setup, the server eventually sends a 'fatal / handshake error' at the end of the negotiation - after the controller sends its cert, client key exchange, change cipher, and encrypted handshake message.
01-12-2016 11:51 AM - edited 01-12-2016 11:54 AM
It was a server cert issue since I used the firewall's IP rather than hostname. I changed it to hostname and now it's up - except all user-ID requests are 'skipped' still.
And I don't see any logins on my PA firewalls.
06-14-2016 08:28 AM
I never got it working that way and Aruba & Palo Alto support just ran me around in circles for weeks. What we ended up doing was sending user events from our controllers (via syslog) to a server running the Palo Alto user agent. On the Palo Alto user agent, we parsed the syslog messages to map the info to the correct fields, then the Palo Alto pulls the info from the agent. We were already running the agent for AD logins, so it was a pretty simple solution.
See this KB. It's actually based on Aruba logs, so you can follow it just about verbatim.
06-15-2016 09:03 AM
config > logging >
ip = x.x.x.x (where the agent is setup)
category = user
logging facility = localx
severity = all
Pretty simple actually. On the agent side, we had to poke holes in the host-based firewall on the server(s).
06-21-2016 03:35 AM - edited 06-21-2016 03:43 AM
That worked (the last step was to change "Logging Levels" > "User Logs" to "notifications"; "warnings" only sends failed login logs).
I also managed to get our Instant APs working perfectly in the same manner, but my PAN User-ID Agent needed different syntaxes, like in the attached pic.
Also, I eventually managed to get the Palo Alto and Aruba native integration working, after also spending hours with Aruba TAC on the line with no outcome.
For someone out there this might help, but to tell you the truth, the syslog setup is EASY and you can specify the default domain in the PAN UID Agent, but on the native integration, if you don't specify your domain when authenticating to the Wi-Fi, Palo Alto won't map you to a security group.
Follow this guide; I have some of the steps listed below as well: http://www.arubanetworks.com/pdf/partners/SG_PaloA
- Create Admin account on your Palo Alto
- allow https (and user-id) on your Management Interface if that's what you are going to use.
- create a DNS record to point to your Palo Alto IP address, e.g. pan.yourdomain.com
- now the trouble starts with the certificates. You should have a CA-signed certificate.
- on your Palo Alto go to "Device" > "Setup" > "Management" > "General Settings" and create an SSL/TLS Service Profile with your CA cert.
- Now you should be able to access your Palo Alto via the DNS name on https://pan.yourdomain.com without getting a certificate error. This is KEY! If you get a cert error, don't go any further; try and get this to work first. See the attached PAN Certs picture to see what our certs look like.
- If your cert is signed by a default trusted CA like ours ("GlobalSign_Root_CA"), that CA certificate needs to be uploaded to your local controllers.
- On your Palo Alto go to "Device" > "Certificates" > "Default Trusted Certificate Authorities" and export the certificate, e.g. in our case the "GlobalSign_Root_CA".
- This certificate you import into the Aruba controller (this is why most people get the (Fatal, unknown CA) in a Wireshark capture!). I also uploaded my company's cert, the one attached in the pic, to the Aruba controller, just in case.
- All you need now is to activate the PAN integration tick boxes and server setup as per the guide and your PAN state will now be up.
Like I said, syslog is easier and WAY faster to manage/setup.
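The syslog workaround described in this thread boils down to the User-ID agent extracting a username and client IP from each controller user-log line. The script below is an added illustration of that prefix/delimiter parsing (it is not the agent's code and not from any poster); the sample lines are constructed in the shape of Aruba authmgr user logs, the field names of the parse profile are assumptions, and it shows why only successful authentications (the "notifications" level) should ever create a mapping.

```python
import re
from dataclasses import dataclass
from typing import Dict

@dataclass
class SyslogParseProfile:
    """Prefix/delimiter parse profile (field names assumed, modelled on the agent's custom syslog parsing)."""
    event_regex: str        # only lines matching this are treated as login events
    username_prefix: str
    username_delimiter: str
    address_prefix: str
    address_delimiter: str
    default_domain: str     # prepended when the user logged in without a domain

# Constructed sample lines in the shape of Aruba authmgr user logs (assumption,
# not captured from a real controller). The WARN line is a failed login.
SAMPLE_SYSLOG = """\
<143>Jun 21 09:14:02 wlc01 authmgr[3171]: <522008> <NOTI> <wlc01 10.0.0.5>  User Authentication Successful: username=jdoe MAC=00:11:22:33:44:55 IP=10.20.30.40 role=employee VLAN=120 SSID=corp
<140>Jun 21 09:14:09 wlc01 authmgr[3171]: <522006> <WARN> <wlc01 10.0.0.5>  User Authentication Failed: username=mallory MAC=00:11:22:33:44:66 IP=10.20.30.41 reason=Bad Password
<143>Jun 21 09:15:30 wlc01 authmgr[3171]: <522008> <NOTI> <wlc01 10.0.0.5>  User Authentication Successful: username=CORP\\asmith MAC=00:11:22:33:44:77 IP=10.20.30.42 role=employee VLAN=120 SSID=corp
"""

def _field(line: str, prefix: str, delim: str) -> str:
    """Return the text between the first occurrence of prefix and the next delimiter."""
    start = line.index(prefix) + len(prefix)   # ValueError if the prefix is absent
    end = line.find(delim, start)
    return line[start:] if end == -1 else line[start:end]

def parse_user_mappings(syslog: str, profile: SyslogParseProfile) -> Dict[str, str]:
    """Map client IP -> DOMAIN\\user, built from successful authentications only."""
    event = re.compile(profile.event_regex)
    mappings: Dict[str, str] = {}
    for line in syslog.splitlines():
        if not event.search(line):
            continue   # failed logins and unrelated messages never create a mapping
        try:
            user = _field(line, profile.username_prefix, profile.username_delimiter)
            ip = _field(line, profile.address_prefix, profile.address_delimiter)
        except ValueError:
            continue   # expected field missing: skip rather than map a partial record
        if "\\" not in user:   # mirror the agent's default-domain option
            user = f"{profile.default_domain}\\{user}"
        mappings[ip] = user
    return mappings

ARUBA_PROFILE = SyslogParseProfile(
    event_regex=r"User Authentication Successful",
    username_prefix="username=", username_delimiter=" ",
    address_prefix="IP=", address_delimiter=" ",
    default_domain="CORP",
)

if __name__ == "__main__":
    for ip, user in parse_user_mappings(SAMPLE_SYSLOG, ARUBA_PROFILE).items():
        print(f"{ip} -> {user}")
```

Pointing the event regex at failure messages as well would map the IP of a client that never authenticated, which is the mistake the "warnings" logging level invites.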