Good morning,
I have a problem with Palo Alto > ClearPass integration for incident response.
Basically, what I need is to move a user to quarantine when they receive a Palo Alto event type called "vulnerability" (Event: PANW-Threat: panw_subtype = vulnerability).
Every RADIUS configuration with a Cisco switch is OK; the posture works correctly on machines with an OnGuard agent installed.
In Palo Alto we configured ClearPass as an external Syslog; the attributes were mapped using the attached list "PANW.txt".
ClearPass already receives Syslog events; in the test, when a user tries to access a website classified as medium risk (Eicar), Palo Alto sends the information to ClearPass.
------------------------------
D�niel Cabral
------------------------------