
Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

Clearpass - Palo Alto Role Update timeout Value

  • 1.  Clearpass - Palo Alto Role Update timeout Value

    Posted Jan 24, 2022 05:43 PM
    Hello All
    I am using ClearPass Palo Alto API Integration (using Native Context server) to pass on HIP objects and Role information (as tags) to Palo Alto.
    While passing roles I see the 2 issues below:
    1 - The role name gets attached as a Tag in Palo Alto with a no-expire timeout value
    2 - If the IP is acquired by a new device and ClearPass sends the role to PA, the role info gets appended to the existing Tag. The Tag doesn't get updated

    FYI, I have updated the "Palo Alto User Identification Timeout" value under server configuration to 120 minutes.
    Is there anything I need to do to rectify this?

    Deepak Mohan

  • 2.  RE: Clearpass - Palo Alto Role Update timeout Value

    Posted Jan 25, 2022 05:00 AM
    Are you on a recent ClearPass version? Asking because some aspects of the Palo Alto integration are updated in newer ClearPass versions.

    If you are on a recent version of ClearPass, please double-check with the Palo Alto Integration guide from, if that doesn't help it may be best to open a support case.

    Herman Robers
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

  • 3.  RE: Clearpass - Palo Alto Role Update timeout Value

    Posted Jan 31, 2022 01:44 PM
    You can add timeout to the URL:

    For the issue with the role getting appended to the existing tag, ideally there should be a logout for the previous entry, assuming no duplicate IPs. Please open a TAC ticket.

    Mathew George