I've followed all of the steps to set up PAN integration, but don't see the Aruba controller logging into my Palo Alto firewall (or even trying).
I did the following:
1. created PAN server profile.
2. activated the profile
3. enabled 'PAN Firewall Integration' in my AAA profiles.
On the firewall side, I created a super user admin account.
Did I miss anything? If not, are there any commands on the Aruba to troubleshoot what might be happening? I don't see anything in the logs related to PAN except for the config commands from when I added the config.
Never mind. Found it:
(hostname) # show pan ?
active-profile    Active PAN profile
debug             Show PAN debug information
profile           Palo Alto Networks Servers profile
state             Show PAN Interface connection state
statistics        Show PAN Interface Statistics
So my PA firewalls show as down, but I can ping them just fine and traceroute in both directions shows the correct path. I can also log into them via the browser with the account I created.
Is there anywhere to get more details on why they show as 'down'?
Looking at a packet capture, on the SSL setup, the server eventually sends a 'fatal / handshake error' at the end of the negotiation - after the controller sends its cert, client key exchange, change cipher, and encrypted handshake message.
It was a server cert issue since I used the firewall's IP rather than hostname. I changed it to hostname and now it's up - except all user-ID requests are 'skipped' still.
And I don't see any logins on my PA firewalls.
Did you ever get this right? I have the same issue. Loaded certificates, etc., etc., but still no joy.
Could you help?
I never got it working that way and Aruba & Palo Alto support just ran me around in circles for weeks. What we ended up doing was sending user events from our controllers (via syslog) to a server running the Palo Alto user agent. On the Palo Alto user agent, we parsed the syslog messages to map the info to the correct fields, then the Palo Alto pulls the info from the agent. We were already running the agent for AD logins, so it was a pretty simple solution.
See this KB. It's actually based on Aruba logs, so you can follow it just about verbatim.
Thanks. Just another question: what does your logging look like on the Aruba controller? I seem to get all logs except what I need.
config > logging >
ip = x.x.x.x (where the agent is setup)
category = user
logging facility = localx
severity = all
Pretty simple actually. On the agent side, we had to poke holes in the host-based firewall on the server(s).
That worked (last step was to change the "Logging Levels" > "User Logs" to "notifications"; "warnings" only sends failed login logs).
I also managed to get our Instant APs working perfectly in the same manner, but my PAN User-ID Agent needed different syntaxes, like the attached pic.
Also, I eventually managed to get the Palo Alto and Aruba native integration working, after also spending hours with Aruba TAC on the line with no outcome.
For someone out there this might help, but to tell you the truth, the syslog setup is EASY and you can specify the default domain in the PAN UID Agent, but on the native integration, if you don't specify your domain when authenticating to the Wi-Fi, Palo Alto won't map you to a security group.
Follow this guide; I have some of the steps listed below as well: http://www.arubanetworks.com/pdf/partners/SG_PaloAltoNetworks.pdf
Like I said, syslog is easier and WAY faster to manage/setup.
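The syslog-to-agent approach described in this thread, as an added example that is not code from any poster or from the Palo Alto User-ID agent: a small Python parser that does what the agent's syslog filter does, pulling username and IP out of Aruba user-authentication messages, dropping a mapping on deauthentication, and prepending a default domain when the user authenticated without one (the group-mapping point made above). The log lines and message IDs are constructed approximations of ArubaOS output, not copied from a real controller.

```python
import re

# Constructed sample syslog lines approximating ArubaOS user-auth messages.
# The message IDs, field order and wording are assumptions; confirm against
# "show log user" on your own controller before writing agent filters.
# Note the successful login is NOTI level, which is why "warnings" alone
# (failed logins only) never produces a mapping.
SAMPLE_SYSLOG = """\
Jan 10 09:15:01 10.0.0.1 authmgr[2212]: <522008> <NOTI> <aruba-mc 10.0.0.1> User authentication successful: username=CORP\\jdoe MAC=00:11:22:aa:bb:cc IP=10.20.30.40 method=802.1x server=rad01 role=employee
Jan 10 09:15:07 10.0.0.1 authmgr[2212]: <522008> <NOTI> <aruba-mc 10.0.0.1> User authentication successful: username=asmith MAC=00:11:22:aa:bb:dd IP=10.20.30.41 method=802.1x server=rad01 role=employee
Jan 10 09:16:00 10.0.0.1 authmgr[2212]: <522275> <WARN> <aruba-mc 10.0.0.1> User authentication failed: username=bad MAC=00:11:22:aa:bb:ee IP=10.20.30.42 method=802.1x server=rad01
Jan 10 09:40:12 10.0.0.1 authmgr[2212]: <522026> <NOTI> <aruba-mc 10.0.0.1> User deauthenticated: username=asmith MAC=00:11:22:aa:bb:dd IP=10.20.30.41 reason=user_logout
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
LOGIN_RE = re.compile(
    r"User authentication successful: username=(?P<user>\S+) MAC=\S+ IP=(?P<ip>" + IPV4 + ")"
)
LOGOUT_RE = re.compile(
    r"User deauthenticated: username=(?P<user>\S+) MAC=\S+ IP=(?P<ip>" + IPV4 + ")"
)


def normalize_user(user: str, default_domain: str) -> str:
    """Return DOMAIN\\user. Users that already carry a domain (DOMAIN\\user or
    user@domain) are left alone; bare usernames get the default domain, which
    is what the agent's default-domain setting does for group lookups."""
    if "\\" in user or "@" in user:
        return user
    return f"{default_domain}\\{user}"


def build_ip_user_mapping(syslog_text: str, default_domain: str = "CORP") -> dict:
    """Replay syslog lines in order and return the resulting IP -> user table.
    Logins add or overwrite an entry for the IP; deauths remove it; failed
    logins and unrelated lines are ignored."""
    mapping: dict[str, str] = {}
    for line in syslog_text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            mapping[m["ip"]] = normalize_user(m["user"], default_domain)
            continue
        m = LOGOUT_RE.search(line)
        if m:
            mapping.pop(m["ip"], None)
    return mapping


if __name__ == "__main__":
    for ip, user in build_ip_user_mapping(SAMPLE_SYSLOG).items():
        print(f"{ip:<16} {user}")
```

Compare the table this prints with the output of show user ip-user-mapping all on the firewall to see whether the agent is parsing the same fields you expect.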
For anyone else who might run into this: our PAN integration stopped working suddenly too. I had the (Fatal, Unknown CA) in the Wireshark logs as well (note: the packet was from the Aruba controller to the Palo, TLSv1.2).
What fixed it for us was uploading a TrustedCA in PEM/x509 format with the entire chain of certificates for the Palo, including the Palo certificate added to the bottom; however, I'm not even sure if any certificate actually gets uploaded other than that top cert. This can be frustrating as I'm quite sure that certificate was already there (since it was working for years too), but at least support pointed me in the right direction and then we started throwing certs at it.
Remember that all local controllers need that same certificate uploaded individually as well. On the Palo CLI you can run show user ip-user-mapping all and look for XMLAPI entries to start filling in and no longer being mostly unknown. Also, when troubleshooting with the certificates nothing needs to be saved or reloaded; just wait a bit and it should start working.