Security


Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

CPPM -> PaloAlto XMLAPI UserID data resend?

  • 1.  CPPM -> PaloAlto XMLAPI UserID data resend?

    Posted Sep 11, 2018 04:05 PM

    I have configured an enforcement profile to send my Palo Alto the user's UserID and HIP data. We notice that the CPPM server resends records well after a user has left the premises. 

    To test I disabled the profile match statement so no new data would be sent and I see that CPPM continues to resend records, now several days later.

    Is this a feature or a bug? No sessions are still active, and no event has matched the enforcement profile in 6 days, yet I'm still getting new XMLapi connections on the PA firewall.

    How do I make ClearPass stop sending?



  • 2.  RE: CPPM -> PaloAlto XMLAPI UserID data resend?

    Posted Sep 11, 2018 04:09 PM
    It should only be sent on accounting changes. Please open a TAC case.


  • 3.  RE: CPPM -> PaloAlto XMLAPI UserID data resend?

    Posted Sep 11, 2018 05:13 PM

    Calling now.



  • 4.  RE: CPPM -> PaloAlto XMLAPI UserID data resend?

    Posted Sep 21, 2018 12:18 PM

    TAC reports that this is a "known bug" and I'm now (im)patiently waiting for word on a fix.



  • 5.  RE: CPPM -> PaloAlto XMLAPI UserID data resend?

    Posted Jul 17, 2019 10:15 AM

    Any updates on this? We noticed this behaviour in our environment as well. I could not find any hints on a known bug in the release notes. IMHO the Palo Alto context server option is not usable like that. ClearPass also keeps sending the API request if the context server is deleted. That must be a bug. Timeout settings also do not seem to work.



  • 6.  RE: CPPM -> PaloAlto XMLAPI UserID data resend?

    Posted Jul 17, 2019 06:21 PM

    I'm sorry I let this thread go without updating.

    The next patch fixed the issue and we haven't seen it again.

     

    I can't tell you exactly which version it was that fixed it, but we patch within a few days of each release.



  • 7.  RE: CPPM -> PaloAlto XMLAPI UserID data resend?

    Posted Jul 18, 2019 03:38 AM

    That's strange because we are on 6.8.0, update to latest 6.8.1 is pending. I think I will give the latest version a try and contact TAC otherwise. For now we disabled the API access on PAN site because ClearPass doesn't stop sending requests.



  • 8.  RE: CPPM -> PaloAlto XMLAPI UserID data resend?
    Best Answer

    Posted Aug 15, 2019 04:38 AM

    Recently had a TAC case, turned out that it is a known bug again. But there exists a workaround:

    • Under Cluster-Wide Parameters General Tab set Post-Auth v2 to ENABLED
    • then restart Async network service on all machines

    That fixed it for me.



  • 9.  RE: CPPM -> PaloAlto XMLAPI UserID data resend?

    Posted Dec 23, 2020 01:20 PM

    Thanks, we recently turned this feature back on and I was seeing the returned bug (CPPM version 6.9.3.x) and am now trying the work-around.



    ------------------------------
    --Matthew

    If I have in some way helped, please click the KUDOS button
    ------------------------------



  • 10.  RE: CPPM -> PaloAlto XMLAPI UserID data resend?

    Posted Dec 23, 2020 02:30 PM

    Nope - still continuing to update stale records. Heading to TAC.



    ------------------------------
    --Matthew

    If I have in some way helped, please click the KUDOS button
    ------------------------------



  • 11.  RE: CPPM -> PaloAlto XMLAPI UserID data resend?

    Posted 4 days ago
    Hi Matthew,

    Did you get any further with that? We noticed this behaviour as well after upgrading to CPPM 6.9.3. Stale entries are resent irregularly and generate wrong user-ids, which really is a security issue.

    Post-Auth v2 should be the default now. Seems there is currently no workaround available.

    Regards

    Edit: Maybe it is related to CP‑31417:
    ClearPass leaves stale entries when a client roams from one ClearPass server to another.
    
    In a cluster environment where the user first authenticated on one ClearPass server and later authenticated on a different ClearPass server, ClearPass might leave a stale entry in a Palo Alto Networks (PANW) server.
    
    Workaround: If you use a load balancer to load-balance ClearPass RADIUS traffic, configure a load balancing algorithm that maintains connection persistence based on a RADIUS username.


    ------------------------------
    Daniel
    ------------------------------