Security


Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

PAN <-> CPPM Integration - Enforcement Profiles/Groups

  • 1.  PAN <-> CPPM Integration - Enforcement Profiles/Groups

    Posted Jan 17, 2019 01:34 PM

    Hello,

    I had an interesting request crop up from a customer. They would like to use ClearPass and Palo Alto Panorama to centralize their security policy enforcements. They are using Palo Alto firewalls for their layer 3 boundaries / VLAN termination at all sites globally.

    Currently, we're passing CPPM enforcements and Aruba roles on the wireless side to manage security and VLAN enforcements for wired. The theory is that all this could be done in PA.

    From what I can tell from the integration guide, CPPM will natively pass user roles but not enforcement "roles" or groups. I'm wondering if there might be a way to sort users into custom groups as part of policy enforcements using PA's XML API to achieve the desired goals? This seems like it should be possible. Something along the lines of manually passing certain pre-defined tags should work, just not the automated role mappings.

    Does anyone have any suggestions on this? May open a TAC case but thought I'd reach out to the community first. Role mappings are helpful but don't get to 100% when we leverage additional logic in CPPM enforcements. Also, I think this would be a great feature request!

    Thanks in advance!



  • 2.  RE: PAN <-> CPPM Integration - Enforcement Profiles/Groups

    Posted Jan 21, 2019 02:01 PM

    @dannyjump, can you offer any insight on this?



  • 3.  RE: PAN <-> CPPM Integration - Enforcement Profiles/Groups

    Posted Jan 23, 2019 09:29 PM

    Just giving this another nudge :)



  • 4.  RE: PAN <-> CPPM Integration - Enforcement Profiles/Groups

    Posted Jan 27, 2019 03:21 AM

    Regan,

    I am a little confused here with this statement:

    "From what I can tell from the integration guide, CPPM will natively pass user roles but not enforcement "roles" or groups."

    Using the integration we can pass or send Roles from ClearPass that are mapped to DAGs/Tags on Palo Alto. Could you give an example of what change you are specifically looking for and why?

    - Arpit



  • 5.  RE: PAN <-> CPPM Integration - Enforcement Profiles/Groups
    Best Answer

    Posted Jan 27, 2019 01:23 PM

    I actually reached out to the Aruba product engineering team on this directly. I didn't know if there were any custom attributes that could be passed at the time of enforcement to capture CPPM's enforcement logic and not just the role mappings.

    It also seems that there's no way to change or add a role at the time of enforcement, so according to the official integration guide, I'm limited to the and/or logic in Palo Alto's address groups.
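    To make the role-to-tag mapping from post 4 and the and/or address-group logic from post 5 concrete, here is an added example (not code from this thread, Aruba or Palo Alto). It assumes the PAN-OS User-ID `register` message layout; the endpoint IPs, tag names and DAG match expressions are constructed sample data.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample data: the ClearPass roles that CPPM would push to PAN-OS as tags.
ENDPOINTS = {"10.1.20.15": ["Employee", "Device-Corp-Laptop"],
             "10.1.20.99": ["Contractor", "Device-BYOD"]}
# Constructed dynamic address groups whose match criteria combine those tags.
DAGS = {"DAG-Corp-Full-Access": "'Employee' and 'Device-Corp-Laptop'",
        "DAG-Restricted": "'Contractor' or ('Employee' and 'Device-BYOD')"}

def uid_register_xml(ip, tags):
    # Build a PAN-OS User-ID 'register' message (format assumed) that attaches tags to an IP.
    msg = ET.Element("uid-message")
    ET.SubElement(msg, "version").text = "1.0"
    ET.SubElement(msg, "type").text = "update"
    register = ET.SubElement(ET.SubElement(msg, "payload"), "register")
    tag = ET.SubElement(ET.SubElement(register, "entry", ip=ip), "tag")
    for t in tags:
        ET.SubElement(tag, "member").text = t
    return ET.tostring(msg, encoding="unicode")

def dag_matches(match_expr, tags):
    # Evaluate a DAG match expression (and / or / not / parentheses, quoted or bare tags).
    toks = re.findall(r"\(|\)|\band\b|\bor\b|\bnot\b|'[^']*'|[^\s()]+", match_expr)
    def atom():
        t = toks.pop(0)
        if t == "(":
            v = expr_or()
            toks.pop(0)  # the closing ')'
            return v
        if t == "not":
            return not atom()
        return t.strip("'") in tags
    def expr_and():
        v = atom()
        while toks and toks[0] == "and":
            toks.pop(0)
            v = atom() and v  # parse the right operand before combining
        return v
    def expr_or():
        v = expr_and()
        while toks and toks[0] == "or":
            toks.pop(0)
            v = expr_and() or v
        return v
    return expr_or()

def groups_for(ip):
    # Which DAGs, and therefore which PAN security rules, this IP currently lands in.
    return sorted(n for n, e in DAGS.items() if dag_matches(e, set(ENDPOINTS[ip])))
```

    Because a DAG's membership is only a boolean over the tags an IP carries, extra CPPM enforcement logic has to be encoded as additional roles (tags) before the register message is sent; the evaluator above shows exactly which combinations the firewall side can express.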



  • 6.  RE: PAN <-> CPPM Integration - Enforcement Profiles/Groups

    Posted Jun 21, 2019 05:45 PM

    Curious if you ever found a way to enforce a user role/user group on Palo Alto with attributes sent back by ClearPass. I reached out to Palo Alto about this and they didn't have any ideas on attributes that could do this. I am looking at this document trying to decipher hieroglyphics, but maybe someone with more know-how could figure it out.

    Palo Alto Networks Knowledgebase: How to Configure User-Group Based VPN Authentication Using Secure RSA

    My situation is that GlobalProtect is configured with RADIUS authentication. It either allows or disallows, which is fine for now. However, if I would like to give contractors or regular users VPN access, I would like to cordon off some sections of the network just in case. It looks like Palo will take LDAP strings/groups and then you can configure your policy around the LDAP strings. There is a setting in Palo to import RADIUS groups, but that is as close as I got to it. Thanks if anyone can figure it out.