Security

last person joined: an hour ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

UPDATED - ClearPass 6.5 and Palo-Alto Networks Integration TechNote V5

  • 1.  UPDATED - ClearPass 6.5 and Palo-Alto Networks Integration TechNote V5

    Posted May 28, 2015 07:08 PM

    Teams,

    I’ve completed a fairly large re-write of the ClearPass 6.5 and Palo Alto Networks integration Guide. There is a large amount of new content and specifically covers 6.5 enforcement changes (Session Notification now NOT Session restriction), updates to TAGS/DAO’s, Updates to the real-time post-auth framework and a section on Posture/Health Integration.

     

    You can find the document on the support site here..... https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=17560

     

    Happy reading – go fill your boots..!!….. comments and feedback/suggestions graciously accepted.

     



  • 2.  RE: UPDATED - ClearPass 6.5 and Palo-Alto Networks Integration TechNote V5

    Posted Aug 26, 2015 09:06 PM

    Danny,

     

    Thank you for this guide, it was very straight forward in getting everything setup. I did run across a pain point that took me quite some time to figure out. It may seem silly, but the controllers need to be configured to use clearpass as their RADIUS acounting server, not just for authentication.

     

    I have a fairly complex environment, which means there are approximately ~70 enforcement policy rules which could be applied (on just the wireless side.) Rather than add the enforcement profiles to each policy rule, is there an easier way I could apply this universally? Ideally we'd like every device that touches clearpass to end up in the Palo's purview.

     

    Sean



  • 3.  RE: UPDATED - ClearPass 6.5 and Palo-Alto Networks Integration TechNote V5

    Posted Aug 26, 2015 09:09 PM

    As of today, it has to be applied to each enforcement rule.

     

    There is an open feature request to have enforcement policy global enforcement profiles that apply to every rule.



  • 4.  RE: UPDATED - ClearPass 6.5 and Palo-Alto Networks Integration TechNote V5

    Posted Feb 03, 2016 08:06 AM

    Hello!!

     

    I'm trying to integrate my CPPM v6.5 with a PA-3020 v7.0.1

    I follow all steps in guide ClearPass and PANW Integration TechNote (V5 May 2015) but I can't see any logged user in PA with the command show user ip-user-mapping all

    I have a service with 802.1x wired with an enforcement policy that do two things, a change of vlan and PAN-update-node. The authentiation is with an Active Directory. The change of vlan is working, and in access tracker i can see both enforcement profiles.... but no data is in firewall

    Any idea???

     

    Thanks!

    Regards

    Miguel

     

     

     

     



  • 5.  RE: UPDATED - ClearPass 6.5 and Palo-Alto Networks Integration TechNote V5

    Posted Feb 09, 2016 10:08 AM

    What is the switch that users are connected to? Do you have RADIUS accounting and interim accounting turn on?



  • 6.  RE: UPDATED - ClearPass 6.5 and Palo-Alto Networks Integration TechNote V5

    Posted Feb 24, 2016 05:36 AM

    Hello

     

    Finally, the problem was the PaloAlto version 7.0.1. This version has a bug with XML API and is resolve in 7.0.2. I update my firewall and now is working

    Thanks to all participates, I hope this can help you

    Regards

    Miguel



  • 7.  RE: UPDATED - ClearPass 6.5 and Palo-Alto Networks Integration TechNote V5

    Posted Apr 11, 2016 08:09 PM

    This V5 is still gospel and the latest ?



  • 8.  RE: UPDATED - ClearPass 6.5 and Palo-Alto Networks Integration TechNote V5

    Posted Apr 11, 2016 08:59 PM

    Yes - I've not updated the CPPM/PANW TechNote past the published V5.



  • 9.  RE: UPDATED - ClearPass 6.5 and Palo-Alto Networks Integration TechNote V5

    Posted Sep 12, 2016 04:46 PM

    I'm attempting to get this integration working with CPPM 6.5.5.78974 and PanOS 7.1.4h2. 

     

    I have gone through your guide however I'm still not seeing anything in the postauthctrl.log to indicate that it is trying to send data. I'm not sure what information anyone would need to help me track down the disconnect, please let me know.

     

    Thank you,

    Jim



  • 10.  RE: UPDATED - ClearPass 6.5 and Palo-Alto Networks Integration TechNote V5

    Posted Sep 14, 2016 12:32 AM

    a basic Q for U. Within access-tracker do your sessions show an Accounting TAB, i.e. the devices have an IP address?



  • 11.  RE: UPDATED - ClearPass 6.5 and Palo-Alto Networks Integration TechNote V5

    Posted Sep 14, 2016 01:43 PM

    Yes, I am seeing an Accounting tab. I have also matched up my session to verify that the IP is under the 'Framed IP Address' field.



  • 12.  RE: UPDATED - ClearPass 6.5 and Palo-Alto Networks Integration TechNote V5

    Posted Sep 15, 2016 03:27 PM

    Jim,

     

    Thanks for confirming that. So, next Q- within AT for an authN session, do you see the on the OUTPUT TAB session-notify for your PANW, something like the below?

    ClearPass_Policy_Manager_-_Aruba_Networks.jpg

     

     



  • 13.  RE: UPDATED - ClearPass 6.5 and Palo-Alto Networks Integration TechNote V5

    Posted Sep 15, 2016 03:31 PM

    I do not see that in the Output. When I attempted to create the 'Trigger' from the document I do not see 'IP-Address-Change-Notification' as an option in enforcement profiles 'Session Restrictions Enforcement' template.Screen Shot 2016-09-15 at 1.55.28 PM.png



  • 14.  RE: UPDATED - ClearPass 6.5 and Palo-Alto Networks Integration TechNote V5

    Posted Sep 15, 2016 04:10 PM

    Jim,

     R U using the latest version if the technote?

     

    V5?

     

    ClearPass 6.X and PANW Integration V5

     

     

    On page19.... is where you need to be to get this sorted , I think.



  • 15.  RE: UPDATED - ClearPass 6.5 and Palo-Alto Networks Integration TechNote V5

    Posted Sep 15, 2016 04:21 PM

    Thank you. I am using the latest version of the document, I just don't have the IP-Address-Change-Notification as a drop down item for the step on page 20.



  • 16.  RE: UPDATED - ClearPass 6.5 and Palo-Alto Networks Integration TechNote V5

    Posted Sep 15, 2016 04:25 PM

    Cool - hopefully, you're on the right track now and will be sorted soon :)

     

    Jump back on this thread if you have an issue going forward.



  • 17.  RE: UPDATED - ClearPass 6.5 and Palo-Alto Networks Integration TechNote V5

    Posted Sep 15, 2016 04:33 PM

    Any idea how to get 'IP-Address-Change-Notification' as an option to choose from?



  • 18.  RE: UPDATED - ClearPass 6.5 and Palo-Alto Networks Integration TechNote V5

    Posted Sep 15, 2016 05:19 PM

    you don't use that in 6.5 and later, use what's detailed in the technote.....



  • 19.  RE: UPDATED - ClearPass 6.5 and Palo-Alto Networks Integration TechNote V5

    Posted Nov 15, 2016 07:09 PM

    Hi Everyone,

    I am trying to intergrate clearpass with Palo alto using xlampi, all was going well however i struck a problem

    In clearpass i have two types of users that are autheticating, domain joined machines (which authenticate using "compute authentication" and i also have byod users that authenticate using user based ad authetication.

    so when a byod users authenticates with his ad credentials against clear pass and this is passed through to Palo alto all is good .  Ihave a xlampi mapping of user and IP.

     

    However when a user authenticates against Clearpass as a domain machine ,I now have a xmlapi mapping of ip and computer name . and considering my palo alto policies are user based policies user cant get internet.

     

    I do have uia in play which works well for domain machines, but i have the problem when both are in play sometimes the xmlapi mapping from clearpass overides the uia mapping.

     

    Hope that makes sense

    Kind Regards

    Paul

    My thought was to set a ignore list  as all computers that get authenticated via xmlapi appear domain\computername$

     

    show user ip-user-mapping all | match $

    it returns 1026 results so using set vsys vsys1 user-id-collector ignore-user domain\*$    ?

    however this brings all users back will ignore 1026

     

    and thats were i am stuck.



  • 20.  RE: UPDATED - ClearPass 6.5 and Palo-Alto Networks Integration TechNote V5

    Posted Oct 20, 2016 09:37 AM

    We are running two PA firewalls in HA. Do we need to send CPPM updates to both firewalls, or will this be exchanged between the two HA partners?



  • 21.  RE: UPDATED - ClearPass 6.5 and Palo-Alto Networks Integration TechNote V5

    Posted Nov 11, 2016 02:43 PM

    I have CPPM 6.5

    Two PANs

    2050 @ pan6.1xx

    3020 @ pan7.1.5

     

    I am trying to utilize tags and dynamic address groups to filter on the basic profile fingerprint attributes I see without using GlobalProtect and hip.

     

    I am just using my CPPM for guest network access and nothing else so I just need to determine if the user authenticated through the CPPM and nothing more to apply PAN filtering. I actually use another device from Intelligo to manage my secure network using a PAN syslog listener 

     

    My cppm is successfully passing domain\username to my two PANs and is being mapped correctly but when I further inspect my ip-user-mapping for a XMLAPI connection I only see the domain\username (email address) the guest user logged in as.

    Under groups this user belongs to, it is empty. There is no additional profile info.

     

    I've created my device name tags and my address groups on the PANs and have tired using  '_' for spaces and without in the PAN Tag name field.

     

    I've followed the directions for 6.5 using pdf v5. Everything looks right.

    The fact I'm getting the same results on each of my PANs leads me to believe there is a missing step somewhere.

     



  • 22.  RE: UPDATED - ClearPass 6.5 and Palo-Alto Networks Integration TechNote V5

    Posted Jan 11, 2017 08:42 PM

    On CPPM 6.6.x, is HIP endpoint data supposed to be sent even when GlobalProtect Enabled is unchecked on the Endpoint Context Server PANW configuration? If yes, is there a way to stop this behavior? I have it unchecked and am getting HIP updates which are maxing out PANW DAO limits.



  • 23.  RE: UPDATED - ClearPass 6.5 and Palo-Alto Networks Integration TechNote V5

    Posted Apr 13, 2017 04:47 PM

    Danny thanks for the great guide, it has a lot of information. I've got it setup to the point that on CPPM I'm seeing in my output the updates being listed for each of my firewalls

     

    I also have the same question as above about the HA firewalls, for now I've decided to send to both units in case the HA pair isn't syncing information given from the XML API

     

    (I had a couple other problems and as of writing this update I realized my problem was my predecessor had put an ACL on the interface [on top of the security policies for the zone] and this was keeping my https connections from getting past 264 bytes, hopefully if anyone else goes through the setup and hits the same wall this might help them)

     



  • 24.  RE: UPDATED - ClearPass 6.5 and Palo-Alto Networks Integration TechNote V5

    Posted May 26, 2017 09:07 AM

    Trying to download the aforementioned Integration guide

    But its metainformation is showing up on the documentation page as "Deleted    Yes"

    And cant download or email it

     

    Is this still available ?

    Many thanks, Jon

     



  • 25.  RE: UPDATED - ClearPass 6.5 and Palo-Alto Networks Integration TechNote V5

    Posted May 26, 2017 09:24 AM


  • 26.  RE: UPDATED - ClearPass 6.5 and Palo-Alto Networks Integration TechNote V5

    Posted May 26, 2017 10:01 AM

    Much many thanks



  • 27.  RE: UPDATED - ClearPass 6.5 and Palo-Alto Networks Integration TechNote V5

    Posted May 26, 2017 10:06 AM
    < thumbs up >


  • 28.  RE: UPDATED - ClearPass 6.5 and Palo-Alto Networks Integration TechNote V5

    Posted May 26, 2017 02:54 PM

    I"ve just this week removed V5 with a V6 update. Let me know how my new guide goes for you and any feedback you have good or bad :)

     

    Happy Reading :)



  • 29.  RE: UPDATED - ClearPass 6.5 and Palo-Alto Networks Integration TechNote V5

    Posted Jun 15, 2017 02:37 PM

    I had issues getting to the original link:

    https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=17560

     

    The following URL is to the same document:

    https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/EntryId/17560/Default.aspx

     

    However, it appears to be marked as deleted.

    Hope that helps anyone who had the same issues that I did.



  • 30.  RE: UPDATED - ClearPass 6.5 and Palo-Alto Networks Integration TechNote V5

    Posted Feb 06, 2018 06:33 PM
      |   view attached

    Hi Everyone,

     

    I followed this guide around a year ago and succesfully had everthing working well .

    However a short while ago i upgraded both the PA 3060 firewall to 7.1.14

    and my cluster of CPPM to 6.7.0.101814 and now for what ever reason the exchange of xmlapi data between cppm and Palo is not adding the domain prefix to the user , which causes Palo Alto to not recognise the user.

     

     

    I have looked  more than a few times at the username Transformation box and selected/deslect Prefix NETBIOS name

    tried use Full username 

    however still CPPM is only passing the name without a prefix .

     

    Any suggestions please.

     

    Many thanks in advance.