Security

 View Only
  • 1.  Aruba - Palo Alto integration

    Posted Apr 24, 2020 05:30 AM

    I've been looking a bit in to what an integration between Aruba and Palo Alto can give our customers. While I have found both documentations and explenations on how Clearpass integrates with Palo Alto as well as how Mobility Master/Managed Device integrates with Palo Alto.

     

    What I'm struggling a bit to understand is what conditions is there for using/choosing either method, or should they both be used for a full integration? As far as I can see things like USER-ID can be populated both via CPPM as well as MM/MD integration.

    I understand that with a two-way communication between CPPM and PA we can do policy enforcements with CoA for example when client beahviour changes.

     

    Anyone can give a quick rundown of when is only MM/MD+PA used, when to use CPPM+PA, when to use both (if ever)?

     

     



  • 2.  RE: Aruba - Palo Alto integration

    Posted Apr 25, 2020 02:02 PM

    So I'll share my perspective, if you have CPPM deployed then you'd never send context from the MM, CPPM can pass a lot more contextual info about the user and the device to PANW. You nailed the part about the return data flow as well, but IMO the BIGGEST story here is that we can use CPPM's role mapping to drive policy. Let CPPM do its 'thing' generate the role or roles for a session based upon all of the contextual data we look at for a user, device, location, ToD/DoW, compliance etc. etc. and then federate the role into the PANW as a PAN-TAG, TAG's then drive the DynamicAccessGroups in a PAN. This SO simplifies the security needed in the PANW in essence to the number of roles in CPPM, you should be able  to have a 1:1 mapping significantly simplifying your firewall security policies.

     

    Another way to look at this, UserId is typically driven of user-mapping from AD memberOf, these are STATIC mapping and as such are exactly that STATIC, they don't represent the 'session' or 'device'.... that's why I love the role integration we introduced like 2 years back.

     

    HTH

     

    One other thing we added last year was to also integrate GPVPN + OnGuard into CPPM to allow a VPN user to authN on CPPM, have OnGuard send endpoint posture then use the ROLE to then update the PAN firewall/VPN-Concentrator of the health/compliance state of the endpoint, this was only possible with the ROLE integration.

     

    HTH