Ciao,
at the and I did it. I used Ingress Events to match the login and logout and I used an enforcement via HTTP Generic API.
1) I configured Paloalto to send via syslog just two event login and logout;
2) I configured Ingress Events to match and I extracted the user and IP address released by Global protect;
3) I created two Endpoint Context Server Actions to send XML API (Register and Unregister) Dynamic Address Group.
4) At the end I created the enforcememnt profile.
When the user login CPPM sends the enforcement DAG Register API (I attached either to the user's RADIUS authenticartion Enforcement and to Ingress Event). The first one is more reactive than the second one. When the user logoff, the Ingress Event sends the UnRegister API.
Thanks to the Aruba Community and to ClearPass Product!
I'm going writing a document regarding the configuration.