CPPM 6.7 and Palo Alto userid integration - idle timeout setting

Dear all,


Referring to the following related discussion,

I investigated an XMLAPI user timeout setting issue.

My environment is composed of PANOS 7.1.18 and CPPM 6.7.4.


The issue was the same: the idle timeout for users injected from ClearPass (XMLAPI) inherits the default PAN user-id value (45 min) due to the missing XML "timeout" parameter from ClearPass.


That is confirmed by reviewing the default content of the PAN Endpoint Context Server Action "Send Login Info" on my CPPM:


The "timeout" parameter is missing.


I solved it by modifying the content as follows:


<uid-message><version>1.0</version><type>update</type><payload><login><entry name="%{user}" ip="%{ip}" timeout="0"/></login></payload></uid-message>


I added timeout="0" to get "never" expiration.


My question is: why is timeout missing from the predefined content action?

Based on the posts mentioned above, I would have expected this to be implemented by default in version 6.7...


Another question: I found the following parameter under Administration->Server Configuration->Server Parameters->Async Network Service:


Is this related to the topic in the subject?

I suppose so; in my opinion this could be the default timeout injected from CPPM to PAN with the post-authentication action, but as discussed it doesn't apply/work.
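
An added example, not part of the original post and not ClearPass or PAN-OS code: a Python check that parses a Context Server Action body like the one above and reports, for each login entry, whether it carries a timeout attribute. The two sample bodies are constructed from the post, the function names are hypothetical, and the timeout value is assumed to be in minutes, matching the 45 min default quoted above.

```python
import xml.etree.ElementTree as ET

# Constructed samples: a login action without the timeout attribute (the default
# content as the post describes it) and the poster's modified content.
DEFAULT_ACTION = (
    '<uid-message><version>1.0</version><type>update</type><payload><login>'
    '<entry name="%{user}" ip="%{ip}"/></login></payload></uid-message>'
)
MODIFIED_ACTION = (
    '<uid-message><version>1.0</version><type>update</type><payload><login>'
    '<entry name="%{user}" ip="%{ip}" timeout="0"/></login></payload></uid-message>'
)


def audit_login_entries(content):
    """Return one finding per <login>/<entry>: how its mapping will expire."""
    root = ET.fromstring(content)
    if root.tag != "uid-message":
        raise ValueError("not a uid-message document")
    findings = []
    for entry in root.findall("./payload/login/entry"):
        raw = entry.get("timeout")
        if raw is None:
            status = "inherits-firewall-default"  # 45 min in the post's setup
        elif not raw.strip().isdigit():
            status = "invalid"
        elif int(raw) == 0:
            status = "never-expires"              # behaviour reported in the post
        else:
            status = "explicit"
        findings.append({"name": entry.get("name"), "ip": entry.get("ip"),
                         "timeout": raw, "status": status})
    return findings


def with_timeout(content, minutes):
    """Return the content with timeout set on every login entry (assumed minutes)."""
    if minutes < 0:
        raise ValueError("timeout must be >= 0")
    root = ET.fromstring(content)
    for entry in root.findall("./payload/login/entry"):
        entry.set("timeout", str(minutes))
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for label, body in (("default", DEFAULT_ACTION), ("modified", MODIFIED_ACTION)):
        print(label, audit_login_entries(body))
```

With timeout="0" the IP-to-user mapping does not age out on its own, so `with_timeout` can set a finite value instead where logout events are not reliably sent to the firewall.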




