Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

CPPM 6.7 and Palo Alto userid integration - idle timeout setting

  • 1.  CPPM 6.7 and Palo Alto userid integration - idle timeout setting

    Posted Jul 18, 2018 11:20 AM

    Dear all,

    referring to the following related discussions,


    https://community.arubanetworks.com/t5/Security/Clearpass-Palo-Alto-integration-pan-OS-7-1-5-xmlapi-user-timeout/td-p/278098


    http://community.arubanetworks.com/t5/Wireless-Access/Palo-Alto-integration-ClearPass-vs-controller/td-p/311933

    I investigated an XML API user timeout setting issue.

    My environment is composed of PANOS 7.1.18 and CPPM 6.7.4.

    The issue was the same: the idle timeout for users injected from ClearPass (XML API) inherits the default PAN User-ID value (45 min) because the XML "timeout" parameter is missing from ClearPass.


    That is confirmed by reviewing the default content of the PAN Endpoint Context Server Action "Send Login Info" on my CPPM:

    [image: default-action.jpg]

    The "timeout" parameter is missing.


    I solved it by modifying the content as follows:

    <uid-message>
      <version>1.0</version>
      <type>update</type>
      <payload>
        <login>
          <entry name="%{user}" ip="%{ip}" timeout="0"/>
        </login>
      </payload>
    </uid-message>

    I added timeout="0" to get "never" expiration.


    My question is: why is timeout missing from the predefined content action?

    Based on the posts mentioned above, I would have expected this to be implemented by default in version 6.7...


    Another question: I found the following parameter under Administration->Server Configuration->Server Parameters->Async Network Service:

    [image: immagine.png]

    Is this related to the topic in question?

    I suppose so; in my opinion this could be the default timeout injected from CPPM to PAN with the post-authentication action, but as discussed it doesn't apply/work.


    thanks

    Andrea
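The message the post edits is a PAN-OS User-ID XML API "uid-message". As an added example (not code from the post, from ClearPass or from Palo Alto Networks), the script below audits a uid-message for login entries that carry no timeout attribute, adds one where it is missing, and prepares the query parameters for the XML API call. The DEFAULT_LOGIN_TEMPLATE string is a constructed copy of the default "Send Login Info" content described in the post; the %{user}/%{ip} substitution in render() is an assumed stand-in for ClearPass's own attribute substitution, and the api_key value is a placeholder.

```python
"""Added example: build and audit PAN-OS User-ID XML API login messages.

Not code from the forum post, ClearPass or PAN-OS. The template below is a
constructed copy of the "Send Login Info" content quoted in the post; the
%{user}/%{ip} substitution is a stand-in for what ClearPass does itself.
"""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed copy of the default "Send Login Info" action content (no timeout attribute).
DEFAULT_LOGIN_TEMPLATE = (
    '<uid-message><version>1.0</version><type>update</type>'
    '<payload><login><entry name="%{user}" ip="%{ip}"/></login></payload></uid-message>'
)


def login_entries(uid_message: str) -> list:
    """Return the <entry> elements under <payload><login> of a uid-message."""
    root = ET.fromstring(uid_message)
    if root.tag != "uid-message":
        raise ValueError(f"not a uid-message: <{root.tag}>")
    return root.findall("./payload/login/entry")


def entries_missing_timeout(uid_message: str) -> list:
    """List (name, ip) of login entries that carry no explicit timeout.

    Such entries fall back to the firewall's own User-ID timeout (45 min by
    default), which is exactly the behaviour the post describes.
    """
    return [(e.get("name"), e.get("ip"))
            for e in login_entries(uid_message) if e.get("timeout") is None]


def with_timeout(uid_message: str, minutes: int) -> str:
    """Return a copy of the message with timeout=<minutes> on every login
    entry that lacks one. PAN-OS treats 0 as "never expire"; entries that
    already specify a timeout are left untouched."""
    if minutes < 0:
        raise ValueError("timeout must be 0 (never) or a positive number of minutes")
    root = ET.fromstring(uid_message)
    for entry in root.findall("./payload/login/entry"):
        if entry.get("timeout") is None:
            entry.set("timeout", str(minutes))
    return ET.tostring(root, encoding="unicode")


def render(template: str, user: str, ip: str) -> str:
    """Substitute the ClearPass-style %{user} and %{ip} tokens (assumed
    stand-in for ClearPass's attribute substitution). Values are XML-escaped,
    including double quotes, because they land inside attribute values."""
    entities = {'"': "&quot;"}
    return (template.replace("%{user}", escape(user, entities))
                    .replace("%{ip}", escape(ip, entities)))


def api_params(uid_message: str, api_key: str) -> dict:
    """Query parameters for a PAN-OS XML API User-ID call
    (type=user-id, cmd=<uid-message>), to be POSTed to https://<firewall>/api/.
    api_key is a placeholder for the firewall's API key."""
    return {"type": "user-id", "key": api_key, "cmd": uid_message}


if __name__ == "__main__":
    print("entries without timeout:", entries_missing_timeout(DEFAULT_LOGIN_TEMPLATE))
    fixed = with_timeout(DEFAULT_LOGIN_TEMPLATE, 0)
    print(render(fixed, "andrea", "10.0.0.5"))
```

One caveat worth keeping in mind with timeout="0": a mapping that never expires is only removed by an explicit logout message, so the "Send Logout Info" action has to fire reliably on session end; otherwise the next device that receives that IP address inherits the previous user's User-ID policy.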