MVP Expert

CPPM -> PaloAlto XMLAPI UserID data resend?

I have configured an enforcement profile to send my Palo Alto the user's UserID and HIP data. We notice that the CPPM server resends records well after a user has left the premises. 

To test I disabled the profile match statement so no new data would be sent and I see that CPPM continues to resend records, now several days later.

Is this a feature or a bug? No sessions are still active, and no event has matched the enforcement profile in 6 days, yet I'm still getting new XMLapi connections on the PA firewall.

How do I make ClearPass stop sending?

--Matthew

if I've helped, please give kudos
if I've provided a solution, please mark the solution so others can find it
Guru Elite

Re: CPPM -> PaloAlto XMLAPI UserID data resend?

It should only be sent on accounting changes. Please open a TAC case.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
MVP Expert

Re: CPPM -> PaloAlto XMLAPI UserID data resend?

Calling now.

--Matthew

MVP Expert

Re: CPPM -> PaloAlto XMLAPI UserID data resend?

TAC reports that this is a "known bug" and I'm now (im)patiently waiting for word on a fix.

--Matthew

Occasional Contributor II

Re: CPPM -> PaloAlto XMLAPI UserID data resend?

Any updates on this? We noticed this behaviour in our environment as well. I could not find any hints on a known bug in the release notes. IMHO the Palo Alto context server option is not usable like that. ClearPass also keeps sending the API request if the context server is deleted. That must be a bug. Timeout settings also do not seem to work.

MVP Expert

Re: CPPM -> PaloAlto XMLAPI UserID data resend?

I'm sorry I let this thread go without updating.

The next patch fixed the issue and we haven't seen it again.

I can't tell you exactly which version it was that fixed it, but we patch within a few days of each release.

--Matthew

Occasional Contributor II

Re: CPPM -> PaloAlto XMLAPI UserID data resend?

That's strange because we are on 6.8.0; the update to the latest 6.8.1 is pending. I think I will give the latest version a try and contact TAC otherwise. For now we have disabled the API access on PAN site because ClearPass doesn't stop sending requests.

Occasional Contributor II

Re: CPPM -> PaloAlto XMLAPI UserID data resend?

I recently had a TAC case; it turned out that it is a known bug again. But there is a workaround:

  • Under Cluster-Wide Parameters, General tab, set Post-Auth v2 to ENABLED
  • Then restart the Async network service on all machines

That fixed it for me.
