ClearPass / Palo-Alto networks Integration
09-05-2017 08:32 AM
I'm trying to get dynamic tags working with our Palo Alto firewall. I've read through the technote written by Danny Jump. Everything on my end looks correct. I am trying to use the endpoint profiler within ClearPass to identify Apple iPad / iPhone devices so that I can use them in a security or decryption policy. However, it's not working. From the CLI on the PA firewall, I see the registered IP, along with the tag. I also see a list of dynamic tags that the PA sees from ClearPass. If I create a dynamic group using the dynamic tag, it doesn't work. The security policy doesn't have any effect. I opened up a ticket with PA support, and they said what I'm trying to do is "impossible", but I could request a feature request. Anyone else able to get this working? We are currently on 6.6.3, but are in the process of upgrading to 6.6.4 to see if we can accomplish the same thing with ClearPass roles.
Re: ClearPass / Palo-Alto networks Integration
09-05-2017 04:46 PM
I just started setting up PAN integration myself, but I haven't gotten to rules/objects yet. Just curious if you noticed that there are two PAN technotes; there is one called "PANW and CPPM Advanced Deployment use-case TechNote (V2-July 2014).pdf" (in the ClearPass documentation, https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Default.aspx?EntryId=7961). That document shows a way to create rules based on a HIP object without using tags/dynamic groups. Maybe this would be a way to go if you are just looking at the HIP data?