Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass Integration with Palo Alto FW (Health Status, no 802.1X)

  • 1.  ClearPass Integration with Palo Alto FW (Health Status, no 802.1X)

    Posted Dec 07, 2016 09:56 AM

    Hello Guys,

    We have a ClearPass PoC with one of our very VIP sensitive customers.

    The scenario is that they just need to check the health status of the desktops (wired) and send the health status (Healthy, Quarantine, Unknown) to the Palo Alto firewall, without 802.1X integration with any switch.

    We already have the document of the integration, but this is the first time we are doing such an integration and we have some confusions:

    1- Do we need to add the PANW context server in CPPM and/or the Palo Alto Networks Panorama context server?

    2- In the context server configuration in CPPM, do we need to keep the Service Base URL as per the below, or do we need to substitute the server_ip?
    PANW context server.JPG

    3- As there is no authentication (i.e. dot1x), shall we upgrade to CPPM 6.6.x?

    4- Please advise if you can provide a sample configuration for our case from the ClearPass and Palo Alto side?

    Thanks,

    Zahran



  • 2.  RE: ClearPass Integration with Palo Alto FW (Health Status, no 802.1X)

    Posted Dec 08, 2016 09:45 PM

    Jordan, answers inline below

    1- Do we need to add the PANW context server in CPPM and/or the Palo Alto Networks Panorama context server?

    [djj] - If you have Panorama then you can just add Panorama, assuming the firewall is being managed by Panorama.

    2- In the context server configuration in CPPM, do we need to keep the Service Base URL as per the below, or do we need to substitute the server_ip?
    PANW context server.JPG

    [djj] - Never change it.

    3- As there is no authentication (i.e. dot1x), shall we upgrade to CPPM 6.6.x?

    [djj] - So you want to leverage OnConnect and then use an enforcement profile to send data to PANW; that should be OK.

    4- Please advise if you can provide a sample configuration for our case from the ClearPass and Palo Alto side?

    [djj] - Config for what exactly?



  • 3.  RE: ClearPass Integration with Palo Alto FW (Health Status, no 802.1X)

    Posted Dec 10, 2016 03:48 AM

    Thanks a lot for your reply Danny.

    For OnConnect, shall we configure the SNMP traps from the switches to the ClearPass?

    In order to just push the health update to PANW, do we need to configure an OnConnect enforcement using the OnConnect enforcement template and follow the below:

     * Configure SNMP v2c or v3 MIB access on the wired switch.
     * Configure SNMP traps from the wired switch to the ClearPass appliance.
     * Define a Network Access Device with SNMP information and physical ports to be used with OnConnect Enforcement (at Configuration > Network > Devices).
     * Configure Windows Management Instrumentation details in the Profile settings (at Configuration > Profile Settings > WMI Configuration).
     * Configure a service using the ClearPass OnConnect Enforcement template (at Configuration > Services > Add, select ClearPass OnConnect Enforcement in the Type drop-down list).

    Sample Workflow:

     1. Log in to a domain-joined endpoint.
     2. Connect the endpoint to the port configured for OnConnect Enforcement.
     3. The switch will send an SNMP trap to ClearPass with the endpoint MAC details.
     4. ClearPass will learn of the endpoint IP and device details through profiling (for example, DHCP).
     5. Using WMI, ClearPass will then initiate a scan against the endpoint to identify the logged-in user.
     6. Based upon the user information, the endpoint can be placed into an appropriate VLAN or have its port bounced to apply a different policy.

    Or do we just need to update the CPPM to v6.6 and add an enforcement profile to push the health status to the PANW?

    Thanks,

    Zahran



  • 4.  RE: ClearPass Integration with Palo Alto FW (Health Status, no 802.1X)
    Best Answer

    Posted Dec 10, 2016 11:44 AM

    Hi Zahran,

    I'm now much clearer on your ask and plans. So.... if you want OnConnect you should plan on using 6.6.2 [6.6.3 will be released this week barring no last minute issues]. Yes, as part of OnConnect, switches must send SNMP link notifications to CPPM; depending on the switches we've seen differing results.... what switch are you using?

    The switch must also support SNMP writes.

    Now for the difficult piece. Today I'm pretty sure you CAN'T achieve what you want with the OnConnect and PAN integration of sending a posture update. The post-auth enforcement profile triggers off a RADIUS accounting start; as there is no RADIUS here, this is not going to work.

    We're going to have to rethink this, nothing comes to mind immediately... let me noodle on this.... got to go out now, need to go coach basketball..... :)



  • 5.  RE: ClearPass Integration with Palo Alto FW (Health Status, no 802.1X)

    Posted Dec 11, 2016 02:49 AM

    Hi Danny,

    Thank you very much for your helpful and prompt support.

    I hope all is well with your basketball coaching :)

    Great, your notes make it clear what options we have now.

    Many thanks again.

    Thanks,

    Zahran



  • 6.  RE: ClearPass Integration with Palo Alto FW (Health Status, no 802.1X)

    EMPLOYEE
    Posted Dec 11, 2016 04:32 AM

    Dear Danny,

    Can't we do it through the API integration rather than the RADIUS?


  • 7.  RE: ClearPass Integration with Palo Alto FW (Health Status, no 802.1X)

    Posted Dec 12, 2016 01:47 AM

    That was my initial thought: we'd do this as a post_auth enforcement action, but we're tied into the same restriction, in that post_auth is triggered from a RADIUS accounting start or interim accounting update. We need to do this post-auth as we need the IP address to let PANW know, as this is key for them to help match the session. We can't do an HTTP enforcement as this fires before we have the IP address.
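The constraint Danny describes in the last two replies is that the firewall matches a posture update on the endpoint's IP address, so nothing useful can be sent until ClearPass has learned that IP. The following is an added example, not ClearPass or PAN-OS code from the thread, that shows what such an update looks like as a PAN-OS User-ID XML API message (an ip-to-user `login` entry plus a `register` tag carrying the health state) and that refuses to build one before the IP is known. The tag names in `HEALTH_TAGS`, the user and IP values, and the assumption that a Dynamic Address Group on the firewall matches on those tags are all constructed for the example.

```python
"""Build a PAN-OS User-ID XML API message carrying an endpoint's IP, logged-in
user and ClearPass health state. Added example; not ClearPass or PAN-OS code.
The tag names and sample endpoint values below are constructed."""
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from ipaddress import ip_address

# Constructed mapping from ClearPass health states to firewall tags.
# Assumption: a Dynamic Address Group on the firewall is built on these tags.
HEALTH_TAGS = {
    "Healthy": "cppm-healthy",
    "Quarantine": "cppm-quarantine",
    "Unknown": "cppm-unknown",
}


def posture_update_ready(ip):
    """True only once a valid endpoint IP is known. An HTTP enforcement that
    fires before profiling has learned the IP (the thread's failure mode)
    has nothing the firewall can match a session on."""
    if not ip:
        return False
    try:
        ip_address(ip)
    except ValueError:
        return False
    return True


def build_uid_message(user, ip, health, timeout_minutes=60):
    """Return the <uid-message> XML for one endpoint, or raise ValueError
    when the IP is missing or the health state is not one we know."""
    if not posture_update_ready(ip):
        raise ValueError("endpoint IP not yet known; cannot update the firewall")
    if health not in HEALTH_TAGS:
        raise ValueError("unknown health state: %r" % (health,))
    ip = str(ip_address(ip))  # normalised form

    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")

    # ip-to-user mapping so User-ID policy can match the session
    login = ET.SubElement(payload, "login")
    ET.SubElement(login, "entry", name=user, ip=ip, timeout=str(timeout_minutes))

    # tag the address with the health state for Dynamic Address Group policy
    register = ET.SubElement(payload, "register")
    entry = ET.SubElement(register, "entry", ip=ip)
    tag = ET.SubElement(entry, "tag")
    ET.SubElement(tag, "member").text = HEALTH_TAGS[health]
    return ET.tostring(root, encoding="unicode")


def parse_uid_message(xml_text):
    """Read back the user, IP and health tag from a message (used to verify
    what would be sent before it leaves the box)."""
    root = ET.fromstring(xml_text)
    login = root.find("payload/login/entry")
    member = root.find("payload/register/entry/tag/member")
    return {"user": login.get("name"), "ip": login.get("ip"), "tag": member.text}


def push_to_firewall(host, api_key, xml_text):
    """POST the message to the PAN-OS XML API (type=user-id). Assumption: the
    caller supplies a firewall host with a valid certificate and an API key
    held outside the script; TLS verification is left on. Not run here."""
    body = urllib.parse.urlencode({"type": "user-id", "key": api_key, "cmd": xml_text})
    req = urllib.request.Request("https://%s/api/" % host, data=body.encode(), method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    # Constructed sample: a quarantined wired desktop whose IP profiling has learned.
    msg = build_uid_message("corp\\zahran", "10.20.30.40", "Quarantine")
    print(msg)
    print(parse_uid_message(msg))
```

The `posture_update_ready` check is the programmatic form of the ordering problem in the thread: whatever triggers the push (RADIUS accounting in the built-in integration, or something else if the design is reworked) has to come after step 4 of the OnConnect workflow, where ClearPass learns the IP through profiling.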