I was curious if anyone had the CPPM/PAN integration running successfully with PAN-OS 7.0.1. Back in Febuary we had run a POC with a couple of PAN boxes and setting up the trigger updates for session-notify was a breeze. Fast forward to today, and we've finally received our own PAN boxes which we have running in tandem with the POC boxes while we export configs etc. On the CPPM side, I created two additional enforcement profiles (one for each new appliance), assigned them to the appropriate policies, and... nothing.
I've combed over the configs of the old POC vs new PAN boxes and everything is the same except for the version of PAN-OS and user account type. The old POCs are on 6.1.3 and the new boxes are on 7.0.1. The old POCs are being updated via full-blown admin accounts whereas I'm attempting to get the XML API USER-ID role working on the new boxes (per the Aruba & PAN Integretion guide). Just to rule it out, I changed the accounts on the new boxes to full-blown admins and they are still not sending UID info.
Running through CPPM logs shows the following:
2015-08-13 10:44:36,554 ERROR root pactrlmonitprofile Failed to fetch auth_token using the auth_URL=https://xxx.xxx.xxx.xxx/api/?type=keygen&user=cppm-admin&password=$$$$$$$
2015-08-13 10:44:36,555 INFO root pactrlmonitprofile PADeviceFullUserName=use_netbiosname
2015-08-13 10:44:36,555 DEBUG root pactrlmonitprofile Sending UID mapping with NETBIOS prefix to Palo Alto device
2015-08-13 10:44:36,555 WARNING root pactrlmonitprofile Not sending userid object for padevice=xxx.xxx.xxx.xxx as auth_token is empty
2015-08-13 10:44:36,555 WARNING root pactrlmonitprofile Not sending userid object for padevice=xxx.xxx.xxx.xxx as auth_token is empty
I thought that maybe I had gotten my passwords mixed up between CPPM and PAN, but I can take that auth URL, fille in the PAN IP along with appropriate username/password, paste it in a browser, and get a success/API key returned from PAN.
I've got a TAC case open but figured I'd poll the audience here to see if anyone has this working already. If no one has any ideas, I suppose I'll be rolling back to PAN-OS 6.x this weekend and report my findings.