Security

I was curious if anyone had the CPPM/PAN integration running successfully with PAN-OS 7.0.1. Back in Febuary we had run a POC with a couple of PAN boxes and setting up the trigger updates for session-notify was a breeze. Fast forward to today, and we've finally received our own PAN boxes which we have running in tandem with the POC boxes while we export configs etc. On the CPPM side, I created two additional enforcement profiles (one for each new appliance), assigned them to the appropriate policies, and... nothing.

I've combed over the configs of the old POC vs new PAN boxes and everything is the same except for the version of PAN-OS and user account type. The old POCs are on 6.1.3 and the new boxes are on 7.0.1. The old POCs are being updated via full-blown admin accounts whereas I'm attempting to get the XML API USER-ID role working on the new boxes (per the Aruba & PAN Integretion guide). Just to rule it out, I changed the accounts on the new boxes to full-blown admins and they are still not sending UID info.

Running through CPPM logs shows the following:

2015-08-13 10:44:36,554 ERROR  root             pactrlmonitprofile Failed to fetch auth_token using the auth_URL=https://xxx.xxx.xxx.xxx/api/?type=keygen&user=cppm-admin&password=$$$$$$$

2015-08-13 10:44:36,555 INFO   root             pactrlmonitprofile PADeviceFullUserName=use_netbiosname

2015-08-13 10:44:36,555 DEBUG  root             pactrlmonitprofile Sending UID mapping with NETBIOS prefix to Palo Alto device

2015-08-13 10:44:36,555 WARNING root             pactrlmonitprofile Not sending userid object for padevice=xxx.xxx.xxx.xxx as auth_token is empty

2015-08-13 10:44:36,555 WARNING root             pactrlmonitprofile Not sending userid object for padevice=xxx.xxx.xxx.xxx as auth_token is empty

I thought that maybe I had gotten my passwords mixed up between CPPM and PAN, but I can take that auth URL, fille in the PAN IP along with appropriate username/password, paste it in a browser, and get a success/API key returned from PAN.

I've got a TAC case open but figured I'd poll the audience here to see if anyone has this working already. If no one has any ideas, I suppose I'll be rolling back to PAN-OS 6.x this weekend and report my findings.

Hello,

We recently became aware of an interoperability issue in the PAN OS 7.x and CPPM. Upon a joint investigation between the CPPM & PANW engineers it appears there was a change made in the 7.x code. I've just reached out to see if I can get an update from PAN regarding the release of a patch that will incorporate a fix. Once I have some news I will update this thread.

@dannyjump - Appreciate the update. You may want to pass word along to TAC, as the engineer I spoke to yesterday was unaware of any existing issues between CPPM & PAN-OS 7. I will definitely continue to monitor this thread for a patch ETA.

For anyone else having similar issues, I downgraded from PAN-OS 7.0.1 to 6.1.6 and immediately saw the XMLAPI communication with CPPM come back.

Just FYI 7.0.2 was released yesterday.

@dannyjump - Appreciate the follow up. My maintenance window has come and gone, but when I get the next opportunity to upgrade our PAN box I will verify that 7.0.2 is working correctly with CPPM.