Moderator

UPDATED TechNote V6: ClearPass and Palo Alto Networks Integration

ClearPass Team,

Please find updated information and details related to the ClearPass and Palo Alto Networks integration; this is V6 of this integration guide.

In this release, I have rewritten and updated a large section of this document to remove a lot of the 'old' PAN-OS 5.x integration information; we have also migrated the document to the new TechNote template.

More interestingly, I have added a new section covering the new functionality related to passing ClearPass ROLE context/labels and how to configure the PANW to use this context [Dynamic Address Groups/TAGS] to drive enforcement in the firewall. This has long been a request from customers since our initial CPPM/PANW integration over 4 years ago.

You can find the document on the support site here: https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=25444

Happy reading – go fill your boots! Comments and feedback/suggestions graciously accepted.

Best Regards
-d

ClearPass Product Manager

-- Found something helpful, important, or cool? Click the Kudos Star in a post.
-- Problem Solved? Click "Accept as Solution" in a post.
Contributor I

Re: UPDATED TechNote V6: ClearPass and Palo Alto Networks Integration

Hi Danny,

I implemented the integration between CPPM + PAN using dot1x authentication and firewall policy using the roles. Fantastic!!

What about the VPN client scenario implementation? If I understand correctly, the lack of accounting in this case doesn't allow CPPM to generate the XML API. Is that right?

Do you think it could be possible to use roles in firewall policy when the client is connecting via VPN using GlobalProtect?

Thanks

Guru Elite

Re: UPDATED TechNote V6: ClearPass and Palo Alto Networks Integration

Unfortunately, this is not possible today. Please note that GlobalProtect will use its own user authentication information for user-id.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Contributor I

Re: UPDATED TechNote V6: ClearPass and Palo Alto Networks Integration

Ciao,

in the end I did it. I used Ingress Events to match the login and logout and I used an enforcement via HTTP Generic API.

1) I configured Palo Alto to send via syslog just two events, login and logout;

2) I configured Ingress Events to match and I extracted the user and IP address released by GlobalProtect;

3) I created two Endpoint Context Server Actions to send the XML API (Register and Unregister) Dynamic Address Group;

4) At the end I created the enforcement profile.

When the user logs in, CPPM sends the enforcement DAG Register API (I attached it both to the user's RADIUS authentication Enforcement and to the Ingress Event). The first one is more reactive than the second one. When the user logs off, the Ingress Event sends the UnRegister API.

Thanks to the Aruba Community and to the ClearPass product!

I'm going to write a document regarding the configuration.
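The login/logout to DAG Register/Unregister flow described in the post above, as an added Python example that is not part of this post, of ClearPass or of PAN-OS: it parses a constructed GlobalProtect syslog line the way the Ingress Event would, and builds the PAN-OS User-ID XML API message that the Endpoint Context Server Action carries. The key=value syslog layout (a custom syslog format on the firewall), the hostname fw01 and the tag name vpn-user are assumptions.

```python
import re
from xml.etree import ElementTree as ET

# Constructed sample syslog lines. They assume the Palo Alto syslog server
# profile uses a custom log format emitting event, user and source IP as
# key=value pairs; a real GlobalProtect log line looks different, so the
# regex must be adjusted to the format actually exported.
SAMPLE_LINES = [
    '<14>Jun 1 10:00:00 fw01 GLOBALPROTECT: event=gateway-login user=jdoe ip=10.20.30.40',
    '<14>Jun 1 11:30:00 fw01 GLOBALPROTECT: event=gateway-logout user=jdoe ip=10.20.30.40',
    '<14>Jun 1 11:31:00 fw01 GLOBALPROTECT: event=gateway-config user=jdoe ip=10.20.30.40',
]

EVENT_RE = re.compile(
    r'event=(?P<event>\S+)\s+user=(?P<user>\S+)\s+ip=(?P<ip>\d{1,3}(?:\.\d{1,3}){3})'
)


def parse_gp_event(line):
    """Extract event, user and ip from a syslog line; None when it does not match."""
    m = EVENT_RE.search(line)
    return m.groupdict() if m else None


def build_dag_xml(action, ip, tag):
    """Build the PAN-OS User-ID XML API message that registers or unregisters
    a tag on an IP; a Dynamic Address Group whose match is that tag then
    gains or loses the address."""
    if action not in ('register', 'unregister'):
        raise ValueError('action must be register or unregister: %r' % action)
    root = ET.Element('uid-message')
    ET.SubElement(root, 'version').text = '1.0'
    ET.SubElement(root, 'type').text = 'update'
    payload = ET.SubElement(root, 'payload')
    entry = ET.SubElement(ET.SubElement(payload, action), 'entry', ip=ip)
    ET.SubElement(ET.SubElement(entry, 'tag'), 'member').text = tag
    return ET.tostring(root, encoding='unicode')


def handle_syslog_line(line, tag):
    """Map a login to a register message and a logout to an unregister message.
    Returns (action, xml), or None for lines that need no DAG change."""
    ev = parse_gp_event(line)
    if not ev:
        return None
    action = {'gateway-login': 'register', 'gateway-logout': 'unregister'}.get(ev['event'])
    if action is None:
        return None
    return action, build_dag_xml(action, ev['ip'], tag)
```

The XML is what the Endpoint Context Server Action posts to the firewall's `/api/?type=user-id` endpoint as the `cmd` parameter together with an API key; only the tag changes, so the firewall policy keeps referencing the DAG, not the IP.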


Contributor I

Re: UPDATED TechNote V6: ClearPass and Palo Alto Networks Integration

Hi ipagliani,

I'm wondering if you could shed more light on how you set up the ingress event matching? We're running into the same issue with GlobalProtect not sending RADIUS accounting data.

We've configured the syslog exports on Palo Alto on log-in / log-out events for VPN users, but we can't seem to get the dictionary correct in CP to be able to match off Username / IP address.

Any insight you can provide would be appreciated!

Thanks!

MVP

Re: UPDATED TechNote V6: ClearPass and Palo Alto Networks Integration

I just found this and it looks like you'll be solving a few of my integration issues.

One question, is there an (another) update in the works?

CPPM 6.7 has some divergence from the version in your examples, starting on page 10, where there isn't a line reading "Enable Profile", for example.

--Matthew

if I've helped, please give kudos
if I've provided a solution, please mark the solution so others can find it