ClearPass and Palo Alto Networks

Integration Guide

Palo Alto Networks

ClearPass
Integration Guide

ClearPass and Palo Alto Networks - Integration Guide 1

 ClearPass and Palo Alto Networks
Integration Guide

Change Log

Version Date Modified By Comments

2019-01 Nov 2019 Arpit Bhatt Consolidated Integration Guide

2020-01 June 2020 Danny Jump Reviewed with Jeff Hochberg from Palo Alto
Networks

Copyright
©Copyright 2020 Hewlett Packard Enterprise Development LP.

Open Source Code

This product includes code licensed under the GNU General Public License, the GNU Lesser General Public License, and/or
certain other open source licenses. A complete machine-readable copy of the source code corresponding to such code is
available upon request. This offer is valid to anyone in receipt of this information and shall expire three years following the
date of the final distribution of this product version by Hewlett- Packard Company. To obtain such source code, send a
check or money order in the amount of US $10.00 to:

Hewlett-Packard Company
Attn: General Counsel
3000 Hanover Street
Palo Alto, CA 94304
USA

Please specify the product and version for which you are requesting source code. You may also request a copy of this
source code free of charge at [email protected].

ClearPass and Palo Alto Networks - Integration Guide 2

 Contents
Introduction................................................................................................................................................................................. 5
Software Requirements ............................................................................................................................................................... 6
Installation and Deployment Guide ............................................................................................................................................. 6
Pre-Requisites for the Integration ............................................................................................................................................... 6
Egress Context Sharing with NGFW ............................................................................................................................................. 7
ClearPass Policy Manager Configuration ................................................................................................................................. 7
PostAuth v2 – Recommended post 6.8.0 ............................................................................................................................ 7
Setting Palo Alto Networks User Identification Timeout................................................................................................... 10
Adding Context Servers ..................................................................................................................................................... 10
Adding Enforcement Profile, Policy and Service................................................................................................................ 12
NGFW Configuration ............................................................................................................................................................. 13
API Access .......................................................................................................................................................................... 13
Tags and Dynamic Address Groups ................................................................................................................................... 14
HIP Objects and Profiles .................................................................................................................................................... 17
Examples................................................................................................................................................................................ 18
Location and Device Aware Policy ..................................................................................................................................... 19
Posture data ...................................................................................................................................................................... 23
Guest with MAC Caching ................................................................................................................................................... 27
Egress Context Sharing with Panorama..................................................................................................................................... 31
Adding Context Servers ..................................................................................................................................................... 31
Adding Enforcement Profile .............................................................................................................................................. 33
Threat Protection Using Ingress Event Engine .......................................................................................................................... 34
ClearPass Policy Manager Configuration ............................................................................................................................... 34
Enable Ingress Event Engine .............................................................................................................................................. 34
Enable Dictionaries ............................................................................................................................................................ 35
Add Event Source .............................................................................................................................................................. 36
Service Configuration ........................................................................................................................................................ 36
Tuning Ingress Event Engine (Optional)............................................................................................................................. 39
Changing Syslog Port (Optional) ........................................................................................................................................ 39
Palo Alto Networks Configuration ......................................................................................................................................... 39
Example ................................................................................................................................................................................. 40
GlobalProtect VPN with OnGuard Health Updates ................................................................................................................... 42
Why the need for an Extension? ....................................................................................................................................... 43
Step I: Configuration and Installation of the Extension ..................................................................................................... 44
Step II: Configuration of Context Server Action, Enforcement Profiles and Services within ClearPass Policy Manager ... 45
Step III: Configuration of a TAG in Palo Alto Networks Firewall ........................................................................................ 50
Troubleshooting Tips ................................................................................................................................................................. 51
Dynamic Device (Tag) <-> IP Address Mapping ................................................................................................................. 52
UserID <-> ClearPass Roles ................................................................................................................................................ 53
UserID <-> Showing all Dynamic DAGs .............................................................................................................................. 53

www.arubanetworks.com
3333 Scott Blvd
Santa Clara, CA 95054
Phone: 1-800-WIFI-LAN (+800-943-4526)
© 2019 Hewlett Packard Enterprise Development LP. All Rights Reserved. Fax 408.227.4550

ClearPass and Palo Alto Networks - Integration Guide 3

 Show HIP Reports .............................................................................................................................................................. 54
Some additional Debugging Commands............................................................................................................................ 54
Show XMLAPI statistics ...................................................................................................................................................... 55
Real-Time debug monitoring of the UserID process ......................................................................................................... 56
ClearPass Policy Manager Logs files .................................................................................................................................. 57
Sending login UserID + Source IP@, as user logs in ........................................................................................................... 58
Adding IP@ to Category, as ClearPass profiles the IP@ .................................................................................................... 58
Sending logoff UserID + IP@, as user logouts.................................................................................................................... 59
Removing IP@ from Category as device logout ................................................................................................................ 59
XML example of HIP Object ............................................................................................................................................... 59
ClearPass Extension Log files ............................................................................................................................................. 59
Ingress Event Engine Logs.................................................................................................................................................. 60

ClearPass and Palo Alto Networks - Integration Guide 4

 Introduction
This document is intended to help field engineering, customers, and channel partners integrate ClearPass Policy Manager
(CPPM) with Palo Alto Networks Next-Generation Firewall (NGFW). CPPM integration with Palo Alto solves several
interesting use cases. This guide covers the following

1. Sending device and user context aggregated by CPPM to NGFW, for example

a. Sending user to IP mapping

b. Federating ROLE to TAG for DAG applied policy access

c. Sending HIP Data for applied policy access

d. Leveraging mac-auth for Guest/Visitor access to drive Guest/Visitor polices access

2. Sending device and user context aggregated by CPPM to Panorama (Palo Alto Networks’ centralized management
platform for NGFW)

3. Receiving feedback from NGFW to quarantine malicious endpoints

4. Sending ClearPass OnGuard Posture data over to NGFW to Quarantine non-compliant GlobalProtect VPN
endpoints

Palo Alto Networks NGFW offers contextual security for all users which enables granular application access. Simple
firewalling using IP addresses or TCP port numbers only provides a subset of the enhanced security required for enterprises
to secure their networks. For example, it’s no longer acceptable to just ‘deny Twitter’ or ‘deny Facebook’ access. Many
organizations use social networking web sites to advertise their products, solutions, and activities. Legacy firewalls are not
able to differentiate valid authorized users from casual social networking users. Today’s challenge to allow Facebook based
upon contextual data such as username makes it almost impossible for legacy firewalls to implement granularity in their
security policy. For this to happen, the firewall needs to correlate between the user and the assigned IP address. The
challenge is finding meaningful sources of user information covering the full spectrum of network activity, including known
users, guests, and non-enterprise users. ClearPass Policy Manager can act as a source of truth providing this correlation.
CPPM is a context aggregator and has information about the user and device which can be shared with the firewall for
granular policy enforcement at the perimeter using NGFW.

A larger enterprise may have a large number of NGFWs and would want to leverage the role assignment via Panorama.
CPPM can leverage Panorama’s APIs for Role assignment as well.

NGFW has advanced capabilities that help detect malicious threats, malware etc. Leveraging global threat intelligence with
integration of Threat Prevention, URL Filtering and WildFire can also help detect both and unknown threats. Advanced
Persistent Threats popularly known as APTs are identified and discovered by NGFW. Once a threat or a malware or
malicious behavior is detected, NGFW notifies ClearPass Policy Manager of its existence and the endpoints responsible for
the behavior. CPPM leverages its endpoint context database and gets the IP and user associated with the device, flags the
endpoint and can take real time action on the endpoint irrespective of whether it is connected to wired or wireless
networks or GlobalProtect VPN clients. This action could vary between a complete deny, a restricted quarantine to a
notification to the IT team leveraging ITSM tool APIs. It is a very powerful mechanism within ClearPass Policy Manager
known as Ingress Event Engine which essentially takes a feedback from your existing security solutions, in this case NGFW
and takes real time action on compromised endpoints.

ClearPass and Palo Alto Networks - Integration Guide 5

 GlobalProtect establishes a secure SSL/IPsec VPN connection to NGFW. This enables users’ access to Corporate data or
infrastructure similar to a traditional VPN. Customers can leverage the benefits of ClearPass OnGuard to ensure compliance
of the device before granting access to the sensitive corporate data and infrastructure via GlobalProtect. ClearPass
OnGuard can incorporate a wide range of Health checks on Windows, macOS and Linux. These endpoints connecting via
GlobalProtect enables ClearPass OnGuard to send the posture data to ClearPass OnGuard. This data can then be used to
evaluate the health of the endpoint before granting access to GlobalProtect VPN clients. The access can be dynamically
changed by assigning appropriate roles on NGFW via Tags and Dynamic Address Groups.

Software Requirements
The minimum in support software version required for ClearPass Policy Manager is 6.7.0. At the time of writing, ClearPass
Policy Manager 6.9.1 is the latest available and recommended release. Any subsequent ClearPass software release will
support this integration. ClearPass runs on either hardware appliances with pre-installed software, or as a Virtual Machine
under the following hypervisors. Hypervisors that run on a client computer such as VMware Player are not supported.

• VMware ESXi 6.0 6.5, 6.6, 6.7 or higher

• Microsoft Hyper-V Server 2012, 2016 R2 or 2019
• Hyper-V on Microsoft Windows Server 2012, 2016 R2 or 2019
• Amazon EC2
• KVM on CentOS 7.5 or later.

The minimum software version on the Palo Alto Networks firewall is PAN-OS 8.1.0, released in March 2018. However, it is
recommended that you regularly review software updates to utilize the benefits from the latest fixes and feature updates
from Aruba and Palo Alto Networks.

Installation and Deployment Guide

This document assumes your ClearPass environment is already configured and operational. If you require assistance with
basic deployment, refer to the following deployment guide:

http://www.arubanetworks.com/techdocs/ClearPass/Aruba_DeployGd_HTML/Default.htm

Pre-Requisites for the Integration

Following steps are the pre-requisites for the integration to be successful. These are some of the basic configuration steps
necessary for the integration to work.

1. ClearPass Policy Manager node should have access to NGFW or Panorama over port 443 which is used for API
communication. Syslog port (UDP 514) should be open between NGFW and/or Panorama and CPPM for Ingress
Event Engine.

ClearPass and Palo Alto Networks - Integration Guide 6

 2. Enable Insight on your CPPM node or in the cluster. Insight collates the records necessary to be sent to the PAN-OS
XML API.

Under Administration > Server Manager > Server Configuration > System, check the option to ‘Enable Insight’.

3. Enable RADIUS Interim-Accounting Updates logging on CPPM. This can be checked at Administration > Server
Manager > Server Configuration > Service Parameters. The default is FALSE. Ensure its configured as TRUE.

Some Network Access Devices (NADs) do not send the Framed-IP address in Accounting start packet. Ensure
Interim Accounting is enabled on these NADs. By default, most of the NADs do not send the Interim Accounting
data even after enabling Accounting. Enabling Accounting results in NADs sending Accounting Start and Accounting
Stop at the beginning and the end of the session respectively.

Egress Context Sharing with NGFW

This section covers the first use case discussed in the Introduction section. The configuration below helps us share the
context that ClearPass Policy Manager aggregates with NGFW. ClearPass Policy Manager can share user to IP correlation,
user role, device context, share Posture data with NGFW. This section covers the configuration required for egress context
sharing.

ClearPass Policy Manager Configuration

PostAuth v2 – Recommended post 6.8.0

The data that CPPM collates and writes into the Insight database is extracted and written to NGFW or Panorama by a
daemon called PostAuth. This daemon runs periodically as determined by the PostAuth Eager Handles setting. Several
seconds can elapse between when the client has authenticated and obtains its IP address and when the NAS sends RADIUS

ClearPass and Palo Alto Networks - Integration Guide 7

 Accounting packets to ClearPass (it needs this for the client IP address). Assuming that Profiling is enabled, ClearPass then
will profile the endpoint. Following these steps ClearPass has the attributes it needs to update NGFW or Panorama which,
in turn, is used in Security Policy Rules that control the level of access GlobalProtect VPN clients have to the network. Once
the data is gathered the PostAuth daemon will POST this data to NGFW or Panorama.

By default, PostAuth daemon wakes up every 30 seconds to process the jobs and send the corelated data to NGFW or
Panorama. This timer can be lowered to an aggressive value depending on the load on the ClearPass Policy Manager server
handling the request. A value of 10 seconds is recommended.

Lowering the Eager handler must be done with care, it can affect other system functions if its process to much syslog.

Starting 6.7.3, CPPM has enhanced the PostAuth daemon for higher scalability. PostAuthv2 is disabled by default and must
be enabled by the customers, however in 6.9.0 it becomes the default.

This can be enabled from “Cluster-Wide Parameters” under Administration > Server Manager > Server Configuration.

It is strongly recommended to enable PostAuth v2 for this Integration.

ClearPass and Palo Alto Networks - Integration Guide 8

 The Async Network services have to be restarted after enabling PostAuth v2. This can be done under Administration >
Server Manager > Server Configuration. Click on the server and navigate to Services Control tab as shown below.

ClearPass and Palo Alto Networks - Integration Guide 9

 Setting Palo Alto Networks User Identification Timeout

PAN-OS XML API requires a value for the User Identification Timeout along with the correlation data posted. This value is
set to 45 mins by default on NGFW.

This is set to the same default value in ClearPass as well. The value can be configured under Administration > Server
Manager > Server Configuration > Service Parameters as shown below.

Adding Context Servers

Navigate to Administration > External Server > Endpoint Context Servers > Add Context Server and select Palo Alto
Networks Firewall, enter the required IP address of the Palo Alto Networks Firewall, and a username/password pair that
ClearPass Policy Manager will use to send user/endpoint context data.

ClearPass and Palo Alto Networks - Integration Guide 10

 Configuration attribute Description Example/Values

Server Type Enter the FQDN or IP address of the server 10.1.1.1/pan1.arubasecurity.net

Server Base URL This gets auto generated. Do not modify.

Authentication Method Select Basic

Username and Password Specify the credentials required to access Palo Alto
Networks APIs. Steps in next section “NGFW
Configuration”

Username Transformation The username posted from ClearPass to Palo Alto None, Prefix NetBIOS Name, Use
Networks can be transformed using this option Full Username

None - User ID updates and HIP Reports will only

have an entry for the username.

Prefix NetBIOS Name - User ID updates will have an

entry as NetBIOS Name\username; the HIP Report
will also have NetBIOS Name\username, and will
include NetBIOS Name as domain field

Use Full Username - User ID updates will have an

entry as Full Username propagated by policy server.

Validate Server Check the box to validate the server certificate Disable/Enable

Enable Server This enables the context server. Ensure it is checked Disable/Enable
if being used.

Bypass Proxy If enabled, the HTTP proxy server configured within Disable/Enable
ClearPass is ignored.

IP Version Specify whether CPPM should share the IPv4 or IPv6 IPv4, IPv6 or Both
address of the endpoint or both with the NGFW.
Default is IPv4

NGFW User-ID requires the user identity in the format domain\username. Policies on NGFW or Panorama can then be configured to use
the “domain” portion of the domain\username if required

ClearPass and Palo Alto Networks - Integration Guide 11

 Adding Enforcement Profile, Policy and Service

Context Server Actions are triggered using an enforcement profile. Administrator can pick and choose a context server
action that can be sent to NGFW.

An example of the enforcement profile to send all the data is shown below. The actions not required to be sent can be
skipped.

The data sent can serve different use cases. The use cases will be covered in the section to follow.

Completing the configuration from this point is standard ClearPass workflow. An Enforcement Policy needs to be created
with the action to call the Enforcement Profile, or an existing policy needs to be modified to add this new profile. The
example below is based upon an AD group membership match for the user.

In the below example, CPPM will send an update to NGFW or Panorama when the authenticated user is a member of the
AD Group ns-tme.

ClearPass and Palo Alto Networks - Integration Guide 12

 Next, an example of adding the Enforcement policy to a Service.

NGFW Configuration
Following configuration is required on the NGFW for ClearPass to successfully send the data to the Firewall. Once the data
is received, NGFWs can leverage the context gathered for multiple use cases.

API Access

For CPPM to send data to a NGFW, you should create a dedicated account. It’s possible to use the built-in admin account,
however this is not recommended. Create a new account that will be used solely for the purpose of this communication.
Create a role-based account, this account can be limited to only communicating with the Palo Alto Networks firewall via the
XML API.

Under the Device tab and Admin Roles create an admin-role as below. Ensure that you disable all the options on the Web UI
Tab and the XML API except the User-ID Agent as shown below.

ClearPass and Palo Alto Networks - Integration Guide 13

 Next create the actual Administrator account. This will be used when defining NGFW or Panorama instances within CPPM
as shown in the section “Adding Context Server”.

Again, under the Device tab but this time under Administrators create an admin user.

In this example, add an admin user account called admin-cppm. See how it references the profile cppm-xml-role created in
the previous step. This profile is limited to the User-ID agent APIs.

The Next generation firewall integration helps federate and apply user and device context aware policies. This context can
be applied primarily using Tags and Dynamic Address Groups. It can also be applied using HIP Objects and HIP Profiles
although the former method is more popular and widely used.

Tags and Dynamic Address Groups

Tags are essentially the identifiers. Multiple Tags can leverage the AND/OR Boolean logic to be combined into a Dynamic
Address Group. Leveraging the PAN-OS XML API, the client IP address is correlated with these Tags or Dynamic Address
Groups. NGFW can essentially utilize these Tags or Dynamic Address Groups to then apply policies.

Tags can be defined statically on the firewall and/or registered (dynamically) to NGFW or Panorama. All entities that have
the tags and match the defined criteria become members of the dynamic group. The difference between Static and
Dynamic Tags is that Static Tags are part of the NGFW configuration, and Dynamic Tags are part of the runtime
configuration. A commit is not required to update Dynamic Tags; the tags must however be used in policy and the policy
must be committed on the device.

The Roles in ClearPass Policy Manager can be mapped to tags on NGFW or Panorama to simplify the security
interoperability between solutions. As an example, ClearPass Policy Manager is able to understand the concept of a
location, be that from a switch or from within the wireless network such as an Aruba AP-Name. This location information
can be mapped to role and hence the location can be used in Security Policy Rules to restrict access from or to a secure or
restricted resource/application using tags.

Let us look at an example where a user who is a memberOf group PLM gets assigned a different Security Policy Rule within
NGFW.

ClearPass and Palo Alto Networks - Integration Guide 14

 An example of Role Mapping in CPPM is shown below

When the user cam, who is memberOf the group PLM attempts authentication. Following is the screenshot from Access
Tracker. The Roles assigned by ClearPass is PLM and [User Authenticated].

Create Tags to match the roles being sent from ClearPass Policy Manager. Note these Tags are case specific. Go to Objects >
Tags. Click on Add.

ClearPass and Palo Alto Networks - Integration Guide 15

 After building the Tags, these need to be ‘grouped’ into one or more Dynamic Address Groups. The address groups are then
used to match in Security Policy Rules. This can be done under Objects > Address Groups.

The below firewall rule uses the Dynamic Address Group to match on the PLM-role and has an action of Drop. Hence tags
are required to be mapped into Dynamic Address Groups and Dynamic Address Groups are used within Security Policy. The
Security Policy can be configured under Policies tab.

Finally, below is the log from Monitor > Logs > Traffic showing the rule created dropping traffic based for the user matching
PLM Dynamic Address Group.

ClearPass and Palo Alto Networks - Integration Guide 16

 Similarly, the combination of roles in CPPM and Dynamic Address Groups in NGFW or Panorama can be used to create
granular policies that are enforced by NGFW.

HIP Objects and Profiles

HIP Objects and Profiles can also be leveraged within the policies created on the NGFW. This requires a valid GlobalProtect
Gateway license and should only be used if the role match option with Tags and Dynamic Address Groups cannot achieve
the desired use case. Let us look at one example for reference.

Select the Object Tab, then under GlobalProtect, you will find the HIP Objects and HIP Profiles. On the bottom left-hand
side click “Add”. This adds a new HIP Object. HIP Profiles are a collection of HIP Objects in a similar way that Dynamic
Address Groups are a collection of Tags. When creating a HIP Object, use only the options on the General Tab in the match,
the below example shows using the Host OS.

In the example below, all the Windows XP devices are blocked. Create a HIP Object for OS Contains Microsoft and
Windows XP.

As shown above, the host details are sent using HIP data from CPPM. HIP Report from CPPM sends Domain, OS, Client
Version (Device Name in CPPM endpoint repository) and Host Name.

ClearPass and Palo Alto Networks - Integration Guide 17

 Similarly, 2 more HIP Objects XP 2 and XP 3 were created for OS = Windows XP Home and Windows XP Professional
respectively. As a next step, these multiple HIP objects are grouped into a HIP profile. This is under the same tab Objects >
GlobalProtect > HIP Profiles. Click on Add. Type XP in the Match box and then click on “Add Match Criteria”. Once done,
add XP 1 or XP 2 or XP 3.

This HIP Profile can now be used in the Security Policy. This can be added under Policies > Security. Click on Add. Select the
HIP Profile under the User tab as shown below.

Sample Policy is shown below

Although an example is shown above using a HIP Profile, the above use case can also be achieved using Role Mapping in
ClearPass Policy Manager and mapping the roles to Tags and Dynamic Address Groups and should be preferred.

Examples
The section “Tags and Dynamic Address Groups” covers and example or a use case leveraging Active Director membership.
Similarly, the section “HIP Objects and Profiles” covers an example for blocking Windows XP endpoints. Let us look at some

ClearPass and Palo Alto Networks - Integration Guide 18

 more example use cases that can be achieved with this integration. These scenarios will use CPPM role mappings with Tags
and Dynamic Address Groups on NGFW.

Location and Device Aware Policy

Let us consider a scenario where an administrator would like to block media streaming applications for users connecting to
the wireless network in India. It has been observed that due to a large amount of video traffic originating from India office,
users are facing constraints with bandwidth and hence the user experience with corporate applications is poor and slow. A
policy that’s blocks all employees from accessing YouTube traffic from the India office needs to be implemented.

Let’s walk through this example and understand the key aspects of configuration that can help us achieve this integration.

• Role Mapping in ClearPass Policy Manager

The first condition validates if user is authenticating with his active directory credentials. It can be something as
specific as group membership within Active Directory.

The second condition checks for the AP-Name which is one of the computed attributes from RADIUS. The AP-Name
contains India which is used to classify if the connection is coming from India and an appropriate role is assigned.
One can also leverage the Device Groups within CPPM to assign this role as shown with the third condition.

Notice, the rules evaluation algorithm selects all the roles that match. Role mapping can be designed as per the use
case and gives an administrator a wide range of options for a very granular policy.

• Enforcement Profile on CPPM

ClearPass and Palo Alto Networks - Integration Guide 19

 Notice the actions sent by the enforcement profile. Only the login Info and roles are sent for the session. It is not
necessary to send HIP data, device data or posture data since it’s not being used.

• Tags in NGFW

Create 2 Tags “Employee” and “India” whose names should exactly match with the roles to be sent.

• Maps these tags to the Dynamic Address Groups to be used in NGFW Security Policy Rules

• Policy on NGFW which maps the Dynamic Address Group

• Access Tracker results on CPPM

ClearPass and Palo Alto Networks - Integration Guide 20

 • Traffic blocked on NGFW

• Let make this policy device aware. The policy needs to be enhanced to block YouTube on personal smart devices
only. ClearPass Policy Manager has a profiling engine that can classify device using several active and passive
profiling techniques. In this example DHCP fingerprinting was used.

ClearPass and Palo Alto Networks - Integration Guide 21

 Notice the change in role mapping below.

The Dynamic Address Group and Tag need to be modified accordingly on the NGFW.

In this case, the traffic will only be blocked if accessing from a smart device but will not be blocked from a computer which
makes the policy device aware.

Look at the highlighted traffic in the box. Traffic from 10.2.100.221 is from a MacBook which is allowed access whereas
traffic from 10.2.100.205 is from iPad which is blocked by NGFW.

Please note, device aware policies can also be created using HIP Objects, but the flexibility of roles and tags makes it much
easier to implement and hence preferred.

ClearPass and Palo Alto Networks - Integration Guide 22

 Posture data

ClearPass OnGuard is an agentless and agent-based solution that reports health or posture attributes associated with an
endpoint. It can collect several health attributes from an endpoint based on the client OS and these can be leveraged to
define granular policies. The Posture data can also be used to assign roles on a NGFW thereby restricting access if the
endpoint is not using the latest version of Antivirus or is basically not adhering to company’s compliance policy.

There are 2 ways of achieving this.

1. Create a Context Server Action with static role

2. Use Endpoint attributes with Role Mapping

Here the first approach has been used since it leverages cache data and is more efficient.

• Role Mapping cannot be used here as shown in the previous example since posture evaluation within CPPM
happens after role mapping. A new Context Server Action to send a static role needs to be created. Create a copy
of Register Role and Unregister Role Context Server Action. Change the name of the action and include the static
role in the Content to be posted as highlighted below.

A similar copy and modification for Unregister Role needs to be created as well.

• Enforcement Profile leveraging the above Context server actions needs to be created as shown below.

ClearPass and Palo Alto Networks - Integration Guide 23

 • The above enforcement profile should be applied when the System Posture Token is Quarantine as shown in the
Enforcement Policy below.

Observe the enforcement policy above. The condition 1 leverages posture token from the WEBAUTH service.

A WEBAUTH service is essentially triggered by OnGuard when sending the posture information of the endpoint.
OnGuard collects health or posture data from the endpoint and posts that data to CPPM using HTTPS. This
interaction shows up in CPPM as a WEBAUTH on access tracker. To leverage the posture token in the RADIUS
service, it is important to check the highlighted checkbox that allows the service to use cached roles and posture
attributes.

The 2nd condition in the Enforcement Policy above is redundant and is only shown as an example here to highlight
the level of granularity that the policy can be defined with. One can either leverage the aggregate System Posture
Token or can leverage the posture of individual health classes within OnGuard.

Configuration of ClearPass OnGuard is beyond the scope of this document.

• Ensure the role being sent using the context server action is configured as a Tag on NGFW and is subsequently
used in a Dynamic Address Group to be leveraged within the Security Policy.

ClearPass and Palo Alto Networks - Integration Guide 24

 • A Security Policy Rule defined is shown below

If an endpoint is non-compliant, it is denied access to key internal resource. As an example, a simple policy which
denies some applications is used here. This policy could be defined based on the customer requirement and
infrastructure.

• Let us look at the actual scenario now where an endpoint connects and the posture status is non-compliant or
unhealthy.

ClearPass and Palo Alto Networks - Integration Guide 25

 The Antivirus on the endpoint is not updated as per the compliance requirements and hence the posture status
shows quarantine. Since the role cannot be posted to NGFW within a WEBAUTH service, a terminate session
enforcement profile is sent along with the Quarantine Agent enforcement profile which basically notifies the user
of the compliance of the endpoint.

A terminate session results in a re-authentication so that the policy can be re-evaluated using the RADIUS service.
The cached system posture status token used in the RADIUS service is shown below. Observe the enforcement
profiles triggered as well

CPPM sends the static Context Server Action with the Quarantine role defined earlier to the NGFW.

ClearPass and Palo Alto Networks - Integration Guide 26

 • NGFW blocks ssh traffic to internal network as defined by the Security Policy based on the Quarantine role that got
assigned as the Tag for that IP. The tag belongs to the Unhealthy address group defined.

The second approach for leveraging posture information to send roles can be achieved using Entity Update enforcement
profile. The configuration is easy to achieve and is beyond the scope of this guide as the above method should be preferred.

Guest with MAC Caching

ClearPass Guest is an easy-to-use visitor management service that delivers automated guest access workflows for visitors,
contractors etc. One of the regulatory requirements for providing free visitor internet or hotspot in many countries is to log
the traffic for the visitor. This is required for auditing purposes. Traditionally these logs were stored with mac address or IP
address of the endpoint hence not very useful for forensics unless the user details can be correlated.

CPPM can provide User-to-IP correlation thereby making these logs very useful for auditing. An example of the logs from
NGFW is shown below.

CPPM can also send the role of the user. For example, if the user is a guest or a contractor. Relevant policies can be applied
on NGFW or Panorama using role to tag mapping as explained multiple times within this document.

MAC caching is a popular feature within CPPM and is almost always used with ClearPass Guest access. A visitor who has
authenticated on the network is allowed on the network automatically for the stipulated mac-cached interval to enhance
user experience. It prevents users from having to re-login after every disconnect.

ClearPass and Palo Alto Networks - Integration Guide 27

 Once the user reconnects, it essentially uses MAC authentication in the backend to allow this user. The issue with this
approach is that the username EQUALS mac address in this scenario and hence if the integration with NGFW is enabled, the
MAC address gets posted as the username as shown below.

An easiest way to fix this is send the username attribute that is appended to the Endpoint within CPPM rather than sending
the actual username used for authentication.

Generally, the services for visitor authentication is created with an easy-to-use wizard. The service by default has a MAC
Caching enforcement profile that appends user information to the endpoint as shown below.

Thus, it is important to send %{Endpoint:Username} instead of the MAC address as a username to the NGFW.

The easiest way to achieve this is to create a context server action where the content is replaced to
send %{Endpoint:Username}.

• Create a copy of “Send Login Info” and “Send Logout Info”. Rename them and replace the content as highlighted
below.

ClearPass and Palo Alto Networks - Integration Guide 28

 • Use the above Context Server Action in the Enforcement Profile that will be tied to the MAC caching service as
shown below.

• The default MAC authentication service created with the wizard for Guest with MAC Caching using the above
enforcement profile will be

ClearPass and Palo Alto Networks - Integration Guide 29

 • This will ensure the correct user info is correlated with the IP on the NGFW for users authenticating with MAC
address.

ClearPass and Palo Alto Networks - Integration Guide 30

 Egress Context Sharing with Panorama
Palo Alto Networks Panorama is the centralized management system for NGFW. ClearPass Policy Manager provides a built-
in option to integrate directly with Panorama, which in turn will forward the information to firewalls it manages.

If the integration is with Panorama, all the steps for egress context sharing with NGFW remains exactly the same except the
fact that a different endpoint context server needs to be added. Palo Alto Networks Panorama is added as an endpoint
context server and the enforcement profile needs to reference the Panorama IP rather than a Firewall IP. These steps are
shown below. Rest of the steps remain exactly the same as the previous section “Egress Context Sharing with Palo Alto
Networks Firewall”

Adding Context Servers

Navigate to Administration > External Server > Endpoint Context Servers > Add Context Server and select Palo Alto
Networks Panorama, enter the required IP address of the Panorama, and a username/password pair that ClearPass Policy
Manager will use to send user/endpoint context data.

Configuration attribute Description Example/Values

Server Type Enter the FQDN or IP address of the server 10.1.1.1/pan1.arubasecurity.net

Server Base URL This gets auto generated. Do not modify.

Authentication Method Select Basic

ClearPass and Palo Alto Networks - Integration Guide 31

 Username and Password Specify the credentials required to access Palo Alto
Networks APIs. Steps in next section “Palo Alto
Networks Configuration”

Username Transformation The username posted from ClearPass to Palo Alto None, Prefix NetBIOS Name, Use
Networks can be transformed using this option Full Username

None - User ID updates and HIP Reports will only

have an entry for the username.

Prefix NetBIOS Name - User ID updates will have an

entry as NetBIOS Name\username; the HIP Report
will also have NetBIOS Name\username, and will
include NetBIOS Name as domain field

Use Full Username - User ID updates will have an

entry as Full Username propagated by policy server.

Palo Alto Networks Firewall Enter serial numbers of the NGFW instances 1234567890
Serial Numbers managed by Panorama

Validate Server Check the box to validate the server certificate Disable/Enable

Enable Server This enables the context server. Ensure it is checked Disable/Enable
if being used.

Bypass Proxy If enabled, the HTTP proxy server configured within Disable/Enable
ClearPass is ignored.

IP Version Specify whether CPPM should share the IPv4 or IPv6 IPv4, IPv6 or Both
address of the endpoint or both with NGFW. Default
is IPv4

ClearPass and Palo Alto Networks - Integration Guide 32

 Adding Enforcement Profile

Finally, a minor tweak in the enforcement profile where the Server Type is Palo Alto Networks Panorama and the Server IP
is the Panorama management interface and not NGFW as shown below.

ClearPass and Palo Alto Networks - Integration Guide 33

 Threat Protection Using Ingress Event Engine
This section covers the 3rd use case specified in the “Introduction” section. Ingress event engine enables 3rd party security
platforms to send feedback to ClearPass Policy Manager. This feedback is usually in the form of a syslog message which is
parsed using a pre-loaded or a custom dictionary. This allows for an event-driven real time enforcement to happen on the
network infrastructure and hence enables a very effective security framework.

The ingress event engine dictionaries for Palo Alto Networks exists by default within ClearPass Policy Manager. There are 2
dictionaries readily available for use

a) Threat dictionary

b) Traffic dictionary

Each of these dictionaries are used to parse a different syslog message type sent to CPPM by NGFW. The threat dictionary
as the name suggests helps to parse syslog message associated with a security threat. Similarly, if an endpoint is hitting a
deny ACL, a syslog associated with this event can be sent to CPPM so that it can parse the message and take relevant
actions if necessary.

ClearPass Policy Manager Configuration

Enable Ingress Event Engine

Enable ingress event engine on a CPPM node. If you have a cluster, pick the node serving the least amount of traffic. An
important point to remember is that ClearPass Policy Manager is not a syslog server. Hence one should not inundate CPPM
with syslog messages rather only send the relevant messages which warrant an action. Ensure appropriate filters are used
to send syslog messages.

To enable ingress event engine, navigate to Administration > Server Manager > Server Configuration. Click on the server
which will be responsible for processing the syslog events and Enable Ingress Events Processing as shown below.

When ingress event engine, a warning stating it is a CPU intensive operation is thrown. Click Yes to continue and ensure you
Save the server configuration settings.

ClearPass and Palo Alto Networks - Integration Guide 34

 This step checks the services associated with ingress events called Ingress logger service and Ingress logrepo service.
Ensure these services are running under Administration > Server Manager > Server Configuration. Select the server where
ingress events processing is enabled and go to Services Control tab to check if the services below are running.

Enable Dictionaries

The ingress event engine requires a dictionary to parse the contents of the syslog message and extract useful data from it.
The dictionary for NGFW is available within CPPM but disabled by default. This needs to be enabled under Administration >
Dictionaries > Ingress Events. The Threat Syslog dictionary is shown as an example below. Enable Traffic Syslog dictionary
as well if required.

ClearPass and Palo Alto Networks - Integration Guide 35

 Add Event Source

To allow CPPM to accept and process syslog data from a syslog source, an event source needs to be defined. If an IP of the
syslog source is not defined, CPPM will simply discard the data adding a layer of security for the syslog exchange.

This can be configured under Configuration > Network > Event Sources. Click on Add.

Specify a Name and add the IP address of the source that will send the Syslog message. Ensure the Vendor is set to Palo
Alto Networks and the Event Source is enabled.

Service Configuration

A special service of type Event-based Enforcement is required for processing ingress events. This service looks at the
pattern of the syslog message for classification and then leverages an enforcement profile for action. The enforcement
profiles typically used are for dynamically changing roles using Change of Authorization (CoA). The new role can completely
restrict access, throw a captive portal showing the reason for quarantining of an endpoint for a better user experience or
restrict bandwidth. CPPM can also leverage its rich set of third-party integrations and trigger a helpdesk ticket or leverage
its own REST APIs to trigger an email.

Let us look at the service configuration below. Go to Configuration > Services {Add}. Select Type as Event-based
Enforcement.

ClearPass and Palo Alto Networks - Integration Guide 36

 Check the service classification rule. It looks for <VALUE> in the Pattern-Name from the syslog message received. This
service will not be called into action if the match does not exist and it will show up as a service classification failure within
Access Tracker. This tag “PANW-Threat” is essentially added by the dictionary upon parsing the syslog.

The next part of the service configuration is the Enforcement tab, which determines actions pertaining to a condition. The
actions within CPPM are defined using enforcement profiles. A sample enforcement policy used for the service is shown
below. Ensure the enforcement policy created is using Enforcement Type as Event.

In the enforcement policy above, the service is looking for the field log_sub_type which is derived when the parser passes
the syslog message sent. If the field contains the value “vulnerability”, relevant actions are taken.

Let us look at the actions.

1. The first action is a CoA, which dynamically changes the role of the affected endpoint on a switch or wireless
controller hence restricting its access at the edge of the network.

2. CPPM can also leverage its own REST APIs to trigger an email using the SMTP server configured. Here it triggers an
email for the security operations center notifying them of this event.

3. ClearPass exchange integrates with Service Now, BMC Remedy and other ITSM tools. The 3rd Enforcement Profile
creates a Service Now ticket for IT visibility and management.

Configuration steps for all of these enforcement profiles is beyond the scope of this guide. Use-cases may vary for every customer and a
sample flow is shown here.

Change of Authorization(CoA) enforcement profile used is shown below

ClearPass and Palo Alto Networks - Integration Guide 37

 Following are the screenshots for the enforcement profile – “Email Security Operations Center” for reference.

The action defined above is the context server action. This context server action can be directly imported using
https://github.com/aruba/clearpass-exchange-snippets/tree/master/messaging/clearpass-smtp

A valid SMTP server needs to be configured on ClearPass Policy Manager for this to work.

Creating tickets with Service Now is beyond the scope of this guide. It is shown here to explain the range of possible
actions. One can even trigger calls or SMS using Pagerduty or Twilio or 3rd party messaging applications.

ClearPass and Palo Alto Networks - Integration Guide 38

 Tuning Ingress Event Engine (Optional)

The processing of the received syslog involves multiple steps including parsing and writing this data before an event can be
triggered. The Ingress Event Engine processes these messages in batches with the default timer for Batch Processing
Interval set to 30 seconds. This can be tweaked to a value as low as 10 seconds for quicker action however it requires
enough resources on the server for the value to be as low. In scenarios where a dedicated hardware is used for Ingress
Events this value can be lowered considering we maintain the rule of not flooding CPPM with syslog messages and only
send the ones that require an action.

This value can be tweaked under Administration > Server Manager > Server Configuration. Click on the server and go to
Service Parameters and select Async network services.

Changing Syslog Port (Optional)

The logger service within CPPM is listening on TCP/UDP port 514 (default) for syslog messages. This can be changed if
required under Administration > Server Manager > Server Configuration. Click on the server and go to Service Parameters
and select Ingress logger service

Palo Alto Networks Configuration

A syslog message for events that warrant an action needs to be triggered from the Palo Alto Networks Firewall. As
discussed before, ensure relevant filters are used to avoid ClearPass Policy Manager from being flooded with syslog
messages.

A sample configuration of Custom Syslog Format in our lab is shown below. For further assistance on this contact your Palo
Alto Network expert. This can be configured on a NGFW under Device > Server Profiles > Syslog.

Specify the IP of the node on which Ingress Event Engine is enabled as the Syslog Server below.

ClearPass and Palo Alto Networks - Integration Guide 39

 The custom log format is shown below. Details on this are available in Palo Alto Networks docs here

Once configured, CPPM should receive syslog message in the above format. Remember CPPM will drop the traffic if it
comes from an unknown source. Hence, ensure you add the source of event as explained in the section “Add Event
Source”.

Example
Let us look at the sample use case where an action is triggered upon receiving a vulnerability detection message from Palo
Alto Networks Firewall.

• CPPM receives a threat syslog associated with a vulnerability. The syslog message received is as shown below.

Nov 22 00:08:13 PA-3020.ns-tme.com : 1,2019/11/22 00:08:13,001801014231,THREAT,vulnerabil-

ity,1,2019/11/22 00:08:13,10.2.100.205,140.205.159.56,0.0.0.0,0.0.0.0,,Malware Check,cam,,web-
browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,Log Forward to Splunk,2015/05/07
00:08:13,22583,2,42697,80,0,0,0x0,tcp,reset-both,"check_config_update",shareit-config-
POST(41001),any,high,client-to-server,1222,0x0,10.0.0.0-10.255.255.255,CN,

• ClearPass Policy Manager will parse this message using the dictionary and the ingress event engine. The event-type
service will catch the request as shown below. Let us look at the computed attributes in the access tracker. These

ClearPass and Palo Alto Networks - Integration Guide 40

 are the attributes pulled from the syslog message and collated by CPPM leveraging its own context associated with
the user and the endpoint.

The syslog message sent from a security system like NGFW does not contain the mac-address of the endpoint but
usually sends the IP or username details of the infected endpoint. ClearPass Policy Manager leverages Insight
database and correlates this information to act on an appropriate endpoint.

ClearPass and Palo Alto Networks - Integration Guide 41

 All the above attributes captured can be used in the policy. The enforcement Policy used here leverages the
condition that if Event:PANW-Threat:log_sub_type = vulnerability a CoA is triggered to change the role.

Different threat alerts can be triggered from NGFWs and forwarded to CPPM. Different actions using enforcement
profiles can be triggered based on the conditions defined within the enforcement profile.

• In this case, the device is quarantined using CoA. A change of user role is triggered for the Aruba Controller. This
could also be an Aruba switch. A dynamic ACL or VLAN can be sent for other NADs. A disconnect can also be sent
for re-evaluation of the policy. Custom attributes can also be written in the endpoint repository for this device
which can be leveraged for visibility or policy.

GlobalProtect VPN with OnGuard Health Updates

ClearPass and Palo Alto Networks - Integration Guide 42

 This section covers the 4th use case discussed in the Introduction section. Palo Alto Networks GlobalProtect establishes a
secure SSL/IPsec VPN Connection to the next-generation Firewall. This enables users’ access to corporate data or
infrastructure similar to a traditional VPN.

Customers can leverage the benefits of ClearPass OnGuard to ensure compliance of the device before granting access to
the sensitive corporate data and infrastructure over GlobalProtect VPN. ClearPass OnGuard can incorporate a wide range of
health checks on Windows, macOS and Linux. Refer ClearPass OnGuard TechNote on support site for more details.

https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?
EntryId=33302

These endpoints connecting over VPN enables ClearPass OnGuard to send the posture data to ClearPass server. This data
can then be used to evaluate the health of the endpoint before granting access over VPN. The access can be dynamically
changed by assigning appropriate roles on the Firewall. Hence a restricted access role can be applied if the endpoint does
not meet the desired compliance policy.

Why the need for an Extension?

1. The native Palo Alto Networks integration can only be triggered off RADIUS accounting start and stop messages.
Most VPN solutions, including GlobalProtect do not use RADIUS accounting.

2. The native integration also pulls the client IP address from RADIUS accounting. This IP information is required
when posting the tag to NGFW.

3. A generic HTTP endpoint context server could not be used due to the workflow required to acquire an API key and
maintain its lifecycle.

Challenges #1 and #2 can be worked around by using HTTP Enforcement and sending the updated TAG to Palo Alto
Networks within the WEBAUTH request triggered by OnGuard. However, it would still fail as the session key management
fails. Hence, an extension was built to addresses the problem of the API session key management. Correct and updated
session keys are required to post the tag to NGFW leveraging the XML APIs. It is the responsibility of the extension to
handle API key management and the final API call assembly.

In order to configure this, three steps need to be completed;

• Configuration and installation of the extension

• Configuration of context server action and service within ClearPass Policy Manager

• Configuration of a tag in NGFW

The configuration of ClearPass OnGuard and Palo Alto Networks GlobalProtect VPN is beyond the scope of this document

Let’s look at each of the configuration steps in detail to achieve this workflow.

ClearPass and Palo Alto Networks - Integration Guide 43

 Step I: Configuration and Installation of the Extension

Starting in ClearPass 6.7, a Graphical User Interface (GUI) was introduced to make the process of interacting with the
extension framework easier. To access the extension GUI, from the ClearPass Guest navigate to Administration >
Extensions. From here, click on ‘Install Extension’, and the search box below appears. Enter the keyword “Palo” and click
on ‘Search’. Click on the Extension and it will provide an option to ‘Install’ as shown below.

Usually IP assignment is not a mandatory step when trying to install an extension. However, in this case it is recommended
to use a static IP for extension as shown below.

A static IP used ensures that the extension IP stays constant as it will be used in the HTTP enforcement profile to be
configured later. Make a note of this IP.

ClearPass and Palo Alto Networks - Integration Guide 44

 After the extension has been installed, review the extension configuration as necessary and adjust as needed. Notice the
options to Start, Delete, Reinstall or Show Logs and the option to review and set the extension configuration. Click on the
Configuration option to view the default configuration shown below.

{
"panHost": "host.name",
"panUser": "user.name",
"panPassword": "********",
"verifySSLCerts": true,
"logLevel": "INFO"
}

The configuration needs to be modified based on the setup. The configuration attributes are explained in the table below

Configuration attribute Description Example/Values

panHost Palo Alto Networks Firewall IP or Hostname 10.1.1.1 or pan1.arubasecurity.net

panUser An NGFW administrator username that has Refer Figure 46

access over the XML APIs

panPassword Administrator user password Refer Figure 46

verifySSLCerts Should SSL certificates be validated when true/false

communicating with PAN Firewall

logLevel Logging level for troubleshooting "DEBUG", "INFO", "WARN", "ERROR"

Step II: Configuration of Context Server Action, Enforcement Profiles and Services within ClearPass Policy
Manager

ClearPass Policy Manager gets the system posture token using OnGuard. This posture token can be leveraged to send a tag
to Palo Alto Networks. A tag is sent to NGFW to quarantine the endpoint connected using GlobalProtect VPN. Let’s look at
the steps to achieve this.

The best way to configure this step is to import the XML available on Aruba GitHub. Kindly refer the link to download the
XML.

https://github.com/aruba/clearpass-exchange-snippets/tree/master/extensions

If the extension uses the IP 172.17.0.51 as configured in previous page, the file can be imported directly without any
changes. For any other IP, open the file in an editor of your choice and replace the IP with the extension IP configured. The
IP address needs to be replaced 12 times in the file.

The XML can be imported from Configuration > Enforcement > Profiles. Click on Import and select the file downloaded to
import.

ClearPass and Palo Alto Networks - Integration Guide 45

 A total of 4 Context Server Actions, 1 Endpoint Context Server and 2 Enforcement Profiles are imported using the XML.

If for some reason, the file cannot be imported each of the above needs to be configured manually. Steps are included
below for reference.

Endpoint Context Server

A Generic HTTP context server needs to be defined which will be used to POST the desired context to the extension
installed. The extension would then leverage the information and make an API call to NGFW to post the XML contents.

Remember this step is not required if the above XML has already been imported.

In order to define an endpoint context server, navigate to Administration > External Servers > Endpoint Context Servers.
Click on Add.

Use the IP address of the extension configured.

Please change the Server Base URL to use http. Username and Password can be left blank.

Remember this is primarily configured to POST the contents to extension which is a micro-service application within the
ClearPass Policy Manager.

Context Server Actions

There are primarily 2 context server actions that need to be used for this integration.

The first action is used to send the Quarantine tag to NGFW. This should be tied to the condition when the posture is
Quarantine or Unhealthy.

Remember this configuration includes copying XML contents, hence it is always recommended to import these using XML
to avoid any syntax errors. These actions described below are the part of the enforcement profile if already exported.

ClearPass and Palo Alto Networks - Integration Guide 46

 In order to configure these manually, please navigate to Administration > Dictionaries > Context Server Actions {Add}.

Select the Endpoint Context Server configured in previous step.

Under the Header tab, add the Content-Type = application/xml as shown below.

The Content is of type XML that needs to be posted to the extension which acts as a proxy and POSTs it to the NGFW.

ClearPass and Palo Alto Networks - Integration Guide 47

 A similar Context Server Action needs to be created to unregister the Quarantine Posture Tag. This is used to move the user
from Quarantine role back to Healthy. The only thing that differs in this Context Server Action is the Content.

Following is the Content to be Posted for both the actions.

1. Register Quarantine Tag

<uid-message><version>1.0</version><type>update</type><payload><register><entry ip="%{Connec-
tion:Client-IP-Address}"><tag><member>QUARANTINE</member></tag></entry></register></pay-
load></uid-message>

2. Unregister Quarantine Tag

<uid-message><version>1.0</version><type>update</type><payload><unregister><entry ip="%{Con-
nection:Client-IP-Address}"><tag><member>QUARANTINE</member></tag></entry></unregister></pay-
load></uid-message>

Enforcement Profiles

Finally, the context server actions are triggered using enforcement profiles. Enforcement Profiles of type HTTP Based
Enforcement needs to be created. Navigate to Configuration > Enforcement > Profiles. Click Add. Create 2 enforcement
policies for Register and Unregister action and map them as shown below.

ClearPass and Palo Alto Networks - Integration Guide 48

 Sample Service Configuration

The best way to use the HTTP enforcement profile in this scenario is within the enforcement policy defined in the
WEBAUTH for OnGuard. If OnGuard determines the posture token for the endpoint as UnHealthy, assign the Quarantine tag
on the Firewall.

The service created here helps to compute the posture or compliance associated with the endpoint. The WEBAUTH service
has a posture policy tied to it which determines the health class checks for a particular endpoint. Configuration of OnGuard
is beyond the scope of this guide.

To create a service, go to Configuration > Services. Select the type as Web-based Health Check.

Following is the snapshot of the enforcement policy within the WEBAUTH service for reference.

ClearPass and Palo Alto Networks - Integration Guide 49

 Step III: Configuration of a TAG in Palo Alto Networks Firewall

Add the QUARANTINE (case sensitive) tag on NGFW. Go to Objects > Tags. Click Add.

Next step is to navigate to Objects > Address Groups and add a mapping for Dynamic Address Group(DAG) as shown below.

This Dynamic Address Group(DAG) can then be used in Firewall policy to match quarantined sessions. This can be created
under Policies > Security in the Firewall. A sample policy is shown below.

ClearPass and Palo Alto Networks - Integration Guide 50

 Remember that the OnGuard requires communication to be enabled between endpoint to ClearPass Policy Manager on TCP
port 443 and TCP port 6658 even when Quarantined. If blocked, the posture information is not sent successfully to CPPM
server. Also, enable the necessary communication for remediation services within the quarantine policy defined.

Troubleshooting Tips
This section walks through some useful commands that can be executed on a NGFW CLI. It also captures details on useful
log files within ClearPass Policy Manager which can be used for troubleshooting.

UserID <-> IP Address Mapping

To look at the user’s that are logged in and their IP address mapping, use the following command: show user ip-user-
mapping all

Use the command show user ip-user-mapping ip [ip address] to show additional information where user attributes are
being used by Palo Alto Networks policies.

ClearPass and Palo Alto Networks - Integration Guide 51

 The value of Idle Timeout shown above will be Never for PAN-OS 7. Starting PAN-OS 8.0, this is set to 45 minutes by default as shown in
the section “Setting Palo Alto Networks User Identification Timeout”.

Following is the output of the same command in a setup running PAN-OS 8 and ClearPass 6.7 and above.

Dynamic Device (Tag) <-> IP Address Mapping

Use the following command: debug user-id dump registered-ip all

ClearPass and Palo Alto Networks - Integration Guide 52

 UserID <-> ClearPass Roles

Use the following command: debug user-id dump registered-ip all

UserID <-> Showing all Dynamic DAGs

To show the pre-configured DAG groups and their use in policy, use the following command: show object dynamic-address-
group all

ClearPass and Palo Alto Networks - Integration Guide 53

 Show HIP Reports

To display the HIP data related to an endpoint (assuming it is available) use the command: debug user-id dump hip-report
computer <c> ip <i> user <u>. Note you have to supply specific values for computer, IP, and user.

Some additional Debugging Commands

Showing the HIP database: debug user-id dump hip-profile-database

ClearPass and Palo Alto Networks - Integration Guide 54

 Show XMLAPI statistics

The below is a high-level view of the XMLAPI statistics. If there is zero activity here then you can assume some serious
configuration or network problems exist between ClearPass and the Palo Alto Networks devices.

debug user-id dump xmlapi-stats

ClearPass and Palo Alto Networks - Integration Guide 55

 Real-Time debug monitoring of the UserID process

A very effective way to monitor the XML API process in real-time is using the following commands. This will set up an
interactive (like tail –f) rolling update for the UserID process.

debug user-id on debug

debug user-id set userid all

tail follow yes mp-log useridd.log

Remember to disable the logging debug user-id off

The final debug command for the Palo Alto Networks Firewall shows all of the UserID Manager Data. This shows all users
that have been registered through the XMLAPI process.

debug user-id dump idmgr type user all

ClearPass and Palo Alto Networks - Integration Guide 56

 ClearPass Policy Manager Logs files

ClearPass collects multiple log files that can assist the administrator in debugging ClearPass Policy Manager to Palo Alto
Networks integration problems. The process that triggers sending data via the XML API is performed by the Post
Authentication daemon which updates the postauthctrl.log file if using PostAuth v1 and postauth.log if using PostAuth v2.
Checking this log file can provide a valuable insight into the workings of this process on the ClearPass Policy Manager side
and possible issues related to the communication with Palo Alto Networks endpoint.

To collect and access this log file takes multiple steps, please follow these steps:

Under Administration > Server Manager > Server Configuration, select your system if you have a cluster then click ‘Collect
Logs’.

You only need to collect as highlighted below ‘Logs from all Policy Manger services’ to obtain the postauthctrl.log file.

This will save significantly on the log collection process and the corresponding download file is much smaller. If you are not
able to analyze an issue and you engage Aruba TAC, it is likely they will want system logs in addition to the Policy Manager
services logs.

ClearPass and Palo Alto Networks - Integration Guide 57

 Once you have located the postauthctrl.log file, there are certain entries you will want to look for; several examples are
shown below. These provide an insight into the XML API communication between ClearPass and the Palo Alto Networks
Firewall. Once a user has associated and been authenticated, if the service match that authenticates the user has a
post_authentication Palo Alto Networks trigger then you should be able to match that session to an entry in this log file.

Below are five example messages sent from CPPM to a Palo Alto Network endpoint. You would expect to find these or very
similar ones within the log file. The last one shown is specific for HIP Objects.

Sending login UserID + Source IP@, as user logs in

<uid-message>
<version>1.0</version>
<type>update</type>
<payload>
<login>
<entry name="dannyj" ip="10.4.28.110"/>
</login>
</payload>
</uid-message>

Adding IP@ to Category, as ClearPass profiles the IP@

<uid-message>
<version>1.0</version>
<type>update</type>
<payload>
<register>
<entry identifier="SmartDevice" ip="10.4.28.110"/>
</register>

ClearPass and Palo Alto Networks - Integration Guide 58

 </payload>
</uid-message>

Sending logoff UserID + IP@, as user logouts

<uid-message>
<version>1.0</version>
<type>update</type>
<payload>
<logout>
<entry name="dannyj" ip="10.4.28.110"/>
</logout>
</payload>
</uid-message>

Removing IP@ from Category as device logout

<uid-message>
<version>1.0</version>
<type>update</type>
<payload>
<unregister>
<entry identifier="SmartDevice" ip="10.4.28.110"/>
</unregister>
</payload>
</uid-message>

XML example of HIP Object

Sending username, domain-name, host-name, IP@ and client-version (OS-type).

<uid-message>
<version>1.0</version>
<type>update</type>
<payload>
<login>
<entry name="ClearPasseccert\certuser1" ip="192.168.100.1"><hip-report>
<md5-sum>aaea39d589a1f7540d137e56a6d60b31</md5-sum>
<user-name>certuser1</user-name>
<domain>ClearPasseccert</domain>
<host-name>toshi-driver-32</host-name>
<ip-address>192.168.100.1</ip-address>
<generate-time>06/03/2014 12:01:31</generate-time>
<categories><entry name="host-info">
<host-name>toshi-driver-32</host-name>
<domain>ClearPassECCERT</domain>
<client-version>Windows 7</client-version>
</entry></categories>
</hip-report></entry>
</login>
</payload>
</uid-message>

ClearPass Extension Log files

After the Logs have been collected and exported from the system, expand the GZ file and locate the extension logs in the
following location ‘PolicyManagerLogs > extension’ as shown below. These logs are required when troubleshooting an
install of GlobalProtect extension.

ClearPass and Palo Alto Networks - Integration Guide 59

 Ingress Event Engine Logs

Syslog messages sent to CPPM are silently dropped if the event source is not defined under Configuration > Network >
Event Sources.

The message received by CPPM is picked up by the logger service in CPPM. Once a message successfully reaches the logger
it is logged under igesyslog.log. This file can be accessed under PolicyManagerLogs > igesyslog.

The sample message format received by the logger is the message format that the dictionary needs to be written for. The
grok parser should be able to parse this message successfully.

<13>1 2019-11-22T00:08:13+05:30 PA-3020.ns-tme.com - - - : 1,2019/11/22

00:08:13,001801014231,THREAT,vulnerability,1,2019/11/22
00:08:13,10.2.100.205,140.205.159.56,0.0.0.0,0.0.0.0,,Malware Check,cam,,web-browsing,vsys1,trust,un-
trust,ethernet1/2,ethernet1/1,Log Forward to Splunk,2015/05/07
00:08:13,22583,2,42697,80,0,0,0x0,tcp,reset-both,"check_config_update",shareit-config-
POST(41001),any,high,client-to-server,1222,0x0,10.0.0.0-10.255.255.255,CN,

Once the message is received it is parsed and any further errors with parsing can be seen under PolicyManagerLogs >
async-net > ingressproc.log.

A successful parsing of the above sample message is shown below for reference. In order to get DEBUG logs for this one
needs to enable DEBUG for Async Network Services as shown below. This is under Administration > Server Manager > Log
Configuration.

ClearPass and Palo Alto Networks - Integration Guide 60

 Sample Log message for successful parsing under ingressproc.log. Notice the fields being extracted successful and being
mapped to the attributes as defined in the dictionary.

2019/11/22 23:26:26 DEBUG Response Body={

"took" : 6279,
"timed_out" : false,
"_shards" : {
"total" : 10,
"successful" : 10,
"failed" : 0
},
"hits" : {
"total" : 2,
"max_score" : null,
"hits" : [ {
"_index" : "logstash-2019.11.22",
"_type" : "logs",
"_id" : "AW6UP6UB0ykxdXaUaMeu",
"_score" : null,
"_source" : {
"@timestamp" : "2019-11-22T17:53:49.197Z",
"Event:Event-Name" : "THREAT",
"Event:Threat-Name" : "vulnerability",
"Event:Source-IP-Address" : "10.2.1.1",
"Event:Destination-IP-Address" : "140.205.159.56",
"Event:Timestamp" : "2019-11-22 23:23:49",
"Event:Username" : "cam",
"Event:Pattern-Name" : "PANW-Threat",
"Event:PANW-Threat:host" : "AB-CPPM-1",
"Event:PANW-Threat:type" : "cppm-ige-syslog",
"Event:PANW-Threat:tags" : [ "_grokparsefailure", "PANW-Threat" ],
"Event:PANW-Threat:syslog_priority" : "13",
"Event:PANW-Threat:version" : "1",
"Event:PANW-Threat:time" : "2019-11-22T00:08:13+05:30",
"Event:PANW-Threat:syslog_hostName" : "PA-3020.ns-tme.com",
"Event:PANW-Threat:future_use1" : " - - - : 1",
"Event:PANW-Threat:receive_time" : "2019/11/22 00:08:13",
"Event:PANW-Threat:serial_number" : "001801014231",
"Event:PANW-Threat:log_type" : "THREAT",
"Event:PANW-Threat:log_sub_type" : "vulnerability",
"Event:PANW-Threat:future_use2" : "1",
"Event:PANW-Threat:generated_time" : "2019/11/22 00:08:13",
"Event:PANW-Threat:source_ip" : "10.2.100.205",
"Event:PANW-Threat:destination_ip" : "140.205.159.56",
"Event:PANW-Threat:nat_source_ip" : "0.0.0.0",

ClearPass and Palo Alto Networks - Integration Guide 61

 "Event:PANW-Threat:nat_destination_ip" : "0.0.0.0",
"Event:PANW-Threat:rule_name" : "Malware Check",
"Event:PANW-Threat:source_user" : "cam",
"Event:PANW-Threat:application" : "web-browsing",
"Event:PANW-Threat:virtual_system" : "vsys1",
"Event:PANW-Threat:source_zone" : "trust",
"Event:PANW-Threat:destination_zone" : "untrust",
"Event:PANW-Threat:ingress_interface" : "ethernet1/2",
"Event:PANW-Threat:egress_interface" : "ethernet1/1",
"Event:PANW-Threat:log_forwarding_profile" : "Log Forward to Splunk",
"Event:PANW-Threat:future_use3" : "2015/05/07 00:08:13",
"Event:PANW-Threat:session_id" : "22583",
"Event:PANW-Threat:repeat_count" : "2",
"Event:PANW-Threat:source_port" : "42697",
"Event:PANW-Threat:destination_port" : "80",
"Event:PANW-Threat:nat_source_port" : "0",
"Event:PANW-Threat:nat_destination_port" : "0",
"Event:PANW-Threat:flags" : "0x0",
"Event:PANW-Threat:protocol" : "tcp",
"Event:PANW-Threat:action" : "reset-both",
"Event:PANW-Threat:miscellaneous" : "check_config_update",
"Event:PANW-Threat:threat_id" : "shareit-config-POST(41001)",
"Event:PANW-Threat:category" : "any",
"Event:PANW-Threat:severity" : "high",
"Event:PANW-Threat:direction" : "client-to-server",
"Event:PANW-Threat:sequence_number" : "1222",
"Event:PANW-Threat:action_flags" : "0x0",
"Event:PANW-Threat:source_location" : "10.0.0.0-10.255.255.255",
"Event:PANW-Threat:destination_location" : "CN",

ClearPass and Palo Alto Networks - Integration Guide 62