Dynamic user group using HIP log tagging

Reply
L4 Transporter

Dynamic user group using HIP log tagging

Hi Team,

 

I am trying to create a Dynamic user group using Log settings for HIP logs by the following procedure,


1- created one Tag
2- Configured log settings for HIP log for build in action tagging the source user with the tag created before
3- created a dynamic group with the above tag as match criteria.

The dynamic users are not getting registered even though HIP logs are there. It is working fine for User-id logs (instead of HIP logs). i have tested in PanOS 9.1 as well as 10.0. Both versions are showing same behaviur. Have anybody faced the same ?.

 

Thanks in advance

L7 Applicator

steps 1 and 3 should be very straight forward, but could you provide more details on step 2, as there are several variables you didn't include here

did you set any filters? remote or local userID, ...

 

 

Tom Piens - PANgurus.com
Like my answer? check out my book! amazon.com/dp/1789956374
L4 Transporter

Hi @reaper 

 

Just added log settings for HIP match logs with builtin action tagging source user with the tag created, no log filter is used.

tagging source user,

Target : - user

Action :- Add tag

Registartion :- Local User-ID

Timeout :- 20 min

Tag :- Tag created in first step

L7 Applicator

have you verified logs are actually being created/forwarded that should trigger this tag?

try adding a syslog or email profile to the same rule as the 'built-in action' rule to make sure there's actually logs

Tom Piens - PANgurus.com
Like my answer? check out my book! amazon.com/dp/1789956374
L4 Transporter

Hi @reaper ,

 

Thanks!.

I can see the logs are created in HIP match logs under the monitor tab.

When I have a similar setup for user-id logs, I can see the dynamic user group is getting populated along with the new entry in 'user-id' logs.

i can see the email alert as well if I configure the email receiver.

One thing to notice is the user-id logs have 'user' column but the HIP log has 'source user', not sure this is causing the issue in the background.

L0 Member

Back in ClearPass version 6.5 released in March 2015, some new features were added and a couple of older
features modified to improve their function.
Policy Manager, when it’s aware of the posture/health for an endpoint, can share this information with Palo
Alto. ClearPass gathers different health class information from the OnGuard client, context such as the state
of the endpoint firewall (enabled/disabled, engine version), derives a posture state, and then returns a
healthy/un-healthy state per class back to the Palo Alto firewall. There are 10 classes that can be reported
against and they are covered later in the document.

 

 

 

typhoon tv 

L4 Transporter

Hi @reaper /Community

 

Appreciate if you were able to replicate the issue in the lab. looks like a configuration limitation to me as it is not working in any PanOS version for HIP logs.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!