I am trying to create a Dynamic User Group using log settings for HIP logs by the following procedure:
1- created one tag
2- configured log settings for the HIP log with a built-in action tagging the source user with the tag created before
3- created a dynamic group with the above tag as match criteria.
The dynamic users are not getting registered even though HIP logs are there. It is working fine for User-ID logs (instead of HIP logs). I have tested in PAN-OS 9.1 as well as 10.0. Both versions show the same behaviour. Has anybody faced the same?
Thanks in advance
Steps 1 and 3 should be very straightforward, but could you provide more details on step 2, as there are several variables you didn't include here?
Did you set any filters? Remote or local User-ID, ...
Just added log settings for HIP Match logs with a built-in action tagging the source user with the tag created; no log filter is used.
Tagging source user:
Target: User
Action: Add Tag
Registration: Local User-ID
Timeout: 20 min
Tag: tag created in the first step
Have you verified that logs which should trigger this tag are actually being created/forwarded?
Try adding a syslog or email profile to the same rule as the 'built-in action' rule to make sure there are actually logs.
Hi @reaper,
I can see the logs are created in HIP Match logs under the Monitor tab.
When I have a similar setup for User-ID logs, I can see the dynamic user group getting populated along with the new entry in the User-ID logs.
I can see the email alert as well if I configure an email receiver.
One thing to notice is that the User-ID logs have a 'user' column but the HIP log has 'source user'; not sure whether this is causing the issue in the background.
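The built-in action described above (Target: User, Action: Add Tag, Registration: Local User-ID, 20 min timeout) is the same user-to-tag registration that can be driven directly through the PAN-OS User-ID XML API. Registering the tag by hand separates the two halves of the setup: if an API registration populates the Dynamic User Group, the group and tag are fine and the gap is on the log-forwarding side (log type, filter or field); if it does not, the problem is in the group itself. The script below is an added example written for this thread, not code from the original posts or from Palo Alto Networks; the firewall address, API key, user name "acme\jdoe" and tag name "hip-healthy" are placeholders.

```python
"""Register and unregister a User-ID tag on a user via the PAN-OS User-ID XML API.

Added example for this thread (not from the original posts). Host, key,
user and tag values below are constructed placeholders.
"""
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

FIREWALL = "firewall.example.internal"  # assumed management address
API_KEY = "REPLACE_WITH_API_KEY"        # assumed API key


def build_register_xml(user: str, tag: str, timeout_seconds: int = 1200) -> str:
    """Return a <uid-message> that tags `user` with `tag`.

    1200 s matches the 20 min timeout used in the log setting; a timeout of
    0 registers the tag without expiry.
    """
    root = ET.Element("uid-message")
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    reg = ET.SubElement(payload, "register-user")
    entry = ET.SubElement(reg, "entry", user=user)
    tags = ET.SubElement(entry, "tag")
    ET.SubElement(tags, "member", timeout=str(timeout_seconds)).text = tag
    return ET.tostring(root, encoding="unicode")


def build_unregister_xml(user: str, tag: str) -> str:
    """Return a <uid-message> that removes `tag` from `user` (undo of the above)."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    unreg = ET.SubElement(payload, "unregister-user")
    entry = ET.SubElement(unreg, "entry", user=user)
    tags = ET.SubElement(entry, "tag")
    ET.SubElement(tags, "member").text = tag
    return ET.tostring(root, encoding="unicode")


def response_ok(body: str) -> bool:
    """True when the API reply is <response status="success">, False otherwise."""
    root = ET.fromstring(body)
    return root.tag == "response" and root.get("status") == "success"


def send_uid_message(xml_cmd: str, host: str = FIREWALL, key: str = API_KEY,
                     verify_tls: bool = True) -> str:
    """POST the uid-message to /api/?type=user-id and return the raw XML reply."""
    data = urllib.parse.urlencode(
        {"type": "user-id", "key": key, "cmd": xml_cmd}).encode()
    ctx = ssl.create_default_context()
    if not verify_tls:  # lab firewalls often run a self-signed management cert
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(f"https://{host}/api/", data=data, method="POST")
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    cmd = build_register_xml("acme\\jdoe", "hip-healthy")
    print(cmd)
    reply = send_uid_message(cmd)
    print("registered" if response_ok(reply) else f"failed: {reply}")
```

After a successful call, `show object registered-user all` on the firewall CLI should list the user with the tag, and the Dynamic User Group that matches on that tag should show the user as a member. Use `build_unregister_xml` to remove the registration once the test is done so the manual tag does not mask the log-forwarding behaviour you are troubleshooting.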
Back in ClearPass version 6.5, released in March 2015, some new features were added and a couple of older features modified to improve their function.

Policy Manager, when it is aware of the posture/health for an endpoint, can share this information with Palo Alto. ClearPass gathers different health class information from the OnGuard client, context such as the state of the endpoint firewall (enabled/disabled, engine version), derives a posture state, and then returns a healthy/un-healthy state per class back to the Palo Alto firewall. There are 10 classes that can be reported against, and they are covered later in the document.