- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
12-27-2020 01:35 AM
Hi Team,
I am trying to create a Dynamic user group using Log settings for HIP logs by the following procedure,
1- created one Tag
2- Configured log settings for HIP log for build in action tagging the source user with the tag created before
3- created a dynamic group with the above tag as match criteria.
The dynamic users are not getting registered even though HIP logs are there. It is working fine for User-id logs (instead of HIP logs). i have tested in PanOS 9.1 as well as 10.0. Both versions are showing same behaviur. Have anybody faced the same ?.
Thanks in advance
03-15-2021 04:50 AM
Hi Community,
Just confirmed with Palo Alto Engineering that 'Dynamic user group using HIP log tagging' is not currently supported. Palo Alto Documentation team is changing the document to remove HIP log support.
12-28-2020 01:42 AM
steps 1 and 3 should be very straight forward, but could you provide more details on step 2, as there are several variables you didn't include here
did you set any filters? remote or local userID, ...
12-28-2020 05:11 AM - edited 12-28-2020 05:19 AM
Hi @reaper
Just added log settings for HIP match logs with builtin action tagging source user with the tag created, no log filter is used.
tagging source user,
Target : - user
Action :- Add tag
Registartion :- Local User-ID
Timeout :- 20 min
Tag :- Tag created in first step
12-29-2020 03:54 AM
have you verified logs are actually being created/forwarded that should trigger this tag?
try adding a syslog or email profile to the same rule as the 'built-in action' rule to make sure there's actually logs
12-29-2020 04:00 AM - edited 12-29-2020 04:46 AM
Hi @reaper ,
Thanks!.
I can see the logs are created in HIP match logs under the monitor tab.
When I have a similar setup for user-id logs, I can see the dynamic user group is getting populated along with the new entry in 'user-id' logs.
i can see the email alert as well if I configure the email receiver.
One thing to notice is the user-id logs have 'user' column but the HIP log has 'source user', not sure this is causing the issue in the background.
12-30-2020 07:30 AM
Back in ClearPass version 6.5 released in March 2015, some new features were added and a couple of older
features modified to improve their function.
Policy Manager, when it’s aware of the posture/health for an endpoint, can share this information with Palo
Alto. ClearPass gathers different health class information from the OnGuard client, context such as the state
of the endpoint firewall (enabled/disabled, engine version), derives a posture state, and then returns a
healthy/un-healthy state per class back to the Palo Alto firewall. There are 10 classes that can be reported
against and they are covered later in the document.
01-04-2021 06:05 AM
Hi @reaper /Community
Appreciate if you were able to replicate the issue in the lab. looks like a configuration limitation to me as it is not working in any PanOS version for HIP logs.
03-15-2021 04:50 AM
Hi Community,
Just confirmed with Palo Alto Engineering that 'Dynamic user group using HIP log tagging' is not currently supported. Palo Alto Documentation team is changing the document to remove HIP log support.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!