This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

The dreaded User-ID, Dynamic TAGS, XMLAPI and Multi-vsys

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

The dreaded User-ID, Dynamic TAGS, XMLAPI and Multi-vsys

gfirth77
L0 Member

‎11-11-2021 03:05 PM

Hi Community, my first post so hopefully I am in the right area.

I am running a multi-vsys setup with 5220's in Active-Active HA and using XMLAPI calls from Aruba ClearPass to send login/logout info as well as tags for use in dynamic object groups. It seems to be hit and miss with tags being registered for clients/IP addresses particularly on one vsys. From ClearPass I send the client info via the External Context Server function to all firewalls and vsys using the data plane and it seems quite random/intermittent with the multi-vsys setup.

I have been through Aruba TAC for a few weeks now and I also have a case with Palo TAC looking at this also. An original ticket I had with Palo for this, I was sharing user-id between vsys using vsys1 as a user-id Hub, but that does not share dynamic tags info, only user-id so we went with sending the info to each vsys using a data plane interface. It seems to work, but the issue is, its intermittent/random. Most of the time it seems we get the 'login' info to both vsys, but the 'tag' is sometimes not registered with the vsys. I think this is a Palo problem, given we have debugged this to the nth degree on the ClearPass side.

I am wondering if anyone else out there has used a similar setup? I am running PANOS 10.0.4. I have seen a bunch of user-id updates in future firmware and I have asked the TAC to investigate if anything is related to my problem. Thanks.

1 REPLY 1

JimRussell
L0 Member

‎05-01-2023 02:12 PM

For what it's worth, I had some weird issues with IP-User mapping and then when I went from CPPM (I believe) 6.8 to 6.9 to 6.10, things mysteriously became better. Aruba didn't have anything to say about it. Now, as far as dynamic tags, I'm re-visiting that.

0 Likes Likes
  • 2129 Views
  • 1 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks