The dreaded User-ID, Dynamic TAGS, XMLAPI and Multi-vsys



L0 Member

Hi Community, my first post so hopefully I am in the right area.

I am running a multi-vsys setup with 5220s in Active-Active HA and using XMLAPI calls from Aruba ClearPass to send login/logout info as well as tags for use in dynamic object groups. It seems to be hit-and-miss with tags being registered for clients/IP addresses, particularly on one vsys. From ClearPass I send the client info via the External Context Server function to all firewalls and vsys using the data plane, and it seems quite random/intermittent with the multi-vsys setup.

I have been through Aruba TAC for a few weeks now, and I also have a case with Palo TAC looking at this. In an original ticket I had with Palo for this, I was sharing user-id between vsys using vsys1 as a user-id hub, but that does not share dynamic tag info, only user-id, so we went with sending the info to each vsys using a data plane interface. It seems to work, but the issue is that it's intermittent/random. Most of the time it seems we get the 'login' info to both vsys, but the 'tag' is sometimes not registered with the vsys. I think this is a Palo problem, given we have debugged this to the nth degree on the ClearPass side.

I am wondering if anyone else out there has used a similar setup? I am running PANOS 10.0.4. I have seen a bunch of user-id updates in future firmware, and I have asked the TAC to investigate whether anything is related to my problem. Thanks.
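For readers troubleshooting the same symptom (login arrives, tag does not), here is an added example, not from the poster or from ClearPass, of sending one User-ID update that carries both the login and the tag registration to each vsys and then reading back `show object registered-ip all` on that same vsys to spot any tag that did not land. It assumes the XML API `vsys` request parameter selects the target vsys, assumes the reply shape `<entry ip="..."><tag><member>..</member></tag></entry>`, and uses placeholder hostname and API key.

```python
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

FIREWALL_API = "https://fw.example.invalid/api/"  # placeholder, not a real host
API_KEY = "PLACEHOLDER_API_KEY"                   # placeholder, not a real key

def build_uid_message(user, ip, tags, timeout=60):
    """One User-ID payload carrying both the IP-user login and the tag
    registration for that IP, so both arrive in the same update."""
    msg = ET.Element("uid-message")
    ET.SubElement(msg, "version").text = "1.0"
    ET.SubElement(msg, "type").text = "update"
    payload = ET.SubElement(msg, "payload")
    login = ET.SubElement(payload, "login")
    ET.SubElement(login, "entry", name=user, ip=ip, timeout=str(timeout))
    entry = ET.SubElement(ET.SubElement(payload, "register"), "entry", ip=ip)
    tag_el = ET.SubElement(entry, "tag")
    for tag in tags:
        ET.SubElement(tag_el, "member").text = tag
    return ET.tostring(msg, encoding="unicode")

def api_call(params):
    """POST to the XML API; the 'vsys' parameter selects the target vsys (assumed)."""
    body = urllib.parse.urlencode({"key": API_KEY, **params}).encode()
    with urllib.request.urlopen(FIREWALL_API, data=body, timeout=10) as resp:
        return resp.read().decode()

def parse_registered_ip(xml_text):
    """Map ip -> set(tags) from a 'show object registered-ip all' reply
    (assumed shape: <entry ip="..."><tag><member>t</member></tag></entry>)."""
    root = ET.fromstring(xml_text)
    return {e.get("ip"): {m.text for m in e.iter("member")}
            for e in root.iter("entry") if e.get("ip")}

def missing_tags(expected, actual):
    """Tags that were sent but are not registered on the vsys, per IP."""
    gaps = {ip: tags - actual.get(ip, set()) for ip, tags in expected.items()}
    return {ip: t for ip, t in gaps.items() if t}

SHOW_REGISTERED = "<show><object><registered-ip><all/></registered-ip></object></show>"

if __name__ == "__main__":
    expected = {"10.20.30.40": {"cp-compliant", "cp-employee"}}  # constructed sample
    for vsys in ("vsys1", "vsys2"):  # send to each vsys, then verify on that vsys
        cmd = build_uid_message("corp\\alice", "10.20.30.40", expected["10.20.30.40"])
        api_call({"type": "user-id", "vsys": vsys, "cmd": cmd})
        actual = parse_registered_ip(api_call({"type": "op", "vsys": vsys, "cmd": SHOW_REGISTERED}))
        print(vsys, "missing:", missing_tags(expected, actual) or "none")
```

Running the check a few seconds after each ClearPass-triggered update, per vsys, turns an intermittent "tag sometimes missing" report into a log of exactly which vsys dropped which tag and when.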


L0 Member

For what it's worth, I had some weird issues with IP-User mapping, and then when I went from CPPM (I believe) 6.8 to 6.9 to 6.10, things mysteriously became better. Aruba didn't have anything to say about it. Now, as far as dynamic tags, I'm revisiting that.
