I have some problem about how to integrate between Ruckus and Palo Alto.
The Palo Alto need the Ruckus syslog message which contain the IP and username for creating the policy but I tried to set Ruckus to send the syslog to Palo Alto but in the syslog messages are contain username and MAC address.
Do you have any idea how to set the Ruckus to send IP and username in syslog message of if you have any way for integration, please advice me.
I actually looked into this a while ago and I believe the correct solution would be to have Palo Alto implement Radius accounting SSO. We have a Sonicwall that does this and several other vendors offer similar capabilities but Palo Alto does not :-(. When I was in talks with them they said that the only way this would be possible was to have a one of their solutions providers come up with a solution. I am guessing they would just come up with a Radius accounting to syslog translator which you can most likely do yourself if you want using Freeradius.
I would recommend asking Palo Alto to implement Radius accounting SSO. Hopefully if enough people ask they will add that feature. If they ask you can tell them that this is one of the reasons why we stopped looking at them.
I'm not aware (offhand) of a way for a PaloAlto firewall to consume syslog information.
What are you trying to achieve?
PaloAlto has Active Directory (and other?) integration features that help it determine what user is using which computer.
(in case you want to use PaloAlto user-based ACLs?)
Are your users not using Active Directory?
If that's the case, you may be able to configure the Ruckus for Radius authentication and use an AD machine as your radius server.
If that doesn't solve your problem, please provide more detail re: what your goals are.
It is really simple actually.
After 9.8 you are able to get the user login and IP from the syslog information. So you just need to forward the syslog from ZD to PA management IP (remember enable the Syslog listener on the iface) or to a machine running the Palo Alto User-ID agent. In case of 802.1x.
In case you are using AD auth, you can simply install and run the PA User-ID on your AD server.
Of course, both cases you need to configure your PA to receive information from the agents or SysLog events filters.