
Ruckus and Palo Alto User-ID on Guest Network (two different network addresses)

tony_cable
New Contributor II
Hi

We have a Ruckus ZoneDirector 1100 and a Palo Alto firewall.

We have 3 wi-fi networks set up. In simple terms, one internal, two on a different network.

The ZoneDirector has a 10.35.x.x address, the other networks have a 172.16.x.x address. One of the networks requires the users to log in via their Active Directory credentials, and I am trying to set up the Palo Alto to monitor this network so I can see who has done what.

I’m assuming that I connect the Palo Alto to the Ruckus syslog somehow, but I can’t work out how to monitor the 172.16 network.

The internal network is monitoring fine (but then again it should, as it's on the same network and part of the Active Directory network), but the guest network I can't seem to monitor.

Can anyone point me in the right direction please?

If you need any further information regarding my setup, please let me know.

Thanks

Tony
16 REPLIES

dilojunior
New Contributor III
Hey Tony, take a look at this topic https://forums.ruckuswireless.com/ruc...

We also discussed the integration between Ruckus and PA. Maybe it can help you.

Cheers.

tony_cable
New Contributor II
Hi Odilo

I'm trying this, from your other link, but I'm slightly confused with one of the steps.

You're adding a Server Monitoring for the ZoneDirector, type syslog server. What IP address do I put in there? The IP for the ZoneDirector, or the IP for the management interface (or something else)?

Whatever I put in, I don't seem to be getting a source user mapping.

Also, for the Username Regex section, our usernames are letters and numbers, so I changed it to sta_name(?:=.*\\|=)([a-z0-9]+); Is that correct?

Thanks

tony_cable
New Contributor II
Don't worry, managed to sort it out. Done it in a slightly different way to what you have outlined above, but it is finally starting to sort itself out and filter correctly on the guest network.

Thanks all for help and suggestions.

dilojunior
New Contributor III
Hi, good that it is working now.
Answering your question, on Server Monitoring you should add the ZD IP that is sending the logs to the PA, kind of allowing that IP to send syslog events.

About the regex, I have used this site to test the regex patterns: regex101.com.

Can you explain to us how you managed to get it working?

Thanks, cheers.

tony_cable
New Contributor II
It was more or less the same as above, but I couldn't get it to work as a Regex Identifier. It was getting the logs, but wasn't identifying the success ones, so I changed it to Field Identifier, and it now all appears to be working fine.

The next stage is to tidy it up so it's not sending so many logs to the Palo Alto, but it is identifying devices correctly and applying the right filters.
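
Added example, not part of the thread and not Ruckus or Palo Alto code: a small Python emulation of the two syslog parsing styles discussed above (regex identifier versus field identifier), so the username pattern can be checked offline before it is put on the firewall. Only the sta_name key and the username regex come from the thread; the log lines, the "auth success" event text and the sta_ip key are constructed assumptions.

```python
import re

# Constructed sample lines. Only the sta_name key comes from the thread; the
# event text, the sta_ip key and all values are assumptions for illustration.
SAMPLE_LOGS = [
    "ZD1100 stamgr: auth success;sta_name=jsmith42;sta_ip=172.16.10.25;",
    "ZD1100 stamgr: auth success;sta_name=CORP\\akhan7;sta_ip=172.16.10.31;",
    "ZD1100 stamgr: auth success;sta_name=JDoe9;sta_ip=172.16.10.40;",
    "ZD1100 stamgr: auth failure;sta_name=mallory1;sta_ip=172.16.10.77;",
]

EVENT_STRING = "auth success"  # assumed marker of a successful login
# Username pattern from the thread; "\\" is one literal backslash (DOMAIN\user).
USER_RE = re.compile(r"sta_name(?:=.*\\|=)([a-z0-9]+);")
ADDR_RE = re.compile(r"sta_ip=(\d{1,3}(?:\.\d{1,3}){3});")  # assumed key


def map_by_regex(line):
    """Regex-style parsing: event, username and address are each a pattern."""
    if not re.search(re.escape(EVENT_STRING), line):
        return None  # failed logins must never create a mapping
    user, addr = USER_RE.search(line), ADDR_RE.search(line)
    return (user.group(1), addr.group(1)) if user and addr else None


def _field(line, prefix, delimiter):
    """Return the text between a literal prefix and the next delimiter."""
    start = line.find(prefix)
    if start < 0:
        return None
    start += len(prefix)
    end = line.find(delimiter, start)
    return line[start:end] if end > start else None


def map_by_field(line):
    """Field-style parsing: literal event string, prefixes and delimiters."""
    if EVENT_STRING not in line:
        return None
    user = _field(line, "sta_name=", ";")
    addr = _field(line, "sta_ip=", ";")
    return (user, addr) if user and addr else None


if __name__ == "__main__":
    for log in SAMPLE_LOGS:
        print(map_by_regex(log), map_by_field(log))
```

On these constructed lines the third login (JDoe9) gets no mapping from the regex style because Python's re is case-sensitive and the class is [a-z0-9], while the field style maps it and keeps the CORP\ prefix on the second line. Both styles skip the failed login, which is the check to confirm before trusting the resulting user-to-IP mappings in policy.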