Hello Tim,

First of all, thanks for reporting!

Problem:  Palo Alto timeout expects minutes, not seconds (At least on 6.1, 
can't say for sure), so the timeout is set WAY higher than it should be.
Resolution:  $timeout = ( $timeout / 60); in PaloAlto.pm

Were you using Palo Alto before 6.1? I’d change it but I don’t want it to 
break previous versions. I’ll have a look at their “Changelog”.

Problem:  SSO (And update_iplog in general from pfdhcplistener) use the client's 
REQUESTED lease time for SSO updates.  For an iPhone, I see 7776000.  This 
isn't what the DHCP server said to use, so it's inaccurate.
Solution:  Move the call to firewallsso from the parse_dhcp_request sub to 
parse_dhcp_ack sub.

You are effectively right. We should consider the ACK in that case. The problem 
that I see would be when PacketFence is configured to receive a copy of the 
DHCP traffic in an L3 environment… in those cases, the ACK is sent unicast to the 
requesting client, which means that PacketFence wouldn’t receive a copy of it...

Also, I actually disabled update_iplog in parse_dhcp_request, and for DHCPACK 
CIADDR in parse_dhcp_ack because it seems to generate a TON of extra iplog 
entries every time devices rebind.  I've never seen one with a lease time 
defined, so it seems redundant. 

Which version of PacketFence are you running? Starting with v5, we modified 
iplog so that there’s no new entry being created and we are “updating” 
existing ones.


Cheers!
dw.

-- 
Derek Wuelfrath
[email protected] :: +1.514.447.4918 (x110) :: +1.866.353.6153 (x110)
Inverse inc. (www.inverse.ca) :: Leaders behind SOGo (www.sogo.nu) and 
PacketFence (www.packetfence.org)

On May 15, 2015 at 12:53:45, Tim DeNike ([email protected]) wrote:

Problem:  Palo Alto timeout expects minutes, not seconds (At least on 6.1, 
can't say for sure), so the timeout is set WAY higher than it should be.
Resolution:  $timeout = ( $timeout / 60); in PaloAlto.pm

Problem:  SSO (And update_iplog in general from pfdhcplistener) use the client's 
REQUESTED lease time for SSO updates.  For an iPhone, I see 7776000.  This 
isn't what the DHCP server said to use, so it's inaccurate.
Solution:  Move the call to firewallsso from the parse_dhcp_request sub to 
parse_dhcp_ack sub.


Also, I actually disabled update_iplog in parse_dhcp_request, and for DHCPACK 
CIADDR in parse_dhcp_ack because it seems to generate a TON of extra iplog 
entries every time devices rebind.  I've never seen one with a lease time 
defined, so it seems redundant. 


_______________________________________________
PacketFence-users mailing list  
[email protected]  
https://lists.sourceforge.net/lists/listinfo/packetfence-users  