The article explains how the User-ID Agent Access Control List works.
Environment
Palo Alto Firewall.
Any PAN-OS.
Access Control List.
Resolution
Details
The User-ID Agent Access Control List is located under User Identification > Setup > Access Control list in the Palo Alto Networks User-ID Agent running on the Windows server.
The Access Control List specifies which Palo Alto Networks firewalls are allowed to connect to the User-ID agent. It also restricts unauthorized access to the agent from IP addresses that do not belong to a Palo Alto Networks device. Access is controlled with allow and/or deny entries, each tied to a source IP address range. The entries are processed from top to bottom, just like a security policy on a firewall.
Click "Add" and the following window appears. The following is an example of an entry that uses the IP address range format for a single IP address.
In the following example:
The firewall with the IP address 172.0.0.10 can access the User-ID Agent.
The firewall with the IP address 172.0.200.10 can access the User-ID Agent.
All other private IP addresses (RFC1918) are not allowed to contact the User-ID Agent.
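The top-to-bottom processing described above can be modelled as follows. This is an added example, not code from Palo Alto Networks or the User-ID agent. It assumes the first matching entry decides (as in a firewall security policy) and that ranges are written as "start-end"; the 10.1.1.5 firewall and all function names are hypothetical.

```python
import ipaddress
from typing import NamedTuple, Optional

class Entry(NamedTuple):
    action: str  # "allow" or "deny"
    start: ipaddress.IPv4Address
    end: ipaddress.IPv4Address

def entry(action: str, ip_range: str) -> Entry:
    """Parse 'start-end' (assumed notation); a single address is start == end."""
    lo, _, hi = ip_range.partition("-")
    start = ipaddress.IPv4Address(lo.strip())
    end = ipaddress.IPv4Address((hi or lo).strip())
    if action not in ("allow", "deny") or start > end:
        raise ValueError(f"bad entry: {action} {ip_range}")
    return Entry(action, start, end)

def evaluate(acl, source_ip: str) -> Optional[str]:
    """Walk the list top to bottom; the first entry containing the source decides.
    Returns None when no entry matches (the article does not state the default)."""
    ip = ipaddress.IPv4Address(source_ip)
    for e in acl:
        if e.start <= ip <= e.end:
            return e.action
    return None

def shadowed(acl):
    """Indexes of entries that can never match because one earlier entry covers them."""
    return [i for i, e in enumerate(acl)
            if any(p.start <= e.start and e.end <= p.end for p in acl[:i])]

# Constructed list mirroring the article's example: two firewalls, then RFC1918 denied.
EXAMPLE_ACL = [
    entry("allow", "172.0.0.10-172.0.0.10"),
    entry("allow", "172.0.200.10-172.0.200.10"),
    entry("deny", "10.0.0.0-10.255.255.255"),
    entry("deny", "172.16.0.0-172.31.255.255"),
    entry("deny", "192.168.0.0-192.168.255.255"),
]
# Constructed mistake: an allow for a hypothetical firewall added below the deny.
MISORDERED_ACL = EXAMPLE_ACL + [entry("allow", "10.1.1.5-10.1.1.5")]

if __name__ == "__main__":
    for src in ("172.0.0.10", "172.0.200.10", "10.1.1.5", "192.168.1.20"):
        print(src, evaluate(EXAMPLE_ACL, src))
    print("shadowed entry indexes:", shadowed(MISORDERED_ACL))
```

The shadowing check shows why order matters: an allow entry for a firewall inside a denied range has to sit above the deny entry, or it never takes effect.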