https://live.paloaltonetworks.com/t5/general-topics/uia-pan-agent-to-firewall-communication/m-p/18157#M13231 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>Looking at the User Identification with PAN-OS 2.1 Tech Note rev00E 03/09, I can read :</P><P><EM>"The User Identification Agent must have IP connectivity to the firewall management interface.<BR />This is true even if the firewall is managed by an inline, Layer 3 interface on the firewall. All<BR />Agent communication to the firewall is sent and received through the firewall management<BR />interface. It is not possible to use an inline Layer 3 interface for this function in PAN-OS 2.1."</EM></P><P></P><P>Is it always true in the 3.0 or 3.1 version ?</P><P></P><P>I manage several isolated AD domains. These domains should have NO access to the Management network, so no access to the management interface.</P><P>If in a new version, it could be possible to establish this connectivity between the PA and the UIA on a L3 Interface (configured with a correct management profile),</P><P>- which permitted services should be enabled on the L3 interface ?<BR />- On the PA Device User Identication configuration page, How to specify the interface used to join the UIA ? (only IP/port are possible to specify)... My problem is that several domains could have overlaped subnets. Not a problem with dedicated Interface / Virtual Router, but to join the UIA... which L3 to use... ?</P><P></P><P>Thanks - Sylvain.</P></BODY></HTML> Sun, 25 Apr 2010 20:37:46 GMT slechatton 2010-04-25T20:37:46Z https://live.paloaltonetworks.com/t5/general-topics/uia-pan-agent-to-firewall-communication/m-p/18157#M13231 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>Looking at the User Identification with PAN-OS 2.1 Tech Note rev00E 03/09, I can read :</P><P><EM>"The User Identification Agent must have IP connectivity to the firewall management interface.<BR />This is true even if the firewall is managed by an inline, Layer 3 interface on the firewall. All<BR />Agent communication to the firewall is sent and received through the firewall management<BR />interface. It is not possible to use an inline Layer 3 interface for this function in PAN-OS 2.1."</EM></P><P></P><P>Is it always true in the 3.0 or 3.1 version ?</P><P></P><P>I manage several isolated AD domains. These domains should have NO access to the Management network, so no access to the management interface.</P><P>If in a new version, it could be possible to establish this connectivity between the PA and the UIA on a L3 Interface (configured with a correct management profile),</P><P>- which permitted services should be enabled on the L3 interface ?<BR />- On the PA Device User Identication configuration page, How to specify the interface used to join the UIA ? (only IP/port are possible to specify)... My problem is that several domains could have overlaped subnets. Not a problem with dedicated Interface / Virtual Router, but to join the UIA... which L3 to use... ?</P><P></P><P>Thanks - Sylvain.</P></BODY></HTML> Sun, 25 Apr 2010 20:37:46 GMT https://live.paloaltonetworks.com/t5/general-topics/uia-pan-agent-to-firewall-communication/m-p/18157#M13231 slechatton 2010-04-25T20:37:46Z https://live.paloaltonetworks.com/t5/general-topics/uia-pan-agent-to-firewall-communication/m-p/18158#M13232 <HTML><HEAD></HEAD><BODY><P>Sylvain,</P><P></P><P>Have you tried configuring the Service Route under the Device Tab and change the interface to the L3 on which you want to communicated with UIA?</P></BODY></HTML> Mon, 26 Apr 2010 10:26:31 GMT https://live.paloaltonetworks.com/t5/general-topics/uia-pan-agent-to-firewall-communication/m-p/18158#M13232 vinesh 2010-04-26T10:26:31Z https://live.paloaltonetworks.com/t5/general-topics/uia-pan-agent-to-firewall-communication/m-p/18159#M13233 <HTML><HEAD></HEAD><BODY><P>Vinesh,</P><P></P><P>Thanks for you help, it's usefull to redirect a service to an interface, but</P><P>- which service is used to connect to UIA ?</P><P>- if the subnets are overlapped, how to specify the destinations ?</P><P></P><P>Thanks - Sylvain</P></BODY></HTML> Mon, 26 Apr 2010 17:36:33 GMT https://live.paloaltonetworks.com/t5/general-topics/uia-pan-agent-to-firewall-communication/m-p/18159#M13233 slechatton 2010-04-26T17:36:33Z