topic Re: How to convince PAN to know UID mapping for all vsys in General Topics

How to convince PAN to know UID mapping for all vsys

segap — Wed, 24 Jun 2015 10:31:18 GMT

Hi,

We use multi-vsys and XMP API for UID. It works fine for vsys1. We use this sintax for login:

<uid-message>

<type>update</type>

<login>

</entry>

</login>

</payload>

</uid-message>

After I paste this sintax in https://PAN_IP/API/<user-id> I see in CLI:

> show user ip-user-mapping ip 10.1.1.1.

IP address: 10.1.1.1 (vsys1)
User:        user1
From:        XMLAPI
Idle Timeout: 1196s
Max. TTL:    1196s
Groups that the user belongs to (used in policy)

Question is, how to do, that PAN will recognized this user for all vsys?

I already enable User Identification in zone in vsys 2, and configure in Device->User Identification->Group Mapping Settings LDAP server. I can also see groups in "Group Include List" tab.

Any hint?

Thx, Peter

Re: How to convince PAN to know UID mapping for all vsys

cpainchaud — Wed, 24 Jun 2015 13:38:27 GMT

you do the same for all vsys (1 API call per vsys) or set redistribution between VSYS (through the use of loopbacks)

Re: How to convince PAN to know UID mapping for all vsys

segap — Mon, 29 Jun 2015 08:53:59 GMT

Exactly. We don't set redistribution between vsys. For now, I don't know yet exactly how to do it right (one IP call to one IP). 2 loopbacks means 2 IPs and 2 IP calls, what we don't want. I can't reconfigure existing loopback as share interface, because its production and UID will stop working... But I will look in tech guide.