https://live.paloaltonetworks.com/t5/general-topics/pan-agent-over-wan-issue/m-p/46624#M34276 <HTML><HEAD></HEAD><BODY><P>Well Ill just jump into this.</P><P></P><P>At this point in the product there is no means to prioritize which agent will be set as primary nor can we set an order of precedence on the DC's to give one a greater weight than others. This is however a feature request and is under investigation for future builds.</P><P></P><P></P><P>~Phil</P></BODY></HTML> Fri, 08 Apr 2011 17:24:17 GMT pkruse 2011-04-08T17:24:17Z https://live.paloaltonetworks.com/t5/general-topics/pan-agent-over-wan-issue/m-p/46623#M34275 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P></P><P>Just had another issue to discuss about WAN Pan Agent, if you do have time, please go through.</P><P></P><P>Local LAN PAN agent is configured for 10.0.0.0/8 network</P><P>WAN PAN agent is configured for site 1 network 10.12.111.x/24</P><P>But I have users from Site to with network 10.13.111.x/24 as well logging on to the same DC of site 1.</P><P></P><P>I think its some AD issue, though site 2 has its own DC, some users of that site log on to site 1.</P><P>And so on, some users of site 3 also do the same, and more over, there are users from the local LAN</P><P>who some times log on to the WAN DC's !!</P><P></P><P>How do I configure the pan agent to work in such an environment.</P><P></P><P>I have had issues when I configured the local PAN Agent and remote PAN Agent with same allowed list of IP's 10.0.0.0/8.</P><P class="MsoNormal"><SPAN>I have had issues</SPAN></P><P class="MsoNormal"><SPAN>with PA-FW trying to reference every user, even users from&nbsp; the Head Office to the WAN DC PAN agent.</SPAN></P><P class="MsoNormal"><SPAN>As such, a user who was earlier successfully logging&nbsp; on to the PAN agent in the Head Office,</SPAN></P><P class="MsoNormal"><SPAN>now&nbsp; is not able to browse, and it says its blocked,&nbsp; and within in the&nbsp; blocked page it mentions his local IP address as the 'user name'&nbsp; (Source) not the correct user name.</SPAN></P><P class="MsoNormal"></P><P class="MsoNormal"></P><P class="MsoNormal"><SPAN>admin@DP-PAFW01(active)&gt; show user pan-agent&nbsp; statistics</SPAN></P><P><SPAN>Timer: interval of group membership retrieval<BR />State: *:primary pan-agent&nbsp; to retrieve group membership<BR />----------------&nbsp; --------------- ----- -------&nbsp; ------------------ ------ ------&nbsp; -------- -------- -------- ---------------&nbsp; -----<BR />Name&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; IP&nbsp; Address&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Port&nbsp; Vsys&nbsp;&nbsp;&nbsp;&nbsp; State&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Users&nbsp; Grps&nbsp;&nbsp; IPs&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Activity Timer(s) Domain&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Index<BR />----------------&nbsp; --------------- ----- ------- ------------------&nbsp; ------ ------ --------&nbsp; -------- -------- ---------------&nbsp; -----<BR />PAN-Agent-01&nbsp;&nbsp;&nbsp;&nbsp; 10.0.2.20&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 7799&nbsp; vsys1&nbsp;&nbsp;&nbsp; connected,&nbsp; ok&nbsp;&nbsp;&nbsp;&nbsp; 0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 10091&nbsp;&nbsp;&nbsp; 58&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 600&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; dpf&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 1<BR />PAN-Agent-Ghu 10.12.111.14&nbsp;&nbsp;&nbsp; 7799&nbsp; vsys1&nbsp;&nbsp; *connected,&nbsp; ok&nbsp;&nbsp;&nbsp;&nbsp; 12660&nbsp; 443&nbsp;&nbsp;&nbsp; 59&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 67&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 600&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; dpf&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 2</SPAN></P><P></P><P class="MsoNormal"><SPAN>How can I make the PA-FW understand that the PAN Agent at the head office should&nbsp; be the</SPAN></P><P class="MsoNormal"><SPAN>primary pan-agent to retrieve group membership and not the&nbsp; newly installed WAN Site PAN.</SPAN></P><P class="MsoNormal"></P><P class="MsoNormal"><SPAN>Kindly comment with your inputs,</SPAN></P><P class="MsoNormal"></P><P class="MsoNormal"><SPAN>Rgds,</SPAN></P><P class="MsoNormal"></P><P class="MsoNormal"><SPAN>Tauseef<BR /></SPAN></P></BODY></HTML> Thu, 07 Apr 2011 05:41:58 GMT https://live.paloaltonetworks.com/t5/general-topics/pan-agent-over-wan-issue/m-p/46623#M34275 ta185020 2011-04-07T05:41:58Z https://live.paloaltonetworks.com/t5/general-topics/pan-agent-over-wan-issue/m-p/46624#M34276 <HTML><HEAD></HEAD><BODY><P>Well Ill just jump into this.</P><P></P><P>At this point in the product there is no means to prioritize which agent will be set as primary nor can we set an order of precedence on the DC's to give one a greater weight than others. This is however a feature request and is under investigation for future builds.</P><P></P><P></P><P>~Phil</P></BODY></HTML> Fri, 08 Apr 2011 17:24:17 GMT https://live.paloaltonetworks.com/t5/general-topics/pan-agent-over-wan-issue/m-p/46624#M34276 pkruse 2011-04-08T17:24:17Z