https://live.paloaltonetworks.com/t5/general-topics/user-id-management-setting/m-p/5819#M4252 <HTML><HEAD></HEAD><BODY><P><A name="1519783">That</A><SPAN style="font-weight: bold;"> </SPAN>option is needed to allow communication between firewalls when a firewall is acting as a redistribution point to provide user mapping information to other PAN-OS firewalls.Also it is available for management profile.You can distribute user id information as a new feature on panos 5</P></BODY></HTML> Thu, 23 May 2013 18:38:25 GMT Retired Member 2013-05-23T18:38:25Z https://live.paloaltonetworks.com/t5/general-topics/user-id-management-setting/m-p/5818#M4251 <HTML><HEAD></HEAD><BODY><P>In the device management settings there is now a "User-ID" checkbox.&nbsp; I have looked at the administrators guide but it doesn't mention it, presumably because it is fairly new.</P><P></P><P>What does this actually control, because the user-id agent on the box works fine without that checked (or seems to).&nbsp; Other options such as SSH, ping etc are obviously management access protocols but user-id doesn't seem to fit in quite the same.</P></BODY></HTML> Thu, 23 May 2013 16:43:48 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-management-setting/m-p/5818#M4251 djr 2013-05-23T16:43:48Z https://live.paloaltonetworks.com/t5/general-topics/user-id-management-setting/m-p/5819#M4252 <HTML><HEAD></HEAD><BODY><P><A name="1519783">That</A><SPAN style="font-weight: bold;"> </SPAN>option is needed to allow communication between firewalls when a firewall is acting as a redistribution point to provide user mapping information to other PAN-OS firewalls.Also it is available for management profile.You can distribute user id information as a new feature on panos 5</P></BODY></HTML> Thu, 23 May 2013 18:38:25 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-management-setting/m-p/5819#M4252 Retired Member 2013-05-23T18:38:25Z https://live.paloaltonetworks.com/t5/general-topics/user-id-management-setting/m-p/5820#M4253 <HTML><HEAD></HEAD><BODY><P>The userid option is introduced in 5.0 and need to be enabled when you are using the agentless user id and also when distributing the mappings to other firewalls</P></BODY></HTML> Thu, 23 May 2013 21:42:51 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-management-setting/m-p/5820#M4253 zarina 2013-05-23T21:42:51Z https://live.paloaltonetworks.com/t5/general-topics/user-id-management-setting/m-p/5821#M4254 <HTML><HEAD></HEAD><BODY><P>Sorry to be obtuse, but I still don't get this.</P><P></P><P>I had agentless user-id turned on and working with my 5 DCs without this turned on, so it doesn't *appear* to prevent that working.</P><P></P><P>If it controls redistribution of the user-id information I can see why I wouldn't have noticed that, but does that then mean that I need the management addresses of the to firewalls to be included in the "permitted addresses" as well?</P><P></P><P>Thanks</P></BODY></HTML> Fri, 24 May 2013 08:05:15 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-management-setting/m-p/5821#M4254 djr 2013-05-24T08:05:15Z https://live.paloaltonetworks.com/t5/general-topics/user-id-management-setting/m-p/5822#M4255 <HTML><HEAD></HEAD><BODY><P>The checkbox allows that specific firewall to be the agent for other firewalls. It gives you a central user-ID agent that several firewalls can use without having to deploy software agents or set up the agentless configuration on every firewall. </P><P></P><P>Hope this helps,</P><P>Greg </P></BODY></HTML> Fri, 24 May 2013 16:33:47 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-management-setting/m-p/5822#M4255 gwesson 2013-05-24T16:33:47Z https://live.paloaltonetworks.com/t5/general-topics/user-id-management-setting/m-p/5823#M4256 <HTML><HEAD></HEAD><BODY><P>Not really, two specific questions then:</P><P></P><P>1) Is it needed to permit an XML API connection from an external server</P><P>2) Is it needed to replicate user ID data to the HA peer?</P><P>2a) If the answer to 2 is "yes", then does the peer firewall need to be in the permitted IPs list?</P></BODY></HTML> Fri, 24 May 2013 16:45:15 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-management-setting/m-p/5823#M4256 djr 2013-05-24T16:45:15Z