Accessing the User-ID agent or AD on a different interface?
byreaper05-12-201707:10 AM - edited 05-15-201709:11 AM
In many network environments, it's good practice to create an Out Of Band network where the management interfaces of your security appliances and services live so they cannot be compromised by a user with a lot of spare time to try and guess passwords.
This can sometimes create interesting challenges, as your appliances may need to access resources that are not available on the secured network. One example is Palo Alto Networks' integrated User Identification mechanisms, where either the firewall reads security audit logs on an Active Directory server, or the server gets an agent software installed that does the reading and sends the output back to the firewall. If the AD server is not connected to the secured network, a different route needs to be taken to get the information on the firewall.
To assist in this sort of issue, a service route can be configured that redirects connections originating from the management plane, via the backplane, to the dataplane. This will force the outgoing connection to egress from a normal network interface without exposing the management interface (pretty cool, huh?).
To configure a service route:
Navigate to the Device tab on your firewall, and in the
Open the Setup section
Go to 'Services'
Find the 'Service Route Configuration' link
Switch to 'Customize'
Scroll down to 'UID Agent' and
Select the new source interface and IP address for these connections
This will work for both the installed UID agent software and the clientless configuration on the firewall.
UserID agent and clientless service route configuration