Community Blog

Accessing the User-ID agent or AD on a different interface?

by Community Manager ‎05-12-2017 07:10 AM - edited ‎05-15-2017 09:11 AM (6,100 Views)

In many network environments, it's good practice to create an Out Of Band network where the management interfaces of your security appliances and services live so they cannot be compromised by a user with a lot of spare time to try and guess passwords.


This can sometimes create interesting challenges, as your appliances may need to access resources that are not available on the secured network. One example is Palo Alto Networks' integrated User Identification mechanisms, where either the firewall reads security audit logs on an Active Directory server, or the server gets an agent software installed that does the reading and sends the output back to the firewall. If the AD server is not connected to the secured network, a different route needs to be taken to get the information on the firewall.


To assist in this sort of issue, a service route can be configured that redirects connections originating from the management plane, via the backplane, to the dataplane. This will force the outgoing connection to egress from a normal network interface without exposing the management interface (pretty cool, huh?).


To configure a service route:

  1. Navigate to the Device tab on your firewall and open the Setup section
  2. Go to 'Services'
  3. Find the 'Service Route Configuration' link
  4. Switch to 'Customize'
  5. Scroll down to 'UID Agent' and select the new source interface and IP address for these connections

This will work for both the installed UID agent software and the clientless configuration on the firewall.
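The same change can be made from the PAN-OS CLI. The session below is an added example and is not from the original post or from Palo Alto Networks' documentation; the interface name ethernet1/3 and the address 10.10.20.5/24 are placeholders, and the exact keyword spelling (in particular `uid-agent` and the `source interface`/`address` form) is an assumption that should be checked against the tab completion on your own firewall before committing.

```text
# Enter configuration mode (placeholder hostname; constructed session, not captured from a real device)
admin@PA-FW> configure

# Route User-ID agent / clientless connections out of a dataplane interface
# instead of the management interface. Interface name and IP are placeholders;
# the address must already be configured on that interface.
admin@PA-FW# set deviceconfig system route service uid-agent source interface ethernet1/3
admin@PA-FW# set deviceconfig system route service uid-agent source address 10.10.20.5/24

# Review the candidate configuration for this service route before committing
admin@PA-FW# show deviceconfig system route service uid-agent

# Apply the change
admin@PA-FW# commit
```

After the commit, connections to the agent or to the AD server's event log should appear to originate from the chosen dataplane address, so remember that any security policy or intermediate firewall between that interface and the AD server must allow the traffic (the agent listens on TCP 5007 by default, and the clientless method uses WMI/LDAP against the server), and that the management interface no longer needs a path to the AD network at all.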


[Screenshot: UserID agent and clientless service route configuration]


If you would like to know more about service routes, please take a look at this article: Setting a Service Route for Services to Use a Dataplane Interface from the Web UI and CLI


Hope you learned a new thing today!


Please feel free to leave a comment or ask questions in the comment section below


Reaper out!
