Static user-id to IP-address mapping

L0 Member

Static user-id to IP-address mapping

Hi All,

Is there a way in PanOS 6.1.x to manually map a user-id to an ip-address.

Or is there a way to set an IP-address to be exempt from the user-id mapping policy.

I have PA-500s being staged behind a generic firewall inside a production network with a PA-3000 on the perimeter. The PA-500s NAT their external connections via the generic firewall and cannot establish connection to the PA update server without connecting a laptop behind the generic fw and authenticating via the captive portal.

Regards,

Charles

L7 Applicator

Re: Static user-id to IP-address mapping

On the bottom of the User-ID setup screen you can enter exclude addresses that will be ignored for user-ID.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
L0 Member

Re: Static user-id to IP-address mapping

Thanks Steven. Just to confirm that if I follow this route, then I would need to explicitly define all networks to be user-id'd under the include action.

How the User-ID Agent Include/Exclude List Works

L7 Applicator

Re: Static user-id to IP-address mapping

Yes, once you set up this section it is comprehensive on both exclude and include networks.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
L4 Transporter

Re: Static user-id to IP-address mapping

Or you can also add an exception policy for your PA500 ip address at the top of the captive portal policies. Just need to configure the action as "no-captive-portal"

from: PA500_IP -Trust

To: any -Untrust

Actions: no-captive-portal

You can test the policy using the following command:

test cp-policy-match from <value>|<any> to <value>|<any> source <ip/netmask> destination <ip/netmask>

Regards,

G

L3 Networker

Re: Static user-id to IP-address mapping

Keep in mind that the Agents process the include / exclude networks list in a top-down fashion, just like the firewalls do policy. What I did to keep from having to manually identify all of the networks I wanted to include was to put all of my excludes at the top and then create 3 include entries to cover all of the RFC1918 addresses.
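To make the top-down behaviour described in the last two replies concrete, here is an added example (not code from the thread or from Palo Alto Networks) that models the include/exclude list as a first-match evaluator: excludes on top, three RFC1918 includes below, and any address matching nothing left unmapped, which is what "comprehensive" means once the list is configured. The network entries are constructed for illustration. It also includes a shadowing check, so you can spot an exclude that would never fire because a broader include sits above it.

```python
import ipaddress

# Constructed include/exclude list (not a real agent configuration).
# Entries are (action, network) and are evaluated top-down; first match wins.
ID_LIST = [
    ("exclude", "10.10.50.0/24"),      # e.g. staged PA-500 management segment (constructed)
    ("exclude", "192.168.100.7/32"),   # a single host to leave unmapped (constructed)
    ("include", "10.0.0.0/8"),         # RFC1918 block 1
    ("include", "172.16.0.0/12"),      # RFC1918 block 2
    ("include", "192.168.0.0/16"),     # RFC1918 block 3
]


def parse_list(entries):
    """Validate actions and turn network strings into ip_network objects."""
    parsed = []
    for action, net in entries:
        if action not in ("include", "exclude"):
            raise ValueError(f"unknown action {action!r}")
        parsed.append((action, ipaddress.ip_network(net, strict=False)))
    return parsed


def should_map(ip, entries=ID_LIST):
    """Return True if the agent would map user-id for this address.

    First matching entry decides; an address matching no entry is not
    mapped once the list is in use, which is why every network you want
    identified must appear under an include.
    """
    addr = ipaddress.ip_address(ip)
    for action, net in parse_list(entries):
        if addr.version == net.version and addr in net:
            return action == "include"
    return False


def find_shadowed(entries):
    """Return indexes of entries that can never match because an earlier
    entry already covers their whole network (a common misordering)."""
    parsed = parse_list(entries)
    shadowed = []
    for i, (_, net) in enumerate(parsed):
        for _, earlier in parsed[:i]:
            if net.version == earlier.version and net.subnet_of(earlier):
                shadowed.append(i)
                break
    return shadowed


if __name__ == "__main__":
    for ip in ("10.10.50.3", "10.20.1.1", "192.168.100.7", "192.168.100.8", "8.8.8.8"):
        print(ip, "mapped" if should_map(ip) else "not mapped")
    # Swapping the first include above the exclude would make the exclude dead:
    bad_order = [("include", "10.0.0.0/8"), ("exclude", "10.10.50.0/24")]
    print("shadowed entries in bad_order:", find_shadowed(bad_order))
```

Run `find_shadowed` against your own list before committing it; an exclude for the staging segment that lands below the matching RFC1918 include is silently ignored, and the PA-500s would still be subject to the captive portal.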
