Is there a way in PanOS 6.1.x to manually map a user-id to an ip-address?
Or is there a way to set an IP-address to be exempt from the user-id mapping policy?
I have PA-500s being staged behind a generic firewall inside a production network with a PA-3000 on the perimeter. The PA-500s NAT their external connections via the generic firewall and cannot establish connection to the PA update server without connecting a laptop behind the generic fw and authenticating via the captive portal.
On the bottom of the User-ID setup screen you can enter exclude addresses that will be ignored for user-ID.
Thanks Steven. Just to confirm that if I follow this route, then I would need to explicitly define all networks to be user-id'd under the include action.
Yes, once you setup this section it is comprehensive on both exclude and include networks.
Or you can also add an exception policy for your PA500 ip address at the top of the captive portal policies. You just need to configure the action as "no-captive-portal":
from: PA500_IP -Trust
To: any -Untrust
You can test the policy using the following command:
test cp-policy-match from <value>|<any> to <value>|<any> source <ip/netmask> destination <ip/netmask>
Keep in mind that the Agents process the include / exclude networks list in a top-down fashion just like the firewalls do policy. What I did to keep from having to manually identify all of the networks I wanted to include, is I put all of my excludes at the top and then created 3 include entries to cover all of the RFC1918 addresses.
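As an added illustration (not from the thread or from Palo Alto Networks), a small Python model of the top-down include/exclude evaluation the reply above describes; the first-match behaviour and all addresses are assumptions constructed for the example.

```python
import ipaddress

# Constructed User-ID Agent include/exclude list, ordered as the reply suggests:
# exclusions first, then three include entries covering all of RFC 1918.
# First-match, top-down evaluation is an assumption modelled on the reply,
# not the agent's own code.
RULES = [
    ("exclude", "10.50.1.20/32"),    # constructed: staged PA-500 NAT address
    ("exclude", "10.60.0.0/24"),     # constructed: staging segment never mapped
    ("include", "10.0.0.0/8"),
    ("include", "172.16.0.0/12"),
    ("include", "192.168.0.0/16"),
]


def is_user_id_mapped(ip, rules=RULES):
    """Return True if the first matching entry includes the IP.

    False if the first match is an exclude, or if nothing matches: once an
    explicit list exists it is comprehensive, so unlisted networks are not mapped.
    """
    addr = ipaddress.ip_address(ip)
    for action, network in rules:
        if addr in ipaddress.ip_network(network, strict=False):
            return action == "include"
    return False


def shadowed_excludes(rules):
    """Return exclude entries that can never match because an earlier include
    entry already covers their whole network (the ordering mistake to avoid)."""
    shadowed = []
    for i, (action, network) in enumerate(rules):
        if action != "exclude":
            continue
        net = ipaddress.ip_network(network, strict=False)
        for prev_action, prev_network in rules[:i]:
            prev = ipaddress.ip_network(prev_network, strict=False)
            if prev_action == "include" and net.subnet_of(prev):
                shadowed.append(network)
                break
    return shadowed


if __name__ == "__main__":
    for ip in ("10.50.1.20", "10.50.1.21", "192.168.4.4", "203.0.113.9"):
        print(ip, "mapped" if is_user_id_mapped(ip) else "not mapped")
    print("shadowed excludes:", shadowed_excludes(RULES))
```

Run `shadowed_excludes` against your own ordering before committing it: any entry it returns is an exclusion that the include above it silently overrides.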