I have a new PA500 (running 4.0.4) that I've set up and am now trying to tie to Active Directory in order to create user-based policies. I have everything configured to my knowledge, but I'm not getting any user-IP mappings on the firewall.
I installed what I believe to be the latest AD agent, 3.1.2 (filename PanAgent-3.1.2.msi), on my server and configured it as follows (using made-up IP addresses and domains for this example):
Domain Name: mydomain.com
Port Number: 31200
Domain Controller Address: 220.127.116.11
Allow List: 18.104.22.168/24
Filter Group: mydomain\users
I am able to successfully view the user-IP mappings and groups through the configuration program.
I have also configured the agent settings on the PA500 as follows:
Agent Type: userid-agent
IP Address: 22.214.171.124
Furthermore, I've enabled the agent on the trusted zone through the following settings:
Enable User Identification: Yes
Include List: addr-localnet (126.96.36.199/24)
I believe that this is all I have to do to get the user-IP mappings to work but I am not seeing any such mappings on the firewall. If I consult the PA500's logs I find:
UserID connected to agent userid-AD(188.8.131.52) version 3, initiated by 184.108.40.206
Pan-Agent connected: IP 220.127.116.11 port 31200, initiated by 18.104.22.168
However, if I consult the agent's logs on the server I find it filled with the following error:
New Connection(22.214.171.124:<port>) Socket(<socket>)
SSL read error in pan_host_agent_rcv_data -2-16-0
Connection(1) is closed!
If I run show user userid-agent statistics on the CLI I get output like the following:
Server: userid-AD(vsys: vsys1) Address: 126.96.36.199:31200
Connection : Not Connected
Version : <Unknown>
number of connection tried : 5295
number of connection succeeded : 5224
number of connection failed : 71
number of user ip mapping messages received : 0
number of user ip mapping add entries received : 0
number of user ip mapping del entries received : 0
number of ip msgs rcvd but failed to process : 0
number of status messages received : 0
number of request of ip mapping messages sent : 0
number of request of all ip mapping messages sent : 0
number of request of status messages sent : 0
I'm at a loss here and hope that this is enough information for somebody to help me out. Does anybody have any ideas on why my mappings aren't working? I don't know whether this is applicable at all, but my Web GUI gives me a certificate error when I attempt to access it.
Thanks for any help you can provide.
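The counters and log lines quoted in the post carry the diagnosis on their own: thousands of TCP connections succeed, yet the firewall never learns the agent's version and receives zero mapping messages, while the agent side logs an SSL read error on every connection. That combination says the two ends reach each other but never complete the application handshake, so reachability and allow-list settings are not the place to look. The following Python script is an added example, not part of the original post and not a Palo Alto Networks tool; it parses a statistics block of the shape shown above, counts agent-side SSL read errors, and returns a triage verdict. The verdict rules are my own assumption, and the sample inputs are constructed from the lines in the post with made-up port and socket numbers.

```python
import re

# Constructed sample input: the `show user userid-agent statistics` output
# quoted in the post above, with the address and port as given there.
SAMPLE_STATS = """\
Server: userid-AD(vsys: vsys1) Address: 126.96.36.199:31200
Connection : Not Connected
Version : <Unknown>
number of connection tried : 5295
number of connection succeeded : 5224
number of connection failed : 71
number of user ip mapping messages received : 0
number of user ip mapping add entries received : 0
number of user ip mapping del entries received : 0
number of ip msgs rcvd but failed to process : 0
number of status messages received : 0
number of request of ip mapping messages sent : 0
number of request of all ip mapping messages sent : 0
number of request of status messages sent : 0
"""

# Constructed sample input: agent-side log lines of the shape shown in the post
# (port and socket numbers are made up).
SAMPLE_AGENT_LOG = [
    "New Connection(22.214.171.124:49152) Socket(1234)",
    "SSL read error in pan_host_agent_rcv_data -2-16-0",
    "Connection(1) is closed!",
    "New Connection(22.214.171.124:49153) Socket(1235)",
    "SSL read error in pan_host_agent_rcv_data -2-16-0",
    "Connection(2) is closed!",
]

SERVER_RE = re.compile(
    r"Server:\s*([^\s(]+)\s*\(vsys:\s*(\w+)\)\s*Address:\s*([\d.]+):(\d+)"
)


def parse_stats(text):
    """Parse the statistics block into a dict; 'number of ...' lines go under 'counters'."""
    stats = {"counters": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SERVER_RE.match(line)
        if m:
            stats["server"] = m.group(1)
            stats["vsys"] = m.group(2)
            stats["address"] = m.group(3)
            stats["port"] = int(m.group(4))
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key.startswith("number of "):
            stats["counters"][key[len("number of "):]] = int(value)
        else:
            stats[key.lower()] = value
    return stats


def count_ssl_read_errors(log_lines):
    """Count agent-side 'SSL read error' lines; each is a handshake that never completed."""
    return sum(1 for line in log_lines if "SSL read error" in line)


def triage(stats, agent_log_lines=()):
    """Return a one-word verdict about where the User-ID exchange is failing.

    These rules are an assumption of this example, not a vendor procedure:
      - TCP never succeeds                        -> reachability / allow-list problem
      - TCP succeeds, version unknown, no mapping
        messages                                  -> application handshake never
                                                     completes (the two ends are not
                                                     speaking the same protocol);
                                                     agent-side SSL read errors
                                                     corroborate this
      - handshake fine, zero mapping messages     -> agent has nothing to send
    """
    c = stats["counters"]
    tried = c.get("connection tried", 0)
    succeeded = c.get("connection succeeded", 0)
    mapping_msgs = c.get("user ip mapping messages received", 0)
    version_known = stats.get("version", "<Unknown>") != "<Unknown>"

    if tried == 0:
        return "no-attempt"
    if succeeded == 0:
        return "tcp-unreachable"
    if not version_known and mapping_msgs == 0:
        if count_ssl_read_errors(agent_log_lines) > 0:
            return "handshake-mismatch-confirmed"
        return "handshake-mismatch"
    if mapping_msgs == 0:
        return "no-mappings"
    return "healthy"


if __name__ == "__main__":
    s = parse_stats(SAMPLE_STATS)
    print(s["server"], s["address"], s["port"])
    print(triage(s, SAMPLE_AGENT_LOG))
```

Run against the post's own numbers the verdict is handshake-mismatch-confirmed; a statistics block with a known version and non-zero mapping messages comes back healthy, and one with zero successful connections comes back tcp-unreachable, which is the case where allow-list and routing would deserve attention instead.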
Agent type on the PAN configuration should be pan-agent as opposed to userid-agent. Change it and commit and you should see the PAN communicate successfully. Userid-agent is for eDir, whereas pan-agent is for AD environments.