adding more than one UIA agent on firewall?

L2 Linker

Hi Techies,

I have a small doubt whether I can add more than one UIA server in my firewall, in the sense that they should behave kind of active/passive.

Requirement is something like this: I want to secure the User-ID functionality on the firewall so that if one of my UIAs goes down, then the firewall should contact the other UIA server for that....

Let me know if we have any solution for it...

Cyber Elite

Hello,

Yes, you can have the PAN monitor more than one User-ID agent. I have two just to keep things simple and redundant; I have a small environment.

https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/user-id/map-ip-addresses-to-users/co...

Hope that helps.

Regards,

Oh, that's great if you are using it already!

But I have one doubt: whether PAN-OS reads both servers in sequence (kind of active/passive style) or it monitors both simultaneously?

Also, if it monitors both at the same time, then doesn't it create a problem? Because it is reading logs from both UIAs, so whose result will it give to the firewall? UIA1 or 2?

Sorry if it sounds silly, but I need clarity before implementing..

Thanks

Hello,

Your concerns are very valid. It monitors and ingests the information from both agents at the same time on an interval. I believe it uses timestamps from the Windows event logs to resolve conflicts, i.e. one IP has two names.

https://live.paloaltonetworks.com/t5/Configuration-Articles/User-ID-Agent-Setup-Tips/ta-p/54755

Hope that helps.

Hey, thanks man for the solution....

So, I just need to add just one more UIA under Device > User Identification > User-ID Agent and that's it, right?

In that way, I would be seeing two servers connected (green) and my firewall will talk to two servers at the same time, and if there is any conflict, it would read the Windows event logs to cross-verify and send results... right?

The UIA reads the Windows event logs continuously to provide the most current User-IP mappings to the firewall. The firewall then talks to both UIAs and always uses the most current timestamp for an IP. So let's assume the following:

UIA1: domain\johndoe 20180531-06:10:34 10.10.10.10

UIA2: domain\johndoe 20180531-07:23:26 10.10.10.10

In this case the firewall would have received the mapping first from UIA1. As soon as the new mapping is present on UIA2, the firewall updates its user-ip-mapping table with the new event from UIA2.
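To make the tie-break described in the two answers above concrete (the firewall ingests both agents and keeps, per IP, the mapping with the newest timestamp, which also covers the agent-down case from the original question), here is an added Python model written for this thread; it is not PAN-OS code or anything posted by the participants. The event lines beyond the johndoe pair, including the "one IP, two names" conflict on 10.10.10.30 and the IP that only UIA1 reports, are constructed sample data.

```python
from datetime import datetime

# Constructed sample feeds from two User-ID agents, one mapping event per
# line in the same shape as the thread's example:
# "<domain\user> <YYYYMMDD-HH:MM:SS> <ip>". 10.10.10.30 has two different
# names (a conflict); 10.10.10.20 is reported by UIA1 only (UIA2 down or
# missing the event).
UIA1_EVENTS = r"""
domain\johndoe 20180531-06:10:34 10.10.10.10
domain\alice 20180531-05:02:11 10.10.10.20
domain\bob 20180531-06:40:00 10.10.10.30
"""
UIA2_EVENTS = r"""
domain\johndoe 20180531-07:23:26 10.10.10.10
domain\carol 20180531-06:39:59 10.10.10.30
"""


def parse_events(text):
    """Parse one agent's feed into (user, timestamp, ip) tuples."""
    events = []
    for line in text.strip().splitlines():
        user, stamp, ip = line.split()
        events.append((user, datetime.strptime(stamp, "%Y%m%d-%H:%M:%S"), ip))
    return events


def merge_mappings(*agent_feeds):
    """Model of the firewall's user-ip-mapping table (an assumption-based
    model of the behaviour described in the thread, not PAN-OS code):
    ingest every agent's events and keep, per IP, the mapping carrying the
    most recent timestamp, regardless of which agent delivered it first."""
    table = {}  # ip -> (user, timestamp)
    for feed in agent_feeds:
        for user, stamp, ip in parse_events(feed):
            current = table.get(ip)
            if current is None or stamp > current[1]:
                table[ip] = (user, stamp)
    return {ip: user for ip, (user, _) in table.items()}


if __name__ == "__main__":
    # Ingestion order does not change the result; only timestamps decide.
    for ip, user in sorted(merge_mappings(UIA1_EVENTS, UIA2_EVENTS).items()):
        print(ip, "->", user)
```

Running it prints johndoe for 10.10.10.10 (refreshed by the later UIA2 event), alice for 10.10.10.20 (only one agent reported it) and bob for 10.10.10.30 (its 06:40:00 event is one second newer than UIA2's carol event).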

Thanks man... I got it now...
