- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
01-28-2013 10:19 AM
sw-version: 3.1.12
Given the command below, how do I force server01 to be the primary pan-agent without any disruption?
> show user pan-agent statistics
Timer: interval of group membership retrieval
State: *:primary pan-agent to retrieve group membership
---------------- --------------- ----- ------- ------------------ ------ ------ -------- -------- -------- --------------- -----
Name IP Address Port Vsys State Users Grps IPs Activity Timer(s) Domain Index
---------------- --------------- ----- ------- ------------------ ------ ------ -------- -------- -------- --------------- -----
server02 192.168.1.11 6667 vsys1 *connected, ok 716 508 61 104139 600 mydomain 0
server01 192.168.1.10 6667 vsys1 connected, ok 0 0 48 103712 600 mydomain 1
01-29-2013 01:58 PM
On 3.1.12 code we do not have any options to fail over the agents and if you should, there should not be any disruptions if failing over to the other agent as they should be identical.
I would recommend a request for an enhancement request to get such a command.
In the earlier versions of Pan OS the priority is based off of when the devices were entered into the firewall. However, in the new 5.0 version you can configure this with the custom agent sequence option.
This option allows you to define the sequence order in which the User-ID agent profiles will connect to the defined server. For example, if you have four agents identified in the sequence list, it will attempt to connect to the first agent listed, if that connection fails, it will connect to the next agent listed, and so on. If this option is not configured, the connection sequence will follow the order of the agents listed in the main page
01-29-2013 01:58 PM
On 3.1.12 code we do not have any options to fail over the agents and if you should, there should not be any disruptions if failing over to the other agent as they should be identical.
I would recommend a request for an enhancement request to get such a command.
In the earlier versions of Pan OS the priority is based off of when the devices were entered into the firewall. However, in the new 5.0 version you can configure this with the custom agent sequence option.
This option allows you to define the sequence order in which the User-ID agent profiles will connect to the defined server. For example, if you have four agents identified in the sequence list, it will attempt to connect to the first agent listed, if that connection fails, it will connect to the next agent listed, and so on. If this option is not configured, the connection sequence will follow the order of the agents listed in the main page
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!