How to change pan-agent priority?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

How to change pan-agent priority?

L1 Bithead

sw-version: 3.1.12

Given the command below, how do I force server01 to be the primary pan-agent without any disruption?

> show user pan-agent statistics

Timer: interval of group membership retrieval
State: *:primary pan-agent to retrieve group membership
---------------- --------------- ----- ------- ------------------ ------ ------ -------- -------- -------- --------------- -----
Name             IP Address      Port  Vsys     State             Users  Grps   IPs      Activity Timer(s) Domain          Index
---------------- --------------- ----- ------- ------------------ ------ ------ -------- -------- -------- --------------- -----
server02          192.168.1.11    6667  vsys1   *connected, ok     716    508    61       104139   600      mydomain             0   
server01          192.168.1.10    6667  vsys1    connected, ok     0      0      48       103712   600      mydomain             1

1 accepted solution

Accepted Solutions

L3 Networker

On 3.1.12 code we do not have any options to fail over the agents and if you should, there should not be any disruptions if failing over to the other agent as they should be identical.

I would recommend a request for an enhancement request to get such a command.

In the earlier versions of Pan OS the priority is based off of when the devices were entered into the firewall.  However, in the new 5.0 version you can configure this with the custom agent sequence option.

This option allows you to define the sequence order in which the User-ID agent profiles will connect to the defined server. For example, if you have four agents identified in the sequence list, it will attempt to connect to the first agent listed, if that connection fails, it will connect to the next agent listed, and so on. If this option is not configured, the connection sequence will follow the order of the agents listed in the main page

View solution in original post

1 REPLY 1

L3 Networker

On 3.1.12 code we do not have any options to fail over the agents and if you should, there should not be any disruptions if failing over to the other agent as they should be identical.

I would recommend a request for an enhancement request to get such a command.

In the earlier versions of Pan OS the priority is based off of when the devices were entered into the firewall.  However, in the new 5.0 version you can configure this with the custom agent sequence option.

This option allows you to define the sequence order in which the User-ID agent profiles will connect to the defined server. For example, if you have four agents identified in the sequence list, it will attempt to connect to the first agent listed, if that connection fails, it will connect to the next agent listed, and so on. If this option is not configured, the connection sequence will follow the order of the agents listed in the main page

  • 1 accepted solution
  • 2315 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!