- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
02-22-2011 08:07 AM
Hello
We are having some complaints with the deployment of multiple Palo Alto Agents.
We have 3 remote sites in 1 DOMAIN which are connected with a slow vpn connection. Each remote site has his own Domain controller
Since we have a slow connection ,we made the choice to deploy an agent for each site. Each agent is only pointing to the local domain controller . The Palo Alto Device ( located at the main site ) is pointing to all agents.
the issue is that some user mappings are not recognized by the PA , but they are listed on the agent.
Question about this: We thought the Palo Alto is demanding all configured Agents for the same domain to resolve an ip-address to a username , but it seems like the Palo Alto device is only demanding the active agent ( * ) ( show user pan-agent statistics )
Is there anyone who can confirm this ?
If the Palo Alto agent will only demand the active agent , how can we workaround this issue ? ( if we define each DC's on the remote agents, we got to much traffic load on the vpn connections. )
Thanks !
02-22-2011 08:12 AM
The *connected Pan Agent server is the one that is being polled for user/group membership updates. The PAN firewall should be pulling user/ip mappings from all of the agents.
What version of PANOS are you running on the firewall?
Are you seeing that the activity columm for 'show user pan-agent statistics' is only updating for the *connected Pan Agent server?
-Benjamin
02-22-2011 08:17 AM
Hello,
we see updated information for every agent when we check with the cli ( every agent is connected and the right amount of users / groups is displayed every time ) , but if we enable the debug logs on the agents ,we never see an incoming connection from the Palo Alto , only on the active agent... We use 3.1.7...
02-22-2011 08:26 AM
If the activity column is incrementing for all Pan Agents (show user pan-agent statistics) but the Pan Agents do not show a connection from the PAN firewall in their logs then it sounds like something is not working properly. I would verify that the scenario you describe is true and if so I would advise you to open a support case.
-Benjamin
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!