multiple Palo Alto Agent deployments



Hello

We are having some complaints about the deployment of multiple Palo Alto agents.

We have 3 remote sites in 1 domain, which are connected by a slow VPN connection. Each remote site has its own domain controller.

Since we have a slow connection, we made the choice to deploy an agent for each site. Each agent is only pointing to the local domain controller. The Palo Alto device (located at the main site) is pointing to all agents.
The issue is that some user mappings are not recognized by the PA, but they are listed on the agent.

Question about this: We thought the Palo Alto would query all configured agents for the same domain to resolve an IP address to a username, but it seems like the Palo Alto device is only querying the active agent (*) (show user pan-agent statistics).

Is there anyone who can confirm this?

If the Palo Alto will only query the active agent, how can we work around this issue? (If we define each DC on the remote agents, we get too much traffic load on the VPN connections.)

Thanks!


The *connected Pan Agent server is the one that is being polled for user/group membership updates. The PAN firewall should be pulling user/IP mappings from all of the agents.

What version of PAN-OS are you running on the firewall?

Are you seeing that the activity column for 'show user pan-agent statistics' is only updating for the *connected Pan Agent server?

-Benjamin

Hello,

We see updated information for every agent when we check with the CLI (every agent is connected and the right number of users/groups is displayed every time), but if we enable the debug logs on the agents, we never see an incoming connection from the Palo Alto, only on the active agent... We use 3.1.7...

If the activity column is incrementing for all Pan Agents (show user pan-agent statistics) but the Pan Agents do not show a connection from the PAN firewall in their logs, then it sounds like something is not working properly. I would verify that the scenario you describe is true and, if so, I would advise you to open a support case.

-Benjamin
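The verification step suggested above (take two readings of the per-agent statistics some minutes apart and see which agents' activity counters actually moved) is easy to get wrong by eye across several agents. The following is an added example written for this thread, not code from Palo Alto Networks or from anyone in the discussion. It parses two snapshots of a per-agent counter table and reports which agents show no new activity between them. The table layout used in the constructed snapshots (name, address, state, activity count, with a leading `*` marking the connected agent) is an assumption for illustration; it is not a transcript of the real `show user pan-agent statistics` output, whose exact columns vary by release, so adjust the regular expression to the columns your firewall prints.

```python
"""Flag User-ID agents whose activity counter did not move between two
snapshots of a per-agent statistics table.

The snapshot layout and the sample data below are CONSTRUCTED for this
example and are not the real PAN-OS CLI output.
"""
import re
from typing import Dict, List, Optional, Tuple

# agent name -> (is the connected/'*' agent, activity counter)
Snapshot = Dict[str, Tuple[bool, int]]

# Assumed row layout: optional '*', name, address, state, integer activity.
# Header or blank lines do not match because the last field is not numeric.
ROW_RE = re.compile(
    r"^(?P<active>\*?)(?P<name>\S+)\s+(?P<addr>\S+)\s+(?P<state>\S+)\s+(?P<count>\d+)\s*$"
)


def parse_snapshot(text: str) -> Snapshot:
    """Parse one snapshot of the (assumed) agent statistics table."""
    snap: Snapshot = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # header, separator or anything we do not understand
        snap[m["name"]] = (m["active"] == "*", int(m["count"]))
    return snap


def connected_agent(snap: Snapshot) -> Optional[str]:
    """Name of the agent marked with '*', or None if no row carries the mark."""
    for name, (active, _) in snap.items():
        if active:
            return name
    return None


def stalled_agents(before: Snapshot, after: Snapshot) -> List[str]:
    """Agents present in both snapshots whose activity counter did not increase.

    An agent that is 'connected' but never polled shows up here: the firewall
    reports it, yet no requests reach it between the two readings.
    """
    return sorted(
        name
        for name, (_, count_before) in before.items()
        if name in after and after[name][1] <= count_before
    )


# Constructed sample: three agents, one per site; only the '*' agent is busy.
SNAPSHOT_T0 = """\
Agent            Address              State       Activity
*agent-site-a    10.1.0.10:5007       connected   1204
agent-site-b     10.2.0.10:5007       connected   88
agent-site-c     10.3.0.10:5007       connected   91
"""

SNAPSHOT_T1 = """\
Agent            Address              State       Activity
*agent-site-a    10.1.0.10:5007       connected   1290
agent-site-b     10.2.0.10:5007       connected   88
agent-site-c     10.3.0.10:5007       connected   91
"""


def report(t0_text: str, t1_text: str) -> Tuple[Optional[str], List[str]]:
    """Return (connected agent, agents with no activity) for two snapshots."""
    t0, t1 = parse_snapshot(t0_text), parse_snapshot(t1_text)
    return connected_agent(t1), stalled_agents(t0, t1)


if __name__ == "__main__":
    active, stalled = report(SNAPSHOT_T0, SNAPSHOT_T1)
    print(f"connected (*) agent: {active}")
    print(f"agents with no new activity: {stalled or 'none'}")
```

Take the two readings several minutes apart during working hours so that legitimate polling has time to happen; an agent that appears in `stalled_agents` while its own debug log shows no inbound connection from the firewall is exactly the mismatch the reply above says warrants a support case.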
