PAN agent over WAN issue

Showing results for 
Search instead for 
Did you mean: 

PAN agent over WAN issue

Not applicable


Just had another issue to discuss about WAN Pan Agent, if you do have time, please go through.

Local LAN PAN agent is configured for network

WAN PAN agent is configured for site 1 network 10.12.111.x/24

But I have users from Site to with network 10.13.111.x/24 as well logging on to the same DC of site 1.

I think its some AD issue, though site 2 has its own DC, some users of that site log on to site 1.

And so on, some users of site 3 also do the same, and more over, there are users from the local LAN

who some times log on to the WAN DC's !!

How do I configure the pan agent to work in such an environment.

I have had issues when I configured the local PAN Agent and remote PAN Agent with same allowed list of IP's

I have had issues

with PA-FW trying to reference every user, even users from  the Head Office to the WAN DC PAN agent.

As such, a user who was earlier successfully logging  on to the PAN agent in the Head Office,

now  is not able to browse, and it says its blocked,  and within in the  blocked page it mentions his local IP address as the 'user name'  (Source) not the correct user name.

admin@DP-PAFW01(active)> show user pan-agent  statistics

Timer: interval of group membership retrieval
State: *:primary pan-agent  to retrieve group membership
----------------  --------------- ----- -------  ------------------ ------ ------  -------- -------- -------- ---------------  -----
Name             IP  Address      Port  Vsys     State              Users  Grps   IPs       Activity Timer(s) Domain           Index
----------------  --------------- ----- ------- ------------------  ------ ------ --------  -------- -------- ---------------  -----
PAN-Agent-01       7799  vsys1    connected,  ok     0      0      10091    58       600      dpf              1
PAN-Agent-Ghu    7799  vsys1   *connected,  ok     12660  443    59       67       600      dpf             2

How can I make the PA-FW understand that the PAN Agent at the head office should  be the

primary pan-agent to retrieve group membership and not the  newly installed WAN Site PAN.

Kindly comment with your inputs,




L4 Transporter

Well Ill just jump into this.

At this point in the product there is no means to prioritize which agent will be set as primary nor can we set an order of precedence on the DC's to give one a greater weight than others. This is however a feature request and is under investigation for future builds.


Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!