04-06-2011 10:41 PM
Hi,
Just had another issue to discuss about WAN Pan Agent, if you do have time, please go through.
Local LAN PAN agent is configured for 10.0.0.0/8 network
WAN PAN agent is configured for site 1 network 10.12.111.x/24
But I have users from Site 2 with network 10.13.111.x/24 as well logging on to the same DC of site 1.
I think it's some AD issue; though site 2 has its own DC, some users of that site log on to site 1.
And so on, some users of site 3 also do the same, and moreover, there are users from the local LAN
who sometimes log on to the WAN DCs!!
How do I configure the PAN agent to work in such an environment?
I have had issues when I configured the local PAN Agent and remote PAN Agent with the same allowed list of IPs, 10.0.0.0/8.
I have had issues with PA-FW trying to reference every user, even users from the Head Office to the WAN DC PAN agent.
As such, a user who was earlier successfully logging on to the PAN agent in the Head Office
now is not able to browse, and it says it's blocked, and within the blocked page it mentions his local IP address as the 'user name' (Source), not the correct user name.
admin@DP-PAFW01(active)> show user pan-agent statistics
Timer: interval of group membership retrieval
State: *:primary pan-agent to retrieve group membership
---------------- --------------- ----- ------- ------------------ ------ ------ -------- -------- -------- --------------- -----
Name             IP Address      Port  Vsys    State              Users  Grps   IPs      Activity Timer(s) Domain          Index
---------------- --------------- ----- ------- ------------------ ------ ------ -------- -------- -------- --------------- -----
PAN-Agent-01     10.0.2.20       7799  vsys1   connected, ok      0      0      10091    58       600      dpf             1
PAN-Agent-Ghu    10.12.111.14    7799  vsys1   *connected, ok     12660  443    59       67       600      dpf             2
How can I make the PA-FW understand that the PAN Agent at the head office should be the
primary pan-agent to retrieve group membership and not the newly installed WAN Site PAN?
Kindly comment with your inputs,
Rgds,
Tauseef
04-08-2011 10:24 AM
Well, I'll just jump into this.
At this point in the product there is no means to prioritize which agent will be set as primary, nor can we set an order of precedence on the DCs to give one a greater weight than others. This is however a feature request and is under investigation for future builds.
~Phil
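
Because the primary agent cannot be pinned, the choice the firewall made can at least be monitored. The following is an added example, not part of the original thread and not Palo Alto tooling: it parses the `show user pan-agent statistics` output quoted in the question and reports when the starred (primary for group membership) agent is not the expected one. The function names and the way the output is captured are assumptions; the sample rows are copied from the post.

```python
import re

# Rows copied from the output quoted in the question above.
SAMPLE = """\
Name IP Address Port Vsys State Users Grps IPs Activity Timer(s) Domain Index
PAN-Agent-01 10.0.2.20 7799 vsys1 connected, ok 0 0 10091 58 600 dpf 1
PAN-Agent-Ghu 10.12.111.14 7799 vsys1 *connected, ok 12660 443 59 67 600 dpf 2
"""

# The State column contains a space ("connected, ok"), so a plain split() is
# not enough; anchor on the IP address and the trailing numeric columns.
ROW = re.compile(
    r"^(?P<name>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<port>\d+)\s+"
    r"(?P<vsys>\S+)\s+(?P<primary>\*?)(?P<state>.+?)\s+"
    r"(?P<users>\d+)\s+(?P<groups>\d+)\s+(?P<ips>\d+)\s+"
    r"(?P<activity>\d+)\s+(?P<timer>\d+)\s+(?P<domain>\S+)\s+(?P<index>\d+)\s*$"
)
INT_FIELDS = ("port", "users", "groups", "ips", "activity", "timer", "index")


def parse_agents(text):
    """Return one dict per agent row; header and separator lines are skipped."""
    agents = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        row = m.groupdict()
        row["primary"] = row["primary"] == "*"  # '*' marks the group-membership primary
        for key in INT_FIELDS:
            row[key] = int(row[key])
        agents.append(row)
    return agents


def check_primary(agents, expected_name):
    """List findings: wrong or missing primary, or an agent that is not connected."""
    findings = []
    primaries = [a["name"] for a in agents if a["primary"]]
    if primaries != [expected_name]:
        findings.append(f"primary is {primaries or 'none'}, expected {expected_name}")
    for a in agents:
        if not a["state"].startswith("connected"):
            findings.append(f"{a['name']} ({a['ip']}) state: {a['state']}")
    return findings


if __name__ == "__main__":
    for finding in check_primary(parse_agents(SAMPLE), "PAN-Agent-01"):
        print("WARN:", finding)
```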