Static user-id to IP-address mapping

L0 Member

Hi All,

Is there a way in PanOS 6.1.x to manually map a user-id to an IP address?

Or is there a way to set an IP address to be exempt from the user-id mapping policy?

I have PA-500s being staged behind a generic firewall inside a production network with a PA-3000 on the perimeter. The PA-500s NAT their external connections via the generic firewall and cannot establish a connection to the PA update server without connecting a laptop behind the generic fw and authenticating via the captive portal.

Regards,

Charles

1 accepted solution

Accepted Solutions

L4 Transporter

Or you can also add an exception policy for your PA500 IP address at the top of the captive portal policies. You just need to configure the action as "no-captive-portal":

from: PA500_IP -Trust

To: any -Untrust

Actions: no-captive-portal

You can test the policy using the following command:

test cp-policy-match from <value>|<any> to <value>|<any> source <ip/netmask> destination <ip/netmask>

Regards,

G


5 REPLIES

L7 Applicator

On the bottom of the User-ID setup screen you can enter exclude addresses that will be ignored for user-ID.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

Thanks Steven. Just to confirm that if I follow this route, then I would need to explicitly define all networks to be user-id'd under the include action.

How the User-ID Agent Include/Exclude List Works

Yes, once you set up this section it is comprehensive on both exclude and include networks.


L3 Networker

Keep in mind that the Agents process the include/exclude networks list in a top-down fashion, just like the firewalls do policy. What I did to keep from having to manually identify all of the networks I wanted to include was to put all of my excludes at the top and then create 3 include entries to cover all of the RFC1918 addresses.
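As an added example (not code from this thread or from Palo Alto Networks), the Python below models the behaviour the two replies above describe: the include/exclude list is walked top-down and the first matching entry wins, so excludes must sit above the broad RFC1918 includes, and once any list is configured an address that matches nothing is not mapped. It also adds a check practitioners usually want, flagging entries that an earlier, broader entry shadows. The PA-500 address 10.1.1.50 and the sample list are constructed for illustration, and the exact agent behaviour beyond first-match is an assumption.

```python
"""Model of User-ID agent include/exclude list evaluation (illustrative only).

Assumptions (not taken from the thread): the agent stops at the first matching
entry, and an address matching no entry is not mapped once a list exists.
"""
from ipaddress import ip_address, ip_network
from typing import List, Tuple

# (action, network) in the order the agent evaluates them; order matters.
Entry = Tuple[str, str]

# Private ranges used for the catch-all include entries.
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


def should_map(ip: str, entries: List[Entry]) -> bool:
    """Return True if the agent would attempt a user mapping for this IP.

    With no list configured every address is a candidate. With a list, the
    first entry whose network contains the address decides; if none matches,
    the address is treated as not included (the list is comprehensive).
    """
    if not entries:
        return True
    addr = ip_address(ip)
    for action, net in entries:
        if addr in ip_network(net, strict=False):
            return action == "include"
    return False


def build_list(excludes: List[str]) -> List[Entry]:
    """Recommended ordering: specific excludes first, then RFC1918 includes."""
    return [("exclude", n) for n in excludes] + [("include", n) for n in RFC1918]


def misordered_list(excludes: List[str]) -> List[Entry]:
    """Broken ordering: the broad includes come first and swallow every exclude."""
    return [("include", n) for n in RFC1918] + [("exclude", n) for n in excludes]


def shadowed_entries(entries: List[Entry]) -> List[str]:
    """Return networks that can never match because an earlier entry covers them.

    This is the check to run after editing the list: a shadowed exclude means
    the address is still being mapped (or still hitting the captive portal).
    """
    shadowed = []
    for i, (_, net) in enumerate(entries):
        n = ip_network(net, strict=False)
        for _, earlier in entries[:i]:
            e = ip_network(earlier, strict=False)
            # subnet_of() raises on mixed IPv4/IPv6, so compare versions first.
            if n.version == e.version and n.subnet_of(e):
                shadowed.append(net)
                break
    return shadowed


if __name__ == "__main__":
    pa500 = "10.1.1.50"  # constructed staging address for the PA-500
    good = build_list([pa500 + "/32"])
    bad = misordered_list([pa500 + "/32"])
    print("correct order, PA-500 mapped?  ", should_map(pa500, good))   # False
    print("wrong order,   PA-500 mapped?  ", should_map(pa500, bad))    # True
    print("shadowed entries in wrong order:", shadowed_entries(bad))
```

Run it as a script to see the PA-500 excluded only when its entry precedes the 10.0.0.0/8 include; swap the order and the exclude becomes unreachable, which is exactly the condition `shadowed_entries()` reports.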
