This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

UIA / PAN Agent to Firewall Communication

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

UIA / PAN Agent to Firewall Communication

slechatton
Not applicable

‎04-25-2010 01:37 PM

Hello,

Looking at the User Identification with PAN-OS 2.1 Tech Note rev00E 03/09, I can read :

"The User Identification Agent must have IP connectivity to the firewall management interface.
This is true even if the firewall is managed by an inline, Layer 3 interface on the firewall. All
Agent communication to the firewall is sent and received through the firewall management
interface. It is not possible to use an inline Layer 3 interface for this function in PAN-OS 2.1."

Is it always true in the 3.0 or 3.1 version ?

I manage several isolated AD domains. These domains should have NO access to the Management network, so no access to the management interface.

If in a new version, it could be possible to establish this connectivity between the PA and the UIA on a L3 Interface (configured with a correct management profile),

- which permitted services should be enabled on the L3 interface ?
- On the PA Device User Identication configuration page, How to specify the interface used to join the UIA ? (only IP/port are possible to specify)... My problem is that several domains could have overlaped subnets. Not a problem with dedicated Interface / Virtual Router, but to join the UIA... which L3 to use... ?

Thanks - Sylvain.

0 Likes Likes
2 REPLIES 2

vinesh
L2 Linker

‎04-26-2010 03:26 AM

Sylvain,

Have you tried configuring the Service Route under the Device Tab and change the interface to the L3 on which you want to communicated with UIA?

slechatton
Not applicable
In response to vinesh

‎04-26-2010 10:36 AM

Vinesh,

Thanks for you help, it's usefull to redirect a service to an interface, but

- which service is used to connect to UIA ?

- if the subnets are overlapped, how to specify the destinations ?

Thanks - Sylvain

0 Likes Likes
  • 2385 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks