Looking at the User Identification with PAN-OS 2.1 Tech Note rev00E 03/09, I can read:
"The User Identification Agent must have IP connectivity to the firewall management interface.
This is true even if the firewall is managed by an inline, Layer 3 interface on the firewall. All
Agent communication to the firewall is sent and received through the firewall management
interface. It is not possible to use an inline Layer 3 interface for this function in PAN-OS 2.1."
Is this still true in version 3.0 or 3.1?
I manage several isolated AD domains. These domains should have NO access to the Management network, so no access to the management interface.
If, in a newer version, it were possible to establish this connectivity between the PA and the UIA on an L3 interface (configured with a suitable management profile):
- which permitted services should be enabled on the L3 interface?
- on the PA Device User Identification configuration page, how do I specify the interface used to reach the UIA? (only IP/port can be specified)... My problem is that several domains could have overlapping subnets. That is not a problem with a dedicated interface / virtual router, but to reach the UIA... which L3 interface to use...?
Thanks - Sylvain.
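To make the overlapping-subnet problem from the question concrete, here is an added example (not part of Sylvain's post and not Palo Alto code). It models several per-domain virtual routers with constructed, assumed subnets and shows that when the agent's IP falls inside prefixes carried by more than one virtual router, the address alone cannot tell the firewall which L3 interface to source the connection from; the VR names and addresses are hypothetical.

```python
import ipaddress

# Constructed example data: per-domain virtual routers and the prefixes each carries.
# Names and addresses are assumptions for illustration, not from any real deployment.
VR_SUBNETS = {
    "vr-domainA": ["10.1.0.0/16", "192.168.10.0/24"],
    "vr-domainB": ["10.1.0.0/16", "192.168.20.0/24"],   # 10.1.0.0/16 overlaps with domainA
    "vr-domainC": ["172.16.0.0/12"],
}


def vrs_containing(ip, vr_subnets=VR_SUBNETS):
    """Return the sorted list of virtual-router names whose prefixes contain ip."""
    addr = ipaddress.ip_address(ip)
    return sorted(
        vr for vr, nets in vr_subnets.items()
        if any(addr in ipaddress.ip_network(n, strict=False) for n in nets)
    )


def overlapping_pairs(vr_subnets=VR_SUBNETS):
    """Return sorted (vr1, vr2, net1, net2) tuples for prefixes that overlap
    between two different virtual routers."""
    found = []
    items = sorted(vr_subnets.items())
    for i, (vr1, nets1) in enumerate(items):
        for vr2, nets2 in items[i + 1:]:
            for n1 in nets1:
                for n2 in nets2:
                    a = ipaddress.ip_network(n1, strict=False)
                    b = ipaddress.ip_network(n2, strict=False)
                    if a.overlaps(b):
                        found.append((vr1, vr2, str(a), str(b)))
    return found


def classify_agent(ip, vr_subnets=VR_SUBNETS):
    """Decide whether an agent address identifies a single virtual router.

    Returns 'unreachable' if no VR carries the address, 'ambiguous' if more
    than one does (the IP alone cannot select the egress L3 interface), or
    the single VR name otherwise.
    """
    hits = vrs_containing(ip, vr_subnets)
    if not hits:
        return "unreachable"
    if len(hits) > 1:
        return "ambiguous"
    return hits[0]


if __name__ == "__main__":
    for pair in overlapping_pairs():
        print("overlap:", pair)
    for agent in ("10.1.5.5", "192.168.20.7", "8.8.8.8"):
        print(agent, "->", classify_agent(agent))
```

Running it over the constructed data reports the 10.1.0.0/16 overlap between the two domain VRs and classifies an agent at 10.1.5.5 as ambiguous, which is exactly the situation where an IP/port-only agent setting is not enough and the interface (or virtual router) has to be chosen explicitly.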