04-25-2010 01:37 PM
Hello,
Looking at the User Identification with PAN-OS 2.1 Tech Note rev00E 03/09, I can read:
"The User Identification Agent must have IP connectivity to the firewall management interface.
This is true even if the firewall is managed by an inline, Layer 3 interface on the firewall. All
Agent communication to the firewall is sent and received through the firewall management
interface. It is not possible to use an inline Layer 3 interface for this function in PAN-OS 2.1."
Is it still true in version 3.0 or 3.1?
I manage several isolated AD domains. These domains should have NO access to the management network, so no access to the management interface.
If, in a newer version, it is possible to establish this connectivity between the PA and the UIA on an L3 interface (configured with a correct management profile):
- which permitted services should be enabled on the L3 interface?
- On the PA Device User Identification configuration page, how do I specify the interface used to reach the UIA? (Only IP/port can be specified.) My problem is that several domains could have overlapping subnets. Not a problem with a dedicated interface / virtual router, but to reach the UIA, which L3 interface to use?
Thanks - Sylvain.
04-26-2010 03:26 AM
Sylvain,
Have you tried configuring the Service Route under the Device tab and changing the interface to the L3 interface on which you want to communicate with the UIA?
04-26-2010 10:36 AM
Vinesh,
Thanks for your help, it's useful to redirect a service to an interface, but
- which service is used to connect to the UIA?
- if the subnets overlap, how do I specify the destinations?
Thanks - Sylvain
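As an added illustration (not part of the thread, and not Palo Alto Networks' own documentation), here is how the service-route approach Vinesh describes, and the two follow-up questions above, look on a current PAN-OS CLI. The service name uid-agent, the interface ethernet1/3 and the addresses are assumptions chosen for the example; the PAN-OS 3.x CLI of 2010 may differ, and the tech note quoted at the top of the thread concerns PAN-OS 2.1, where this was not possible at all.

```text
# Assumed current PAN-OS CLI syntax; interface names and addresses are made up for this example.
configure
# Answer to "which service": the User-ID Agent connection is its own service route entry (uid-agent).
# Send it out a data-plane L3 interface instead of the management interface.
set deviceconfig system route service uid-agent source interface ethernet1/3
set deviceconfig system route service uid-agent source address 10.10.1.1/24
commit
exit
# Check that the firewall actually reaches the agent over the new path.
show user user-id-agent state all
```

The caveat for the second question: a service route is a device-wide setting, not something defined per virtual router. It only chooses the source interface and source address the firewall uses for that service; the agent's destination IP still has to be unambiguous from the firewall's point of view. With overlapping subnets in separate virtual routers, the service route alone cannot tell two agents with the same IP apart, so the UIA address reachable through the chosen interface must be unique across the device (for example, agents placed on a non-overlapping range or reached through a dedicated link).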