09-27-2024 04:25 PM
Hello,
I'm currently working through the Certificate Advisory. We currently have firewalls running 10.1.11, and the User-ID agent is 10.1.1-102. I started upgrading the firewalls to the current preferred version of 10.1.13h1. The issue I have is that I am simultaneously trying to introduce PA-1410 firewalls into Panorama for management. The PA-1410 does not support 10.x.
The advisory states that firewalls must be upgraded with hotfix before upgrading the UserID agent. Per the advisory:
"Install the hotfix listed in Table 2 below on all NGFWs and Panoramas. It is important to perform this step before updating the agents; these two steps must be performed in sequence"
This creates a challenge, as to my knowledge, UserID agent 10.1.x will not work on firewalls running 11.x. 11.x is my only option for the 1410's and I need to deploy these firewalls well before the other firewalls will be finished upgrading.
What's the best way to go about this? The only thing I can think of is to introduce the 1410's without using the User-ID agent temporarily and use agentless server monitoring instead. Anyone have another idea?
Also, the latest userID agent is listed as 11.0.1-104, does this work with PAN-OS 11.1 and 11.2? Documentation states it works on 11.0 and earlier.
10-01-2024 12:11 PM
Hi @securehops,
I've shared your post with the Advisory team.
10-01-2024 05:27 PM
Simple solution that adds a bit of complexity, but why don't you just spin up another agent with 11.0.1 and only use it for the PA-1410s? I imagine that there's a reason that you aren't using agentless to begin with, so that would keep the benefits of running the agent in this instance. Either option is viable assuming that you can use the agentless setup.
10-01-2024 06:10 PM
Hi @BPry
I did consider setting up a new server for the User-ID agent as a backup option, but since it's only temporary, I was thinking agentless would be the easier way to go.
I always used agentless, but it kept triggering a lot of alerts, and at the time the solution from TAC was to just use the User-ID agent.
I also couldn't get clarity from support if the 11.0 User-ID agent is compatible with PAN-OS 11.1 and 11.2. The release notes say it's compatible with 11.0 and earlier.
10-04-2024 01:05 AM
PAN-OS is backwards compatible with User-ID versions, so PAN-OS 11.x can work with User-ID 10.x.
No need for any duplication.
```
reaper@fwl-be(active)> show system info | match sw-version
sw-version: 11.1.4-h1
reaper@fwl-be(active)> show system info | match model
model: PA-1420
reaper@fwl-be(active)> show user user-id-agent config all | match Product
Product Version: 10.1.0
Product Version: 10.1.0
reaper@fwl-be(active)> show user user-id-agent state all | match Status
Status : conn:idle
Status : conn:idle
reapern@fwl-be(active)> show user ip-user-mapping all
IP                                            Vsys                From    User                             IdleTimeout(s) MaxTimeout(s)
--------------------------------------------- ------------------- ------- -------------------------------- -------------- -------------
10.10.10.5                                    vsys1               UIA     pangurus\reaper                  6861           6861
```
10-15-2024 08:13 AM
Thanks @reaper
Since I was in a time crunch, I set up a new server temporarily.
This is good to know for the future, but the documentation states differently. Palo needs to do a better job on this.