Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

UserID Agent version compatbility

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

UserID Agent version compatbility

L3 Networker

Hello,

 

I'm currently working through the Certificate Advisory.  We currently have firewalls running 10.1.11, user-ID agent is 10.1.1-102.   Started an upgraded firewalls  to current preferred version of 10.1.13h1.  The issue I have is I am simultaneously trying to introduce PA-1410 firewalls into Panorama for management.  PA-1410 does not support 10.x

 

The advisory states that firewalls must be upgraded with hotfix before upgrading the UserID agent.  Per the advisory:
"Install the hotfix listed in Table 2 below on all NGFWs and Panoramas. It is important to perform this step before updating the agents; these two steps must be performed in sequence"

 

This creates a challenge, as to my knowledge,  UserID agent 10.1.x will not work on firewalls running 11.x.  11.x is my only option for the 1410's and I need to deploy these firewalls well before the other firewalls will be finished upgrading.

 

What's the best way to go about this?   Only thing I can think of is introduce the 1410's without using userID agent temporarily and use agentless server monitor instead.   Anyone have another idea?

 

Also, the latest userID agent is listed as 11.0.1-104,  does this work with PAN-OS 11.1 and 11.2?  Documentation states it works on 11.0 and earlier.  

1 accepted solution

Accepted Solutions

Cyber Elite
Cyber Elite

@securehops,

Simple solution that adds a bit of complexity, but why don't you just spin up another agent with 11.0.1 and only use it for the PA-1410s? I imagine that there's a reason that you aren't using agentless to begin with, so that would keep the benefits of running the agent in this instance. Either option is viable assuming that you can use the agentless setup. 

View solution in original post

5 REPLIES 5

Community Team Member

Hi @securehops ,

 

I've shared your post with the Advisory team.

LIVEcommunity team member
Stay Secure,
Jay
Don't forget to Like items if a post is helpful to you!

Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

Cyber Elite
Cyber Elite

@securehops,

Simple solution that adds a bit of complexity, but why don't you just spin up another agent with 11.0.1 and only use it for the PA-1410s? I imagine that there's a reason that you aren't using agentless to begin with, so that would keep the benefits of running the agent in this instance. Either option is viable assuming that you can use the agentless setup. 

Hi @BPry 

I did consider setting up a new server for UserID agent as a backup option but since it's only temporary, I was thinking agentless would be the easier way to go

 

I always used agentless but it kept triggering a lot of alerts and at the time, the solution from tac was to just use the UserID agent

 

The also couldn't get clarity from support if the 11.0 userID agent is compatible with pan-os 11.1 and 11.2.  Release notes says it's compatible with 11.0 and earlier

 

Cyber Elite
Cyber Elite

PAN-OS is backwards compatible with userID versions, so PAN-OS 11.x can work with UserID 10.x

no need for any duplication

 

 

reaper@fwl-be(active)> show system info | match sw-version
sw-version: 11.1.4-h1
reaper@fwl-be(active)> show system info | match model
model: PA-1420
reaper@fwl-be(active)> show user user-id-agent config all | match Product
Product Version: 10.1.0
Product Version: 10.1.0
reaper@fwl-be(active)> show user user-id-agent state all | match Status
        Status                                            : conn:idle
        Status                                            : conn:idle
reapern@fwl-be(active)> show user ip-user-mapping all

IP                                            Vsys                From    User                             IdleTimeout(s) MaxTimeout(s)
--------------------------------------------- ------------------- ------- -------------------------------- -------------- -------------
10.10.10.5                                  vsys1               UIA     pangurus\reaper                   6861           6861
Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Thanks @reaper 

 

Since I was in a time crunch, I set up a new server temporarily.  

 

This is good to know for future, but documentation states differently.  Palo needs to do a better job on this

  • 1 accepted solution
  • 865 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!