Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

userid in multiple VSYS environment

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

userid in multiple VSYS environment

L3 Networker

Hello,

 

We are using PA cluster in multiple VSYS environment. We would like to be able to configure user / group based policies across all the VSYS by sharing userid mapping table with all the VSYS (the user identification baseline is the same for all the VSYS).

 

Is there a quick method to achieve this or do we have to configure (same) userid settings in each VSYS ?

 

Laurent

1 accepted solution

Accepted Solutions

L5 Sessionator

As far as I know, and how I've always done it, you'll need to configure in each vsys. Because each vsys is meant to be a separate firewall, this design makes sense.

I think the quickest way to configure this is by using the CLI. If the settings are all the same, you'll just need to edit the vsys number and paste it in.

 

View solution in original post

4 REPLIES 4

L5 Sessionator

As far as I know, and how I've always done it, you'll need to configure in each vsys. Because each vsys is meant to be a separate firewall, this design makes sense.

I think the quickest way to configure this is by using the CLI. If the settings are all the same, you'll just need to edit the vsys number and paste it in.

 

Cyber Elite
Cyber Elite

@Laurent_Dormond,

This isn't one of the attributes that you can stick in <shared/> unfortunately; due in large part as @rmfalconer mentioned already. I however do believe that there is a feature request kicking around to have this feature added into PAN-OS if you want to reach out to your SE so they can add your vote to that FR or create a new FR if my memory is wrong. 

Hello guys,

 

Many thanks for your answers. Of course it makes sense that userid mapping table should not be shared across multiple VSYS by default, I was just thinking about something like a "hidden" command to make it that way.

However it's not a major need for me, it would be a "nice to have", also I will configure userid for each VSYS.

What you can do is setup one of your vsys to do server monitoring of all AD controllers, and then distribute the info from that vsys to the others as a User-ID Collector.

  • 1 accepted solution
  • 3493 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!