About torm

User-ID agent only supports one domain pr. agent. So if you have 2 different domains, you should run the agent on 2 different windows servers and monitor 1 domain pr agent. Then set up your fw to talk to both agents servers.    Don't think it's possible to run two instances of the agent on the same machoine.  ... View more

Hi,   Thanks for your answer.   Unfortuneatelly, there is so much going on in the userid.log file, that the rotation time for the file is only approx 1 hour. So that doesn't give me enough history. It's a pretty large user-id deployment with approx 70k users.    What I'm interessing in is the actually port-mappings being done in the agent. That means which port blocks are allocated to which user. I do not believe the CLI or logs on firewall can give me history on this. It just give me the "running" info when I use the commands "show user ip-port-user-mapping ip/all".   Agent log file contains execatly what I need, but it's really annoying having to log on to the servers. To bad there is no support for sending theese logs with syslog.   - Tor ... View more

Hi,   I've done this a few time with both BGP and OSPF, but always with having the traffic physically leaving the firewall like you say.   It's usually been scenarios with multiple vsys, with OSPF/BGP needed between VRs in different vsys's. This has been stable and worked as expected. With a multi-vsys environment, I think it makes sense to have the traffic leave the device, as there are some throughput limitations on inter-vsys routing, and you would have one session pr vsys for each "session" anyway.   Never tried exactly the same scenario as you are describing though. Not sure if I would trust the routing functionally in Palo Alto enough to do that anyway. Have seen some strange bugs related to ospf in previous releases. But if you manage to get it working, it would be nice to know how 🙂   - Tor     ... View more

Just a quick comment to the first post here. With 7.0 now released, you can now setup Global Protect internal gateway without any additional license.  ... View more

Hi, I have not had any problem with this i 7.0. I just choose the WAN interface, which is configured with DHCP client, as my Portal and Gateway interface. IP-address is just set to "none" in the webui. Have you tried just doing that? Looking at the config in the CLI, I see the same thing with the command "show global-protect global-protect-portal <Portal-name>" in configure mode. Local-address is just the interface (no ip-address). If I run "show global-protect-gateway gateway" in opreation mode in CLI, I do see the ip-address I get from DHCP under local address, as expected. - Tor ... View more

You could also use the "target" option in the security policy in Panorama. Then you can select to push specific policies to specific devices within a device group. ... View more

Hi, Nice to know, but it's unfortunately not what I'm looking for. This would help in narrowing down the ldap part of user-id (group-mapping), but not the IP-user-mapping part. I need a way to filter away ip-user-mappings containing a prefix(i.e. adm or svc). Using the ignore_user_list.txt in agent or "set user-id-collector ignore-user" in agentless does not scale in a large environment. Regards, Tor ... View more

Hi Matt, I've got a similar scenario at one of my customers. Did disabling the server session read help you, or did you come up with a different solution? In my case, I also want to ignore events from admin and service accounts that actually creates entries in the security logs on the DC, so disabling server session read won't be a good enough solution for me. Any input would be appreciated! - Tor ... View more

Yes, they are in the same collector group. Commit is alos going through on both Panoramas. I can see in the logs in the passive Panorama that the configuration was successfully syncronized after the last Panorama commit on that active Panorama. ... View more