The scenario is 3 firewalls, with PA-HO acting as the hub and PA-1 and PA-2 as the branch sites. The branch sites connect to the head office network via IPsec tunnels to PA-HO and vice-versa.
Due to multiple discontiguous subnets on the branches, it was decided to use 0.0.0.0/0 proxy-ids for the tunnels. This was proven to work for the PA-HO and PA-1 tunnel (both local and remote networks set to 0.0.0.0/0).
Would it be possible to set the proxy-id for the tunnel between PA-HO and PA-2 as 0.0.0.0/0 as well?
Many thanks in advance for your comments/feedback.
Thanks Steven. Just to confirm that if I follow this route, then I would need to explicitly define all networks to be user-id'd under the include action. How the User-ID Agent Include/Exclude List Works
Hi All, Is there a way in PAN-OS 6.1.x to manually map a user-id to an IP address? Or is there a way to set an IP address to be exempt from the user-id mapping policy? I have PA-500s being staged behind a generic firewall inside a production network with a PA-3000 on the perimeter. The PA-500s NAT their external connections via the generic firewall and cannot establish a connection to the PA update server without connecting a laptop behind the generic fw and authenticating via the captive portal. Regards, Charles