User-ID Agent Access Control List

Created On 09/25/18 19:25 PM - Last Modified 03/13/21 03:20 AM


Symptom


This article explains how the User-ID Agent Access Control List works.

Environment


  • Palo Alto Firewall.
  • Any PAN-OS.
  • Access Control List.


Resolution


Details

The User-ID Agent Access Control List is located under User Identification > Setup > Access Control list in the Palo Alto Networks User-ID Agent running on the Windows server.

 

The Access Control List defines which Palo Alto Networks firewalls are allowed to connect to the User-ID agent. It also restricts unauthorized access to the agent from IP addresses that do not belong to a Palo Alto Networks device. Access is controlled with allow and/or deny entries, each tied to a source IP address range. The entries are processed from top to bottom, just like a security policy on a firewall.

Done_ACL.PNG

 

Click "Add" to open the following window. The example shows an entry that uses the IP address range format to specify a single IP address.

UserIDAgentACL1.PNG

 

In the following example:

  • The firewall with IP address of 172.0.0.10 can access the User-ID Agent.
  • The firewall with IP address of 172.0.200.10 can access the User-ID Agent.
  • All other private IP addresses (RFC1918) are not allowed to contact the User-ID Agent.

UserIDAgentACL2.PNG
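The top-to-bottom processing described above can be modelled offline to review an ACL before entering it in the agent. The following Python sketch is an added example, not Palo Alto Networks code: the function names are hypothetical, the ACL is constructed from the bullets above with the three RFC1918 blocks as deny ranges, and the `default` action for a source that matches no entry is an assumption.

```python
import ipaddress

# Constructed ACL mirroring the article's example: (action, first IP, last IP).
# Entries are ordered top to bottom, as in the agent's list.
EXAMPLE_ACL = [
    ("allow", "172.0.0.10", "172.0.0.10"),
    ("allow", "172.0.200.10", "172.0.200.10"),
    ("deny", "10.0.0.0", "10.255.255.255"),
    ("deny", "172.16.0.0", "172.31.255.255"),
    ("deny", "192.168.0.0", "192.168.255.255"),
]

def _parse(acl):
    """Convert string ranges to integer bounds and validate them."""
    parsed = []
    for action, first, last in acl:
        if action not in ("allow", "deny"):
            raise ValueError(f"unknown action: {action}")
        lo = int(ipaddress.IPv4Address(first))
        hi = int(ipaddress.IPv4Address(last))
        if lo > hi:
            raise ValueError(f"range start after end: {first}-{last}")
        parsed.append((action, lo, hi))
    return parsed

def evaluate(acl, source_ip, default="deny"):
    """Return the action of the first entry whose range contains source_ip.

    `default` applies when no entry matches; it is an assumption of this
    sketch, not documented agent behaviour.
    """
    ip = int(ipaddress.IPv4Address(source_ip))
    for action, lo, hi in _parse(acl):
        if lo <= ip <= hi:
            return action
    return default

def shadowed_entries(acl):
    """List indexes of entries that can never match because one earlier
    entry already covers their whole range (e.g. an allow below a deny)."""
    parsed = _parse(acl)
    return [i for i, (_, lo, hi) in enumerate(parsed)
            if any(plo <= lo and hi <= phi for _, plo, phi in parsed[:i])]
```

A non-empty result from `shadowed_entries` means an entry sits below a broader one and will never take effect, which is the usual cause of a firewall being unexpectedly refused or an unintended source being admitted.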

 

 


