Focus

Strata Cloud Manager

NGFWs

Table of Contents

NGFWs

Streamline resource usage by configuring firewalls to collect mapping information from redistribution.

In a large-scale network, instead of configuring all your firewalls directly to query the mapping information sources, you can streamline resource usage by configuring some firewalls to collect mapping information through redistribution. Data redistribution also provides granularity, allowing you to redistribute only the types of information you specify to only the devices you select. You can also filter the IP user mappings or IP tag mappings using subnets and ranges to ensure the firewalls collect only the mappings they need to enforce policy rules.

To redistribute the data, you can use the following architecture types:

Hub and spoke architecture for a single region:

To redistribute data between firewalls, use a hub and spoke architecture as a best practice. In this configuration, a hub firewall collects the data from sources such as Windows User-ID agents, syslog servers, Domain Controllers, or other firewalls. Configure the redistribution client firewalls to collect the data from the hub firewall.

Multi-Hub and spoke architecture for multiple regions:

If you have firewalls deployed in multiple regions and want to distribute the data to the firewalls in all of these regions so that you can enforce policy rules consistently regardless of where the user logs in, you can use a multihub and spoke architecture for multiple regions.

Hierarchical architecture:

To redistribute data, you can also use a hierarchical architecture. For example, to redistribute data such as User-ID information, organize the redistribution sequence in layers, where each layer has one or more firewalls. In the bottom layer, PAN-OS integrated User-ID agents running on firewalls and Windows-based User-ID agents running on Windows servers map IP addresses to usernames. Each higher layer has firewalls that receive the mapping information and authentication timestamps from up to 100 redistribution points in the layer beneath it. The top-layer firewalls aggregate the mappings and timestamps from all layers. This deployment provides the option to configure policy rules for all users in top-layer firewalls and region- or function-specific policy rules for a subset of users in the corresponding domains served by lower-layer firewalls.

When traffic isn’t being enforced as expected, use

Troubleshooting

to check the dataplane status of specific firewalls to understand whether there’s a mismatch between expected policies (as configured) and enforced policies.

Strata Cloud Manager

Ensure your

Strata Cloud Manager

deployment meets the requirements to configure identity redistribution.

Configure and activate the Cloud Identity Engine (CIE) for your

Strata Cloud Manager

tenant.

This is required to use identity redistribution.

Activate the Cloud Identity Engine.

Set Up the Cloud Identity Engine.

Select

Manage

Configuration

NGFW and Prisma Access

Objects

Address Groups

and

Add

a Dynamic Address Group with the required IP address-to-tag mappings.

For the address group Type, select

Dynamic

. Configure the Dynamic Address Group as needed and

Save

Select

Manage

Configuration

NGFW and Prisma Access

Objects

Dynamic User Groups

and

Add

a Dynamic User Group with the required username-to-tag mappings.

Configure the Dynamic User Group as needed and

Save

Select

Manage

Configuration

NGFW and Prisma Access

Identity Services

Identity Redistribution

and select the Configuration Scope where you want to configure identity redistribution.

You can select a folder or firewall from your

Folders

or select

Snippets

to configure identity redistribution in a snippet.

Add Agent

Enter a descriptive

Name

for the agent.

Enter the

Host

IP address.

Enter the

Port

(range is

65535

Select the

Data Type Mapping

IP to User
—IP address-to-username mappings for User-ID.

Host Information Profile (HIP)
—IP address-to-tag mappings for Dynamic Address Groups.

IP to Tag
—Username-to-tag mappings for Dynamic User Groups.

User to Tag
—HIP data from GlobalProtect, which includes HIP objects and profiles.

Quarantined Device List
—Devices that GlobalProtect identifies as quarantined.

Save

(Cloud Management of NGFW only) Enable identity redistribution for firewalls.

Select

Manage

Configuration

NGFW and Prisma Access

Device Settings

Device Setup

Management

and select

Customize

to configure a service route for the

uid-agent

service.

Select the Configuration Scope where you want to create the service route. You can select a folder or firewall from your

Folders

or select

Snippets

to configure the service route in a snippet.

Enable the firewall to respond when other firewalls query it for data to redistribute.

Select

Manage

Configuration

NGFW and Prisma Access

Device Settings

Device Setup

Management

and enable the

User-ID

network service.

Select

Manage

Configuration

NGFW and Prisma Access

Device Settings

Interfaces

to create or select a Layer 3 interface.

Expand the

Advanced Settings

. In

Other

, create or edit the Management Profile to enable

User-ID

Select

Push Config.