Configure Data Redistribution
Focus
Focus

Configure Data Redistribution

Table of Contents

Configure Data Redistribution

Before you configure data redistribution:
  • Plan the redistribution architecture. Some factors to consider are:
    • Which firewalls will enforce policies for all data types and which firewalls will enforce region- or function-specific policies for a subset of data?
    • How many hops does the redistribution sequence require to aggregate all data? The maximum allowed number of hops for user mappings is ten and the maximum allowed number of hops for IP address-to-username mappings and IP address-to-tag mappings is one.
    • How can you minimize the number of firewalls that query the user mapping information sources? The fewer the number of querying firewalls, the lower the processing load is on both the firewalls and sources.
  • Configure the data sources from which your redistribution agents obtain the data to redistribute to their clients:
  • Configure Authentication Policy.
Data redistribution consists of:
  • The redistribution agent that provides information
  • The redistribution client that receives information
Perform the following steps on the firewalls in the data redistribution sequence.
  1. On a redistribution client firewall, configure a firewall, Panorama, or Windows User-ID agent as a data redistribution agent.
    1. Select DeviceData RedistributionAgents.
    2. Add a redistribution agent and enter a Name.
    3. Confirm that the agent is Enabled.
  2. Add the agent using its Serial Number or its Host and Port.
    • To add an agent using a serial number, select the Serial Number of the firewall you want to use as a redistribution agent.
    • To add an agent using its host and port information:
      1. Enter the information for the Host.
      2. Select whether the host is an LDAP Proxy.
      3. Enter the Port (default is 5007, range is 1—65535).
      4. (Multiple virtual systems only) Enter the Collector Name to identify which virtual system you want to use as a redistribution agent.
      5. (Multiple virtual systems only) Enter and confirm the Collector Pre-Shared Key for the virtual system you want to use as a redistribution agent.
  3. Select one or more Data Type for the agent to redistribute.
    • IP User Mappings—IP address-to-username mappings for User-ID.
    • IP Tags—IP address-to-tag mappings for dynamic address groups.
    • User Tags—Username-to-tag mappings for dynamic user groups.
    • HIP—Host information profile (HIP) data from GlobalProtect, which includes HIP objects and profiles.
    • Quarantine List—Devices that GlobalProtect identifies as quarantined.
  4. (Multiple virtual systems only) Configure a virtual system as a collector that can redistribute data.
    Skip this step if the firewall receives but does not redistribute data.
    You can redistribute information among virtual systems on different firewalls or on the same firewall. In both cases, each virtual system counts as one hop in the redistribution sequence.
    1. Select DeviceData RedistributionCollector Settings.
    2. Edit the Data Redistribution Agent Setup.
    3. Enter a Collector Name and Pre-Shared Key to identify this firewall or virtual system as a User-ID agent.
    4. Click OK to save your changes.
  5. (Optional but recommended) Configure which networks you want to include in data redistribution and which networks you want to exclude from data redistribution.
    You can include or exclude networks and subnetworks when redistributing either IP address-to-tag mappings or IP address-to-username mappings.
    As a best practice, always specify which networks to include and exclude to ensure that the agent is only communicating with internal resources.
    1. Select DeviceData RedistributionInclude/Exclude Networks.
    2. Add an entry and enter a Name.
    3. Confirm that the entry is Enabled.
    4. Select whether you want to Include or Exclude the entry.
    5. Enter the Network Address for the entry.
    6. Click OK.
  6. Configure the service route that the firewall uses to query other firewalls for User-ID information.
    Skip this step if the firewall only receives user mapping information from Windows-based User-ID agents or directly from the information sources (such as directory servers) instead of from other firewalls.
    1. Select DeviceSetupServices.
    2. (Firewalls with multiple virtual systems only) Select Global (for a firewall-wide service route) or Virtual Systems (for a virtual system-specific service route), and then configure the service route.
    3. Click Service Route Configuration, select Customize, and select IPv4 or IPv6 based on your network protocols. Configure the service route for both protocols if your network uses both.
    4. Select UID Agent and then select the Source Interface and Source Address.
    5. Click OK twice to save the service route.
  7. Enable the firewall to respond when other firewalls query it for data to redistribute.
    Skip this step if the firewall receives but does not redistribute data.
    Configure an Interface Management Profile with the User-ID service enabled and assign the profile to a firewall interface.
  8. (Optional but recommended) Use a custom certificate from your enterprise PKI to establish a unique chain of trust from the redistribution client to the redistribution agent.
    1. On the redistribution client firewall, create a custom SSL certificate profile to use for outgoing connections.
    2. Select DeviceSetupManagementSecure Communication Settings.
    3. Edit the settings.
    4. Select the Customize Secure Server Communication option.
    5. Select the Certificate Profile you created in Substep 1.
    6. Click OK.
    7. Customize Communication for Data Redistribution.
    8. Commit your changes.
    9. Enter the following CLI command to confirm the certificate profile (SSL config) uses Custom certificates: show redistribution agent state <agent-name> (where <agent-name> is the name of the redistribution agent or User-ID agent.
  9. (Optional but recommended) Use a custom certificate from your enterprise PKI to establish a unique chain of trust from the redistribution agent to the redistribution client.
    1. On the redistribution agent firewall, create a custom SSL/TLS service profile for the firewall to use for incoming connections.
    2. Select DeviceSetupManagementSecure Communication Settings.
    3. Edit the settings.
    4. Select the Customize Secure Server Communication option.
    5. Select the SSL/TLS Service Profile you created in Step 1.
    6. Click OK.
    7. Commit your changes.
    8. Enter the following CLI command to confirm the certificate profile (SSL config) uses Custom certificates: show redistribution service status.
  10. Verify the agents correctly redistribute data to the clients.
    1. View the agent statistics (DeviceData RedistributionAgents) and select Status to view a summary of the activity for the redistribution agent, such as the number of mappings that the client firewall has received.
    2. Confirm that the Connected status is yes.
    3. On the agent, access the CLI and enter the following CLI command to check the status of the redistribution: show redistribution service status.
    4. On the agent, enter the following CLI command to view the redistribution clients: show redistribution service client all.
    5. On the client, enter the following CLI command to check the status of the redistribution: show redistribution service client all.
    6. Confirm the Source Name in the User-ID logs (MonitorLogsUser-ID) to verify that the firewall receives the mappings from the redistribution agents.
    7. On the client, view the IP-Tag log (MonitorLogsIP-Tag) to confirm that the client firewall receives data.
    8. On the client, enter the following CLI command and verify that the source the firewall receives the mappings From is REDIST: show user ip-user-mapping all.
  11. (Optional) To troubleshoot data redistribution, enable the traceroute option.
    When you enable the traceroute option, the firewall that receives the data appends its IP address to the <route> field, which is a list of all firewall IP addresses that the data has traversed. This option requires that all PAN-OS devices in the redistribution route use PAN-OS version 10.0. If a PAN-OS device in the redistribution route uses PAN-OS 9.1.x or earlier versions, the traceroute information terminates at that device.
    1. On the redistribution agent where the source originates, enter the following CLI command: debug user-id test cp-login traceroute yes ip-address <ip-address> user <username> (where <ip-address> is the IP address of the IP address-to-username mapping you want to verify and <username> is the username of the IP address-to-username mapping you want to verify.
    2. On a client of the firewall where you configured the traceroute, verify the firewall redistributes the data by entering the following CLI command: show user ip-user-mapping all.
      The firewall displays the timestamp for the creation of the mapping (SeqNumber) and whether the user has GlobalProtect (GP User).
      admin > show user ip-user-mapping-mp ip 192.0.2.0
      
      IP address: 	192.0.2.0 (vsys1)
      User: 			jimdoe
      From:			REDIST
      Timeout:		889s
      Created:		11s ago
      Origin:			198.51.100.0
      SeqNumber:		15895329682-67831262
      GP User:		No
      Local HIP:		No
      Route Node 0:	198.51.100.0 (vsys1)
      Route Node 1:	198.51.100.1 (vsys1)