Configure Data Redistribution
Next-Generation Firewall Docs, PAN-OS 11.0 (EoL)
Before you configure data redistribution:
- Plan the redistribution architecture. Some factors to consider are:
  - Which firewalls will enforce policies for all data types and which firewalls will enforce region- or function-specific policies for a subset of data?
  - How many hops does the redistribution sequence require to aggregate all data? The maximum allowed number of hops for user mappings is ten and the maximum allowed number of hops for IP address-to-username mappings and IP address-to-tag mappings is one.
  - How can you minimize the number of firewalls that query the user mapping information sources? The fewer the number of querying firewalls, the lower the processing load is on both the firewalls and sources.
- Configure the data sources from which your redistribution agents obtain the data to redistribute to their clients:
  - user mappings from PAN-OS Integrated User-ID agents or Windows-based User-ID agents
  - IP address-to-tag mappings for dynamic address groups
  - username-to-tag mappings for dynamic user groups
  - GlobalProtect for HIP-based Policy Enforcement
  - data for device quarantine (Panorama only)
- Configure Authentication Policy.

Data redistribution consists of:
- The redistribution agent that provides information
- The redistribution client that receives information

Perform the following steps on the firewalls in the data redistribution sequence.

1. On a redistribution client firewall, configure a firewall, Panorama, or Windows User-ID agent as a data redistribution agent.
   - Select Device > Data Redistribution > Agents.
   - Add a redistribution agent and enter a Name.
   - Confirm that the agent is Enabled.
   - Add the agent using its Serial Number or its Host and Port.
     - To add an agent using a serial number, select the Serial Number of the firewall you want to use as a redistribution agent.
     - To add an agent using its host and port information:
       - Enter the information for the Host.
       - Select whether the host is an LDAP Proxy.
       - Enter the Port (default is 5007, range is 1-65535).
       - (Multiple virtual systems only) Enter the Collector Name to identify which virtual system you want to use as a redistribution agent.
       - (Multiple virtual systems only) Enter and confirm the Collector Pre-Shared Key for the virtual system you want to use as a redistribution agent.
   - Select one or more Data Type for the agent to redistribute.
     - IP User Mappings—IP address-to-username mappings for User-ID.
     - IP Tags—IP address-to-tag mappings for dynamic address groups.
     - User Tags—Username-to-tag mappings for dynamic user groups.
     - HIP—Host information profile (HIP) data from GlobalProtect, which includes HIP objects and profiles.
     - Quarantine List—Devices that GlobalProtect identifies as quarantined.
2. (Multiple virtual systems only) Configure a virtual system as a collector that can redistribute data. Skip this step if the firewall receives but does not redistribute data. You can redistribute information among virtual systems on different firewalls or on the same firewall. In both cases, each virtual system counts as one hop in the redistribution sequence.
   - Select Device > Data Redistribution > Collector Settings.
   - Edit the Data Redistribution Agent Setup.
   - Enter a Collector Name and Pre-Shared Key to identify this firewall or virtual system as a User-ID agent.
   - Click OK to save your changes.
3. (Optional but recommended) Configure which networks you want to include in data redistribution and which networks you want to exclude from data redistribution. You can include or exclude networks and subnetworks when redistributing either IP address-to-tag mappings or IP address-to-username mappings. As a best practice, always specify which networks to include and exclude to ensure that the agent is only communicating with internal resources.
   - Select Device > Data Redistribution > Include/Exclude Networks.
   - Add an entry and enter a Name.
   - Confirm that the entry is Enabled.
   - Select whether you want to Include or Exclude the entry.
   - Enter the Network Address for the entry.
   - Click OK.
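The Include/Exclude Networks step above leaves the precedence rules implicit. The following script is an added example, not Palo Alto Networks documentation or product code: it evaluates a list of constructed include/exclude entries (same fields as the web interface: Name, Enabled, Include/Exclude, Network Address) against candidate mapping addresses, and audits the include list against the "internal resources only" best practice. The precedence rules in the `in_scope` docstring and the set of private ranges are assumptions made for the example.

```python
import ipaddress

# Constructed sample entries in the shape of Device > Data Redistribution >
# Include/Exclude Networks rows. Addresses are RFC 1918 / RFC 5737 / RFC 4193 ranges.
SAMPLE_ENTRIES = [
    {"name": "corp-lan",    "enabled": True,  "action": "include", "network": "10.0.0.0/8"},
    {"name": "guest-wifi",  "enabled": True,  "action": "exclude", "network": "10.200.0.0/16"},
    {"name": "corp-ula",    "enabled": True,  "action": "include", "network": "fd12:3456::/32"},
    {"name": "lab",         "enabled": False, "action": "include", "network": "192.0.2.0/24"},
    {"name": "public-oops", "enabled": True,  "action": "include", "network": "203.0.113.0/24"},
]

# Assumed definition of "internal" address space for the audit below.
PRIVATE_RANGES = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")
]


def _active(entries, action):
    """Networks of Enabled entries with the given action (include/exclude)."""
    return [
        ipaddress.ip_network(e["network"], strict=False)
        for e in entries
        if e["enabled"] and e["action"] == action
    ]


def in_scope(ip, entries):
    """Return True if a mapping for `ip` should be redistributed.

    Assumed semantics for the example:
    - only Enabled entries count;
    - a matching Exclude entry wins over any Include entry;
    - once at least one Include entry exists, addresses that match no
      Include entry are dropped; with no Include entries, everything not
      explicitly excluded stays in scope.
    Address-family mismatches (IPv4 address vs IPv6 network) never match.
    """
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in _active(entries, "exclude")):
        return False
    includes = _active(entries, "include")
    if includes:
        return any(addr in net for net in includes)
    return True


def public_includes(entries):
    """Names of Enabled Include entries that reach outside private address space.

    Supports the best practice above: a redistribution agent should only be
    talking to internal resources, so an Include entry outside the private
    ranges deserves a second look before commit.
    """
    flagged = []
    for e in entries:
        if not e["enabled"] or e["action"] != "include":
            continue
        net = ipaddress.ip_network(e["network"], strict=False)
        private = any(
            net.subnet_of(r) for r in PRIVATE_RANGES if r.version == net.version
        )
        if not private:
            flagged.append(e["name"])
    return flagged


if __name__ == "__main__":
    for ip in ("10.1.2.3", "10.200.5.5", "192.0.2.10", "172.16.0.1", "fd12:3456::10"):
        print(f"{ip:>16} in scope: {in_scope(ip, SAMPLE_ENTRIES)}")
    print("include entries outside private space:", public_includes(SAMPLE_ENTRIES))
```

Run against your own exported entries before committing; any name reported by `public_includes` is an include range the agent would redistribute mappings for even though it is not internal address space.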
4. Configure the service route that the firewall uses to query other firewalls for User-ID information. Skip this step if the firewall only receives user mapping information from Windows-based User-ID agents or directly from the information sources (such as directory servers) instead of from other firewalls.
   - Select Device > Setup > Services.
   - (Firewalls with multiple virtual systems only) Select Global (for a firewall-wide service route) or Virtual Systems (for a virtual system-specific service route), and then configure the service route.
   - Click Service Route Configuration, select Customize, and select IPv4 or IPv6 based on your network protocols. Configure the service route for both protocols if your network uses both.
   - Select UID Agent and then select the Source Interface and Source Address.
   - Click OK twice to save the service route.
5. Enable the firewall to respond when other firewalls query it for data to redistribute. Skip this step if the firewall receives but does not redistribute data. Configure an Interface Management Profile with the User-ID service enabled and assign the profile to a firewall interface.
6. (Optional but recommended) Use a custom certificate from your enterprise PKI to establish a unique chain of trust from the redistribution client to the redistribution agent.
   - On the redistribution client firewall, create a custom SSL certificate profile to use for outgoing connections.
   - Select Device > Setup > Management > Secure Communication Settings.
   - Edit the settings.
   - Select the Customize Secure Server Communication option.
   - Select the Certificate Profile you created in Substep 1.
   - Click OK.
   - Customize Communication for Data Redistribution.
   - Commit your changes.
   - Enter the following CLI command to confirm that the certificate profile (SSL config) uses Custom certificates: show redistribution agent state <agent-name> (where <agent-name> is the name of the redistribution agent or User-ID agent).
7. (Optional but recommended) Use a custom certificate from your enterprise PKI to establish a unique chain of trust from the redistribution agent to the redistribution client.
   - On the redistribution agent firewall, create a custom SSL/TLS service profile for the firewall to use for incoming connections.
   - Select Device > Setup > Management > Secure Communication Settings.
   - Edit the settings.
   - Select the Customize Secure Server Communication option.
   - Select the SSL/TLS Service Profile you created in Substep 1.
   - Click OK.
   - Commit your changes.
   - Enter the following CLI command to confirm that the certificate profile (SSL config) uses Custom certificates: show redistribution service status.
8. Verify that the agents correctly redistribute data to the clients.
   - View the agent statistics (Device > Data Redistribution > Agents) and select Status to view a summary of the activity for the redistribution agent, such as the number of mappings that the client firewall has received.
   - Confirm that the Connected status is yes.
   - On the agent, access the CLI and enter the following command to check the status of the redistribution: show redistribution service status.
   - On the agent, enter the following CLI command to view the redistribution clients: show redistribution service client all.
   - On the client, enter the following CLI command to check the status of the redistribution: show redistribution service client all.
   - Confirm the Source Name in the User-ID logs (Monitor > Logs > User-ID) to verify that the firewall receives the mappings from the redistribution agents.
   - On the client, view the IP-Tag log (Monitor > Logs > IP-Tag) to confirm that the client firewall receives data.
   - On the client, enter the following CLI command and verify that the From field (the source from which the firewall received each mapping) is REDIST: show user ip-user-mapping all.
9. (Optional) To troubleshoot data redistribution, enable the traceroute option. When you enable the traceroute option, the firewall that receives the data appends its IP address to the <route> field, which is a list of all firewall IP addresses that the data has traversed. This option requires that all PAN-OS devices in the redistribution route use PAN-OS version 10.0. If a PAN-OS device in the redistribution route uses PAN-OS 9.1.x or earlier versions, the traceroute information terminates at that device.
   - On the redistribution agent where the source originates, enter the following CLI command: debug user-id test cp-login traceroute yes ip-address <ip-address> user <username> (where <ip-address> is the IP address of the IP address-to-username mapping you want to verify and <username> is the username of the IP address-to-username mapping you want to verify).
   - On a client of the firewall where you configured the traceroute, verify that the firewall redistributes the data by entering the following CLI command: show user ip-user-mapping all. The firewall displays the timestamp for the creation of the mapping (SeqNumber) and whether the user has GlobalProtect (GP User).

     admin> show user ip-user-mapping-mp ip 192.0.2.0
     IP address: 192.0.2.0 (vsys1)
     User: jimdoe
     From: REDIST
     Timeout: 889s
     Created: 11s ago
     Origin: 198.51.100.0
     SeqNumber: 15895329682-67831262
     GP User: No
     Local HIP: No
     Route Node 0: 198.51.100.0 (vsys1)
     Route Node 1: 198.51.100.1 (vsys1)
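The verification and traceroute steps above both end with reading `show user ip-user-mapping` output by eye. The following script is an added example, not Palo Alto Networks documentation or product code: it parses a record in the shape of the output shown above (the sample text is constructed from it, with RFC 5737 addresses) into a dictionary, pulls the Route Node lines into an ordered path, and flags a mapping that was not learned via REDIST, has already timed out, or has traversed more than the ten-hop limit stated in the planning notes. Treating Route Node 0 as the originating agent (so hops = nodes - 1) is an assumption made for the example.

```python
import re

# Constructed sample record in the shape of `show user ip-user-mapping` output
# on a redistribution client. Addresses are RFC 5737 documentation ranges.
SAMPLE_OUTPUT = """\
IP address: 192.0.2.0 (vsys1)
User: jimdoe
From: REDIST
Timeout: 889s
Created: 11s ago
Origin: 198.51.100.0
SeqNumber: 15895329682-67831262
GP User: No
Local HIP: No
Route Node 0: 198.51.100.0 (vsys1)
Route Node 1: 198.51.100.1 (vsys1)
"""

MAX_USER_MAPPING_HOPS = 10  # limit given in the planning notes above

ROUTE_NODE = re.compile(r"Route Node (\d+)")


def parse_mapping(text):
    """Turn one mapping record into a dict.

    Plain "Key: value" lines are kept as-is; "Route Node N" lines are
    collected (in index order) under the "route" key as a list of
    addresses, with the trailing "(vsysN)" tag dropped.
    """
    fields = {}
    route = []
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        m = ROUTE_NODE.fullmatch(key)
        if m:
            route.append((int(m.group(1)), value.split()[0]))
            continue
        fields[key] = value
    fields["route"] = [addr for _, addr in sorted(route)]
    return fields


def mapping_hops(mapping):
    """Assumed for the example: Route Node 0 is the originating agent."""
    return max(len(mapping["route"]) - 1, 0)


def verify_redistributed(mapping):
    """Return a list of problems; an empty list means the mapping looks healthy."""
    problems = []
    source = mapping.get("From")
    if source != "REDIST":
        problems.append(f"mapping learned from {source!r}, not from a redistribution agent")
    timeout = mapping.get("Timeout", "")
    if timeout.endswith("s") and timeout[:-1].isdigit() and int(timeout[:-1]) <= 0:
        problems.append("mapping has already timed out")
    hops = mapping_hops(mapping)
    if hops > MAX_USER_MAPPING_HOPS:
        problems.append(f"{hops} hops exceeds the {MAX_USER_MAPPING_HOPS}-hop limit")
    return problems


if __name__ == "__main__":
    record = parse_mapping(SAMPLE_OUTPUT)
    print(f"{record['IP address']} -> {record['User']} via {record['From']}, "
          f"{mapping_hops(record)} hop(s): {' > '.join(record['route'])}")
    print("problems:", verify_redistributed(record) or "none")
```

To check a whole client, paste the output of `show user ip-user-mapping all` and split it into per-address records before calling `parse_mapping` on each; anything `verify_redistributed` reports is a mapping to chase back along its route.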