Strata Cloud Manager
Manage: Identity Redistribution
Table of Contents
Manage: Identity Redistribution
Use Strata Cloud Manager to set up and manage identity redistribution for NGFWs and
Prisma Access.
Where Can I Use
This? | What Do I Need? |
|---|---|
|
|
Prisma Access
So that you can enforce your security policy consistently, Prisma Access shares
identity data that GlobalProtect discovers locally across your entire Prisma Access
environment.
So that you can enforce your security policy consistently, Prisma Access shares
identity data that GlobalProtect discovers locally across your entire Prisma Access
environment. Prisma Access can also share identity data with on-premises devices at
remote network sites or service connection sites (HQ and data centers).
For Prisma Access Cloud Management, we’ve enabled some identity data redistribution
by default, and for what’s left, we’ve made the configuration to enable
redistribution very simple (just select a checkbox to select what data you want to
share).
From the Identity Distribution dashboard, you can see how identity data is being
shared and manage data redistribution (.
Identity data that you can redistribute includes:
- HIP data
- IP-address-to-tag mappings
- IP-address-to-user mappings
- User-to-tag mappings
- Quarantined devices
Get started with identity redistribution:
How Identity Redistribution Works
For mobile users to access a resource at a remote network location or HQ/data
center that’s secured by a device with user-based policies, you must
redistribute the identity data from the Prisma Access mobile users and users at
remote networks to that on-premises device.
When the users connect to Prisma Access, Prisma Access collects the user’s
identity data and stores it.
The following example shows two mobile users that have an existing IP
address-to-username mapping in Prisma Access. Prisma Access then redistributes
this mapping by way of a service connection to the on-premises devices that’s
securing the HQ/data center.
Prisma Access Cloud Management automatically enables service connections to work
as identity redistribution agents (also called User-ID agents).
Set Up Identity Redistribution
- Confirm Your Service Connection SetupIf you haven’t yet set up a service connection for your HQ or data centers, begin by configuring a service connection. A service connection is required for Prisma Access to share identity data across your environment; Prisma Access automatically enables service connections to work as redistribution agents. A newly-created service connection site will be ready to be used as a redistribution agent when you see that it's been assigned a User-ID Agent Address (Prisma Access does this automatically, and it'll just take a few minutes). Go to and set the configuration scope toService Connectionsto verify the service connection User-ID agent details.
- Send Identity Data from Prisma Access to On-Premises DevicesThe service connection’s User-ID agent information is all you need to configure Prisma Access to distribute identity data to on-premises devices.Go to and set the configuration scope toService Connectionsto get the service connection User-ID agent details.Use these details to configure Prisma Access as a data redistribution agent on Panorama or a next-gen firewall.
- Send Identity Data from On-Premises Devices to Prisma AccessAdd on-premises devices to Prisma Access as redistribution agents; the devices you add will be able to distribute identity data to Prisma Access.
- From devices at remote network sites:Go to theIdentity Redistributiondashboard, set the configuration scope toRemote Networks, andAdd Agent. In addition to specifying the host details, select the type of data the device shares with Prisma Access. Optional settings include the name and a pre-shared key for the device.
- From devices at service connection sites:Go to theIdentity Redistributiondashboard, set the configuration scope toService Connections, andAdd Agent. In addition to specifying the host details, select the type of data the device shares with Prisma Access. Optional settings include the name and a pre-shared key for the device.
- Configure the Terminal Server Agent for User MappingThe Terminal Server (TS) Agent allocates a port range to each user to identify specific users on Windows-based terminal servers. The TS Agent notifies Prisma Access of the allocated port ranges, so that Prisma Access can enforce policy based on users and user groups.On theIdentity Redistributiondashboard, set the configuration scope toRemote Networks, andAdd Terminal Server AgentunderTerminal Server Sending to Remote Networks Nodes.
- By default, the configuration isEnabled.
- Enter aNamefor the TS Agent.
- Enter the IP address of the WindowsHoston which the TS Agent is installed.
- Enter thePortnumber on which the agent listens for user mapping requests. The port is set to 5009 by default.
- Saveyour changes.
- Distribute Identity Data Across Your Prisma Access EnvironmentOn theIdentity Redistributiondashboard,Editthe diagram to specify the identity data you want to collect from each source and share across Prisma Access.
- To activate your changes, push the configuration to Prisma Access.
NGFWs
Streamline resource usage by configuring firewalls to collect mapping information
from redistribution.
In a large-scale network, instead of configuring all your firewalls directly to query
the mapping information sources, you can streamline resource usage by configuring
some firewalls to collect mapping information through redistribution. Data
redistribution also provides granularity, allowing you to redistribute only the
types of information you specify to only the devices you select. You can also filter
the IP user mappings or IP tag mappings using subnets and ranges to ensure the
firewalls collect only the mappings they need to enforce policy rules.
To redistribute the data, you can use the following architecture types:
- Hub and spoke architecture for a single region:To redistribute data between firewalls, use a hub and spoke architecture as a best practice. In this configuration, a hub firewall collects the data from sources such as Windows User-ID agents, syslog servers, Domain Controllers, or other firewalls. Configure the redistribution client firewalls to collect the data from the hub firewall.
- Multi-Hub and spoke architecture for multiple regions:If you have firewalls deployed in multiple regions and want to distribute the data to the firewalls in all of these regions so that you can enforce policy rules consistently regardless of where the user logs in, you can use a multihub and spoke architecture for multiple regions.
- Hierarchical architecture:To redistribute data, you can also use a hierarchical architecture. For example, to redistribute data such as User-ID information, organize the redistribution sequence in layers, where each layer has one or more firewalls. In the bottom layer, PAN-OS integrated User-ID agents running on firewalls and Windows-based User-ID agents running on Windows servers map IP addresses to usernames. Each higher layer has firewalls that receive the mapping information and authentication timestamps from up to 100 redistribution points in the layer beneath it. The top-layer firewalls aggregate the mappings and timestamps from all layers. This deployment provides the option to configure policy rules for all users in top-layer firewalls and region- or function-specific policy rules for a subset of users in the corresponding domains served by lower-layer firewalls.
When traffic isn’t being enforced as
expected, use
Troubleshooting
to
check the dataplane status of specific firewalls to understand whether there’s a
mismatch between expected policies (as configured) and enforced policies.- Log in toStrata Cloud Manager.
- Ensure yourStrata Cloud Managerdeployment meets the requirements to configure identity redistribution.
- Configure and activate the Cloud Identity Engine (CIE) for yourStrata Cloud Managertenant.This is required to use identity redistribution.
- Select andAdda Dynamic Address Group with the required IP address-to-tag mappings.For the address group Type, selectDynamic. Configure the Dynamic Address Group as needed andSave.
- Select andAdda Dynamic User Group with the required username-to-tag mappings.Configure the Dynamic User Group as needed andSave.
- Select and select the Configuration Scope where you want to configure identity redistribution.You can select a folder or firewall from yourFoldersor selectSnippetsto configure identity redistribution in a snippet.
- Add Agent.
- Enter a descriptiveNamefor the agent.
- Enter theHostIP address.
- Enter thePort(range is1-65535).
- Select theData Type Mapping.
- IP to User—IP address-to-username mappings for User-ID.
- Host Information Profile (HIP)—IP address-to-tag mappings for Dynamic Address Groups.
- IP to Tag—Username-to-tag mappings for Dynamic User Groups.
- User to Tag—HIP data from GlobalProtect, which includes HIP objects and profiles.
- Quarantined Device List—Devices that GlobalProtect identifies as quarantined.
- Save.
- (Cloud Management of NGFW only) Enable identity redistribution for firewalls.
- Select and selectCustomizeto configure a service route for theuid-agentservice.Select the Configuration Scope where you want to create the service route. You can select a folder or firewall from yourFoldersor selectSnippetsto configure the service route in a snippet.
- Enable the firewall to respond when other firewalls query it for data to redistribute.
- Select and enable theUser-IDnetwork service.
- Select to create or select a Layer 3 interface.Expand theAdvanced Settings. InOther, create or edit the Management Profile to enableUser-ID.
- Select