Identity Redistribution (NGFW)
Focus
Focus
Strata Cloud Manager

Identity Redistribution (NGFW)

Table of Contents


Identity Redistribution (NGFW)

Streamline resource usage by configuring firewalls to collect mapping information from redistribution.
In a large-scale network, instead of configuring all your firewalls directly to query the mapping information sources, you can streamline resource usage by configuring some firewalls to collect mapping information through redistribution. Data redistribution also provides granularity, allowing you to redistribute only the types of information you specify to only the devices you select. You can also filter the IP user mappings or IP tag mappings using subnets and ranges to ensure the firewalls collect only the mappings they need to enforce policy rules.
To redistribute the data, you can use the following architecture types:
  • Hub and spoke architecture for a single region:
    To redistribute data between firewalls, use a hub and spoke architecture as a best practice. In this configuration, a hub firewall collects the data from sources such as Windows User-ID agents, syslog servers, Domain Controllers, or other firewalls. Configure the redistribution client firewalls to collect the data from the hub firewall.
  • Multi-Hub and spoke architecture for multiple regions:
    If you have firewalls deployed in multiple regions and want to distribute the data to the firewalls in all of these regions so that you can enforce policy rules consistently regardless of where the user logs in, you can use a multihub and spoke architecture for multiple regions.
  • Hierarchical architecture:
    To redistribute data, you can also use a hierarchical architecture. For example, to redistribute data such as User-ID information, organize the redistribution sequence in layers, where each layer has one or more firewalls. In the bottom layer, PAN-OS integrated User-ID agents running on firewalls and Windows-based User-ID agents running on Windows servers map IP addresses to usernames. Each higher layer has firewalls that receive the mapping information and authentication timestamps from up to 100 redistribution points in the layer beneath it. The top-layer firewalls aggregate the mappings and timestamps from all layers. This deployment provides the option to configure policy rules for all users in top-layer firewalls and region- or function-specific policy rules for a subset of users in the corresponding domains served by lower-layer firewalls.
When traffic isn’t being enforced as expected, use Troubleshooting to check the dataplane status of specific firewalls to understand whether there’s a mismatch between expected policies (as configured) and enforced policies.
  1. Log in to Strata Cloud Manager.
  2. Ensure your Strata Cloud Manager deployment meets the requirements to configure identity redistribution.
    1. Configure and activate the Cloud Identity Engine (CIE) for your Strata Cloud Manager tenant.
      This is required to use identity redistribution.
      1. Set Up the Cloud Identity Engine.
    2. Select ManageConfigurationNGFW and Prisma AccessObjectsAddress Groups and Add a Dynamic Address Group with the required IP address-to-tag mappings.
      For the address group Type, select Dynamic. Configure the Dynamic Address Group as needed and Save.
    3. Select ManageConfigurationNGFW and Prisma AccessObjectsDynamic User Groups and Add a Dynamic User Group with the required username-to-tag mappings.
      Configure the Dynamic User Group as needed and Save.
  3. Select ManageConfigurationNGFW and Prisma AccessIdentity ServicesIdentity Redistribution and select the Configuration Scope where you want to configure identity redistribution.
    You can select a folder or firewall from your Folders or select Snippets to configure identity redistribution in a snippet.
  4. Add Agent.
  5. Enter a descriptive Name for the agent.
  6. Enter the Host IP address.
  7. Enter the Port (range is 1-65535).
  8. Select the Data Type Mapping.
    • IP to User—IP address-to-username mappings for User-ID.
    • Host Information Profile (HIP)—IP address-to-tag mappings for Dynamic Address Groups.
    • IP to Tag—Username-to-tag mappings for Dynamic User Groups.
    • User to Tag—HIP data from GlobalProtect, which includes HIP objects and profiles.
    • Quarantined Device List—Devices that GlobalProtect identifies as quarantined.
  9. Save.
  10. (Cloud Management of NGFW only) Enable identity redistribution for firewalls.
    1. Select ManageConfigurationNGFW and Prisma AccessDevice SettingsDevice SetupManagement and select Customize to configure a service route for the uid-agent service.
      Select the Configuration Scope where you want to create the service route. You can select a folder or firewall from your Folders or select Snippets to configure the service route in a snippet.
    2. Enable the firewall to respond when other firewalls query it for data to redistribute.
      1. Select ManageConfigurationNGFW and Prisma AccessDevice SettingsDevice SetupManagement and enable the User-ID network service.
      2. Select ManageConfigurationNGFW and Prisma AccessDevice SettingsInterfaces to create or select a Layer 3 interface.
        Expand the Advanced Settings. In Other, create or edit the Management Profile to enable User-ID.
      • Select