Configure Data Redistribution

Before you configure data redistribution:
  • Plan the redistribution architecture. Some factors to consider are:
    • Which firewalls will enforce policies for all data types and which firewalls will enforce region- or function-specific policies for a subset of data?
    • How many hops does the redistribution sequence require to aggregate all data? The maximum allowed number of hops for user mappings is ten and the maximum allowed number of hops for IP address-to-username mappings and IP address-to-tag mappings is one.
    • How can you minimize the number of firewalls that query the user mapping information sources? The fewer the number of querying firewalls, the lower the processing load is on both the firewalls and sources.
  • Configure the data sources from which your redistribution agents obtain the data to redistribute to their clients.
Data redistribution consists of:
  • The redistribution agent that provides information
  • The redistribution client that receives information
Perform the following steps on the firewalls in the data redistribution sequence.
  1. On a redistribution client firewall, configure a firewall, Panorama, or Windows User-ID agent as a data redistribution agent.
    1. Select Device > Data Redistribution > Agents.
    2. Add a redistribution agent and enter a Name.
    3. Confirm that the agent is Enabled.
  2. Add the agent using its Serial Number or its Host and Port.
    • To add an agent using a serial number, select the Serial Number of the firewall you want to use as a redistribution agent.
    • To add an agent using its host and port information:
      1. Enter the information for the Host.
      2. Select whether the host is an LDAP Proxy.
      3. Enter the Port (default is 5007, range is 1 to 65535).
      4. (Multiple virtual systems only) Enter the Collector Name to identify which virtual system you want to use as a redistribution agent.
      5. (Multiple virtual systems only) Enter and confirm the Collector Pre-Shared Key for the virtual system you want to use as a redistribution agent.
  3. Select one or more Data Type for the agent to redistribute.
    • IP User Mappings—IP address-to-username mappings for User-ID.
    • IP Tags—IP address-to-tag mappings for dynamic address groups.
    • User Tags—Username-to-tag mappings for dynamic user groups.
    • HIP—Host information profile (HIP) data from GlobalProtect, which includes HIP objects and profiles.
    • Quarantine List—Devices that GlobalProtect identifies as quarantined.
  4. (Multiple virtual systems only) Configure a virtual system as a collector that can redistribute data.
    Skip this step if the firewall receives but does not redistribute data.
    You can redistribute information among virtual systems on different firewalls or on the same firewall. In both cases, each virtual system counts as one hop in the redistribution sequence.
    1. Select Device > Data Redistribution > Collector Settings.
    2. Edit the Data Redistribution Agent Setup.
    3. Enter a Collector Name and Pre-Shared Key to identify this firewall or virtual system as a User-ID agent.
    4. Click OK to save your changes.
  5. (Optional but recommended) Configure which networks you want to include in data redistribution and which networks you want to exclude from data redistribution.
    You can include or exclude networks and subnetworks when redistributing either IP address-to-tag mappings or IP address-to-username mappings.
    As a best practice, always specify which networks to include and exclude to ensure that the agent is only communicating with internal resources.
    1. Select Device > Data Redistribution > Include/Exclude Networks.
    2. Add an entry and enter a Name.
    3. Confirm that the entry is Enabled.
    4. Select whether you want to Include or Exclude the entry.
    5. Enter the Network Address for the entry.
    6. Click OK.
  6. Configure the service route that the firewall uses to query other firewalls for User-ID information.
    Skip this step if the firewall only receives user mapping information from Windows-based User-ID agents or directly from the information sources (such as directory servers) instead of from other firewalls.
    1. Select Device > Setup > Services.
    2. (Firewalls with multiple virtual systems only) Select Global (for a firewall-wide service route) or Virtual Systems (for a virtual system-specific service route), and then configure the service route.
    3. Click Service Route Configuration, select Customize, and select IPv4 or IPv6 based on your network protocols. Configure the service route for both protocols if your network uses both.
    4. Select UID Agent and then select the Source Interface and Source Address.
    5. Click OK twice to save the service route.
  7. Enable the firewall to respond when other firewalls query it for data to redistribute.
    Skip this step if the firewall receives but does not redistribute data.
    Configure an Interface Management Profile with the User-ID service enabled and assign the profile to a firewall interface.
  8. (Optional but recommended) Use a custom certificate from your enterprise PKI to establish a unique chain of trust from the redistribution client to the redistribution agent.
    1. On the redistribution client firewall, create a custom SSL certificate profile to use for outgoing connections.
    2. Select Device > Setup > Management > Secure Communication Settings.
    3. Edit the settings.
    4. Select the Customize Secure Server Communication option.
    5. Select the Certificate Profile you created in Substep 1.
    6. Click OK.
    7. Customize Communication for Data Redistribution.
    8. Commit your changes.
    9. Enter the following CLI command to confirm the certificate profile (SSL config) uses Custom certificates:
      show redistribution agent state <agent-name>
      (where <agent-name> is the name of the redistribution agent or User-ID agent).
  9. (Optional but recommended) Use a custom certificate from your enterprise PKI to establish a unique chain of trust from the redistribution agent to the redistribution client.
    1. On the redistribution agent firewall, create a custom SSL/TLS service profile for the firewall to use for incoming connections.
    2. Select Device > Setup > Management > Secure Communication Settings.
    3. Edit the settings.
    4. Select the Customize Secure Server Communication option.
    5. Select the SSL/TLS Service Profile you created in Step 1.
    6. Click OK.
    7. Commit your changes.
    8. Enter the following CLI command to confirm the certificate profile (SSL config) uses Custom certificates:
      show redistribution service status
  10. Verify the agents correctly redistribute data to the clients.
    1. View the agent statistics (Device > Data Redistribution > Agents) and select Status to view a summary of the activity for the redistribution agent, such as the number of mappings that the client firewall has received.
    2. Confirm that the Connected status is yes.
    3. On the agent, access the CLI and enter the following CLI command to check the status of the redistribution:
      show redistribution service status
    4. On the agent, enter the following CLI command to view the redistribution clients:
      show redistribution service client all
    5. On the client, enter the following CLI command to check the status of the redistribution:
      show redistribution service client all
    6. Confirm the Source Name in the User-ID logs (Monitor > Logs > User-ID) to verify that the firewall receives the mappings from the redistribution agents.
    7. On the client, view the IP-Tag log (Monitor > Logs > IP-Tag) to confirm that the client firewall receives data.
    8. On the client, enter the following CLI command and verify that the source the firewall receives the mappings From is REDIST:
      show user ip-user-mapping all
  11. (Optional) To troubleshoot data redistribution, enable the traceroute option.
    When you enable the traceroute option, the firewall that receives the data appends its IP address to the <route> field, which is a list of all firewall IP addresses that the data has traversed. This option requires that all PAN-OS devices in the redistribution route use PAN-OS version 10.0. If a PAN-OS device in the redistribution route uses PAN-OS 9.1.x or earlier versions, the traceroute information terminates at that device.
    1. On the redistribution agent where the source originates, enter the following CLI command:
      debug user-id test cp-login traceroute yes ip-address <ip-address> user <username>
      (where <ip-address> is the IP address of the IP address-to-username mapping you want to verify and <username> is the username of the IP address-to-username mapping you want to verify).
    2. On a client of the firewall where you configured the traceroute, verify the firewall redistributes the data by entering the following CLI command:
      show user ip-user-mapping all
      The firewall displays the timestamp for the creation of the mapping (SeqNumber) and whether the user has GlobalProtect (GP User).
      admin > show user ip-user-mapping-mp ip 192.0.2.0
      IP address:     192.0.2.0 (vsys1)
      User:           jimdoe
      From:           REDIST
      Timeout:        889s
      Created:        11s ago
      Origin:         198.51.100.0
      SeqNumber:      15895329682-67831262
      GP User:        No
      Local HIP:      No
      Route Node 0:   198.51.100.0 (vsys1)
      Route Node 1:   198.51.100.1 (vsys1)