Streamlined and Resilient Redistribution
10.0 (EoL)
Redistribute data by configuring the source once and selecting what type of information the source redistributes.

Data redistribution is now more streamlined to configure and resilient after deployment. You can now configure the source once, then select the type of information you want it to redistribute and which devices should receive the redistributed information from that source, instead of configuring the source for each data type, which is time-consuming and repetitive. You can redistribute:
- User-ID mappings (including Windows User-ID agents)
- IP address-to-tag mappings for dynamic address groups
- username-to-tag mappings for dynamic user groups
- data for HIP-based Policy Enforcement
- device quarantine information (Panorama only)
Data redistribution uses two components:
- The redistribution agent that provides information
- The redistribution client that connects to the agent to receive information
In addition, these improvements help detect and prevent loops in redistribution (where a mapping that does not contain the original source as it traverses the network returns to its source, which could potentially treat it as a new mapping).
- On a redistribution client firewall, configure a firewall, Windows User-ID agent, or Panorama as an agent to redistribute the data to the clients.
  - Select Device > Data Redistribution > Agents on the firewall, or Panorama > Data Redistribution > Agents on Panorama.
  - Add a redistribution agent.
  - Enter a Name for the redistribution agent.
  - Confirm that the agent is Enabled.
  - Select whether you want to add the agent using its Serial Number or its Host and Port numbers.
    - To add an agent using a serial number, select the Serial Number of the firewall or Panorama you want to use as a redistribution agent.
    - To add an agent using its host and port numbers:
      - Enter the Host.
      - Select whether the host is an LDAP Proxy.
      - Enter the Port (range is 1 to 65535).
      - (Virtual systems only) Enter the Collector Name to identify which virtual system you want to use as a redistribution agent.
      - (Virtual systems only) Enter and confirm the Collector Pre-Shared Key for the virtual system you want to use as a redistribution agent.
  - Select the Data type or types you want the agent to redistribute to the client.
    - IP User Mappings—IP address-to-username mappings for User-ID.
    - IP Tags—IP address-to-tag mappings for dynamic address groups.
    - User Tags—Username-to-tag mappings for dynamic user groups.
    - HIP—Host information profile (HIP) data from GlobalProtect, which includes HIP objects and profiles.
    - Quarantine List—Devices that GlobalProtect identifies as compromised.
- (Virtual systems only) Configure a virtual system as a collector that can redistribute data. Skip this step if the firewall receives but does not redistribute data.
  - Select Device > Data Redistribution > Collector Settings, then edit the Data Redistribution Agent Setup.
  - Enter a Collector Name to identify the virtual system that you want to receive redistribution information.
  - Enter and confirm the Collector Pre-Shared Key for the virtual system that you want to receive redistribution information.
  - Click OK.
- (Optional but recommended) Configure which networks you want the agent or agents to include in the data redistribution and which networks you want to exclude from data redistribution. You can include or exclude networks and subnetworks when redistributing either IP address-to-tag mappings or IP address-to-username mappings. As a best practice, always specify which networks to include and exclude from redistribution to ensure that the agent is only communicating with internal resources.
  - Select Device > Data Redistribution > Include/Exclude Networks.
  - Add an entry and enter a Name for the entry.
  - Ensure the entry is Enabled.
  - Select whether you want to Include or Exclude the entry.
  - Enter the Network Address for the entry.
  - Click OK.
- (Optional but recommended) Enable Authentication with Custom Certificates for Redistribution to use a custom certificate for mutual authentication between the redistribution agents and the clients. Because Panorama can be either an agent or a client, use Panorama > Data Redistribution to configure data redistribution on Panorama.
- Commit your changes.
- Verify the agents correctly redistribute data to the clients.
  - View the agent statistics and select Device > Data Redistribution > Agents > Status to view a summary of the activity for the redistribution agent, such as the number of mappings that the client firewall has received.
  - Confirm that the Connected status is yes.
  - Access the CLI and enter the following CLI command on the agent to check the status of the redistribution: show redistribution service status.
  - Enter the following CLI command on the client to check the status of the redistribution: show redistribution service client all.
  - Confirm the Source Name in the User-ID logs (Monitor > Logs > User-ID) to verify that the firewall receives the mappings from the redistribution agents.
  - On the client firewall, view the IP-Tag log (Monitor > Logs > IP-Tag) to confirm that the client firewall receives data.
  - Enter the following CLI command and verify that the source from which the firewall receives the mappings (From) is REDIST: show user ip-user-mapping all.
  - Enter the following CLI command to view the redistribution clients: show redistribution service client all.
- (Optional) To troubleshoot data redistribution, enable the traceroute option. When you enable the traceroute option, the firewall that receives the data appends its IP address to the <route> field, which is a list of all firewall IP addresses that the data has traversed. This option requires that all PAN-OS devices in the redistribution route use PAN-OS version 10.0. If a PAN-OS device in the redistribution route uses PAN-OS 9.1.x or earlier versions, the traceroute information terminates at that device.
  - On the redistribution agent where the source originates, enter the following CLI command: debug user-id test cp-login traceroute yes ip-address <ip-address> user <username> (where <ip-address> is the IP address of the IP address-to-username mapping you want to verify and <username> is the username of the IP address-to-username mapping you want to verify).
  - On a client of the firewall where you configured the traceroute, verify the firewall redistributes the data bidirectionally by entering the following CLI command: show user ip-user-mapping all. The firewall displays the timestamp for the creation of the mapping (SeqNumber) and whether the user has GlobalProtect (GP User).

    ```
    admin > show user ip-user-mapping-mp ip 192.0.2.0
    IP address: 192.0.2.0 (vsys1)
    User: jimdoe
    From: REDIST
    Timeout: 889s
    Created: 11s ago
    Origin: 198.51.100.0
    SeqNumber: 15895329682-67831262
    GP User: No
    Local HIP: No
    Route Node 0: 198.51.100.0 (vsys1)
    Route Node 1: 198.51.100.1 (vsys1)
    ```
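As an added example (not from the PAN-OS documentation or product), a small Python check that parses the mapping record shown in the verification step above, confirms the source is REDIST, applies the loop test described earlier (the receiving firewall's own IP already present in the traversed route), and checks the mapped IP against the configured include/exclude networks; the local firewall IP and the network lists are assumed values.

```python
import ipaddress
import re

# Constructed sample: the mapping record from the page's verification step,
# as displayed on a client firewall with the traceroute option enabled.
SAMPLE_OUTPUT = """\
IP address: 192.0.2.0 (vsys1)
User: jimdoe
From: REDIST
Timeout: 889s
Created: 11s ago
Origin: 198.51.100.0
SeqNumber: 15895329682-67831262
GP User: No
Local HIP: No
Route Node 0: 198.51.100.0 (vsys1)
Route Node 1: 198.51.100.1 (vsys1)
"""


def parse_mapping(text):
    """Parse one 'show user ip-user-mapping' record into a dict.

    'Route Node N' lines (the traceroute <route> field) are collected, in
    order, under the 'route' key; every other 'Key: value' line is stored as-is.
    """
    rec = {"route": []}
    for line in text.splitlines():
        m = re.match(r"Route Node (\d+):\s*(\S+)", line)
        if m:
            rec["route"].append(m.group(2))
            continue
        key, sep, val = line.partition(":")
        if sep:
            rec[key.strip()] = val.strip()
    return rec


def check_mapping(rec, local_ip, include, exclude):
    """Return findings a defender would act on for a received mapping (IPv4 sample)."""
    findings = []
    if rec.get("From") != "REDIST":
        findings.append("source is not REDIST")
    # Loop check: this firewall's own IP already in the traversed route means the
    # mapping has come back to its source and must not be treated as new.
    if local_ip in rec["route"]:
        findings.append("redistribution loop: %s already in route" % local_ip)
    ip = ipaddress.ip_address(rec["IP address"].split()[0])
    # Include/exclude semantics assumed: an empty include list allows every network.
    if include and not any(ip in ipaddress.ip_network(n) for n in include):
        findings.append("mapped IP %s outside included networks" % ip)
    if any(ip in ipaddress.ip_network(n) for n in exclude):
        findings.append("mapped IP %s inside excluded network" % ip)
    return findings
```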