Streamlined and Resilient Redistribution

On a redistribution client firewall, configure a firewall, Windows User-ID agent, or Panorama as an agent to redistribute the data to the clients.

Select
Device
Data Redistribution
Agents
on the firewall or
Panorama
Data Redistribution
Agents
for Panorama.
Add
a redistribution agent.
Enter a
Name
for the redistribution agent.
Confirm that the agent is
Enabled
.

Select whether you want to add the agent using its

Serial Number

or its

Host and Port

numbers.

To add an agent using a serial number, select the
Serial Number
of the firewall or Panorama you want to use as a redistribution agent.
To add an agent using its host and port numbers:

Enter the
Host
Select whether the host is an
LDAP Proxy
.
Enter the
Port
(range is 1 to 65535).
(
Virtual systems only
) Enter the
Collector Name
to identify which virtual system you want to use as a redistribution agent.
(
Virtual systems only
) Enter and confirm the
Collector Pre-Shared Key
for the virtual system you want to use as a redistribution agent.

Select the

Data type

or types you want the agent to redistribute to the client.

IP User Mappings
—IP address-to-username mappings for User-ID.
IP Tags
—IP address-to-tag mappings for dynamic address groups.
User Tags
—Username-to-tag mappings for dynamic user groups.
HIP
—Host information profile (HIP) data from GlobalProtect, which includes HIP objects and profiles.
Quarantine List
—Devices that GlobalProtect identifies as compromised.

(

Virtual systems only

) Configure a virtual system as a collector that can redistribute data.

Skip this step if the firewall receives but does not redistribute data.

Select
Device
Data Redistribution
Collector Settings
, then edit the
Data Redistribution Agent Setup
.
Enter a
Collector Name
to identify the virtual system that you want receive redistribution information.
Enter and confirm the
Collector Pre-Shared Key
for the virtual system that you want receive redistribution information.
Click
OK
.

(

Optional but recommended

) Configure which networks you want the agent or agents to include in the data redistribution and which networks you want to exclude from data redistribution.

You can include or exclude networks and subnetworks when redistributing either IP address-to-tag mappings or IP address-to-username mappings.

As a best practice, always specify which networks to include and exclude from redistribution to ensure that the agent is only communicating with internal resources.

Select
Device
Data Redistribution
Include/Exclude Networks
.
Add
an entry and enter a
Name
for the entry.
Ensure the entry is
Enabled
.
Select whether you want to
Include
or
Exclude
the entry.
Enter the
Network Address
for the entry.
Click
OK
.

(

Optional but recommended

) Enable Authentication with Custom Certificates for Redistribution to use a custom certificate for mutual authentication between the redistribution agents and the clients.

Because Panorama can be either an agent or a client, use

Panorama

Data Redistribution

to configure data redistribution on Panorama.

Commit

your changes.

Verify the agents correctly redistribute data to the clients.

View the agent statistics
Device
Data Redistribution
Agents
and select
Status
to view a summary of the activity for the redistribution agent, such as the number of mappings that the client firewall has received.
Confirm that the
Connected
status is
yes
.
Access the CLI and enter the following CLI command on the agent to check the status of the redistribution:
show redistribution service status
.
Enter the following CLI command on the client to check the status of the redistribution:
show redistribution service client all
.
Confirm the
Source Name
in the User-ID logs (
Monitor
Logs
User-ID
) to verify that the firewall receives the mappings from the redistribution agents.
On the client firewall, view the IP-Tag log (
Monitor
Logs
IP-Tag
) to confirm that the client firewall receives data.
Enter the following CLI command and verify that the source the firewall receives the mappings
From
is
REDIST
:
show user ip-user-mapping all
.
Enter the following CLI command to view the redistribution clients:
show redistribution service client all
.

(

Optional

) To troubleshoot data redistribution, enable the traceroute option.

When you enable the traceroute option, the firewall that receives the data appends its IP address to the

<route>

field, which is a list of all firewall IP addresses that the data has traversed. This option requires that all PAN-OS devices in the redistribution route use PAN-OS version 10.0. If a PAN-OS device in the redistribution route uses PAN-OS 9.1.x or earlier versions, the traceroute information terminates at that device.

On the redistribution agent where the source originates, enter the following CLI command:

debug user-id test cp-login traceroute yes ip-address

<ip-address>

user

<username>

(where

<ip-address>

is the IP address of the IP address-to-username mapping you want to verify and

<username>

is the username of the IP address-to-username mapping you want to verify.

On a client of the firewall where you configured the traceroute, verify the firewall redistributes the data bidirectionally by entering the following CLI command:

show user ip-user-mapping all

.

The firewall displays the timestamp for the creation of the mapping (

SeqNumber

) and whether the user has GlobalProtect (

GP User

).

admin > show user ip-user-mapping-mp ip 192.0.2.0

IP address: 	192.0.2.0 (vsys1)
User: 			jimdoe
From:			REDIST
Timeout:		889s
Created:		11s ago
Origin:			198.51.100.0
SeqNumber:		15895329682-67831262
GP User:		No
Local HIP:		No
Route Node 0:	198.51.100.0 (vsys1)
Route Node 1:	198.51.100.1 (vsys1)