Streamlined and Resilient Redistribution

Redistribute data by configuring the source once and selecting what type of information the source redistributes.
Data redistribution is now more streamlined to configure and more resilient after deployment. You configure the source once, then select the type of information you want it to redistribute and which devices should receive the redistributed information from that source, instead of configuring the source separately for each data type, which is time-consuming and repetitive.
You can redistribute IP address-to-username mappings, IP address-to-tag mappings, username-to-tag mappings, HIP data, and the GlobalProtect quarantine list.
Data redistribution uses two components:
  • The redistribution agent that provides information
  • The redistribution client that connects to the agent to receive information
In addition, these improvements help detect and prevent loops in redistribution, where a mapping whose route does not record the original source traverses the network and returns to that source, which could then treat it as a new mapping.
  1. On a redistribution client firewall, configure a firewall, Windows User-ID agent, or Panorama as an agent to redistribute the data to the clients.
    1. Select Device > Data Redistribution > Agents on the firewall, or Panorama > Data Redistribution > Agents for Panorama.
    2. Add a redistribution agent.
    3. Enter a Name for the redistribution agent.
    4. Confirm that the agent is Enabled.
  2. Select whether you want to add the agent using its Serial Number or its Host and Port numbers.
    • To add an agent using a serial number, select the Serial Number of the firewall or Panorama you want to use as a redistribution agent.
    • To add an agent using its host and port numbers:
      1. Enter the Host.
      2. Select whether the host is an LDAP Proxy.
      3. Enter the Port (range is 1 to 65535).
      4. (Virtual systems only) Enter the Collector Name to identify which virtual system you want to use as a redistribution agent.
      5. (Virtual systems only) Enter and confirm the Collector Pre-Shared Key for the virtual system you want to use as a redistribution agent.
  3. Select the Data type or types you want the agent to redistribute to the client.
    • IP User Mappings: IP address-to-username mappings for User-ID.
    • IP Tags: IP address-to-tag mappings for dynamic address groups.
    • User Tags: Username-to-tag mappings for dynamic user groups.
    • HIP: Host information profile (HIP) data from GlobalProtect, which includes HIP objects and profiles.
    • Quarantine List: Devices that GlobalProtect identifies as compromised.
  4. (Virtual systems only) Configure a virtual system as a collector that can redistribute data.
    Skip this step if the firewall receives but does not redistribute data.
    1. Select Device > Data Redistribution > Collector Settings, then edit the Data Redistribution Agent Setup.
    2. Enter a Collector Name to identify the virtual system that you want to receive redistribution information.
    3. Enter and confirm the Collector Pre-Shared Key for the virtual system that you want to receive redistribution information.
    4. Click OK.
  5. (Optional but recommended) Configure which networks you want the agent or agents to include in the data redistribution and which networks you want to exclude from data redistribution.
    You can include or exclude networks and subnetworks when redistributing either IP address-to-tag mappings or IP address-to-username mappings.
    As a best practice, always specify which networks to include and exclude from redistribution to ensure that the agent is only communicating with internal resources.
    1. Select Device > Data Redistribution > Include/Exclude Networks.
    2. Add an entry and enter a Name for the entry.
    3. Ensure the entry is Enabled.
    4. Select whether you want to Include or Exclude the entry.
    5. Enter the Network Address for the entry.
    6. Click OK.
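    As an added example (not part of this PAN-OS documentation and not product code), the following Python models the Include/Exclude Networks entries from this step with the fields the step names (Name, Enabled, Include/Exclude, Network Address), decides whether a mapping for a given address would be redistributed, and applies the best practice above by flagging include entries that are not internal address space. The precedence rule (an exclude match wins, then the address must fall inside an include if any include entries exist), the sample entries, and the list of internal ranges are assumptions of the example, not documented product behaviour.

```python
import ipaddress

# Constructed sample entries, modelled on the Include/Exclude Networks fields
# (Device > Data Redistribution > Include/Exclude Networks). Not real config.
SAMPLE_ENTRIES = [
    {"name": "corp-lan",   "enabled": True,  "action": "include", "network": "10.0.0.0/8"},
    {"name": "guest-wifi", "enabled": True,  "action": "exclude", "network": "10.250.0.0/16"},
    {"name": "old-dc",     "enabled": False, "action": "include", "network": "172.16.0.0/12"},
]

# Assumed definition of "internal resources": RFC 1918 space plus IPv6 ULA.
INTERNAL_RANGES = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")
]


def parse_entries(entries):
    """Return (includes, excludes) as ip_network lists, skipping disabled entries."""
    includes, excludes = [], []
    for entry in entries:
        if not entry["enabled"]:
            continue
        net = ipaddress.ip_network(entry["network"], strict=False)
        (includes if entry["action"] == "include" else excludes).append(net)
    return includes, excludes


def should_redistribute(ip, includes, excludes):
    """Assumed policy (example's own, not documented behaviour):
    - an address inside any exclude entry is never redistributed;
    - if at least one include entry exists, the address must fall inside one;
    - with no include entries, everything not excluded passes."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in excludes):
        return False
    if includes:
        return any(addr in net for net in includes)
    return True


def non_internal_includes(includes):
    """Best-practice check: include entries that are not wholly inside an
    internal range, i.e. networks an agent should normally not be talking to."""
    flagged = []
    for net in includes:
        inside = any(net.version == rng.version and net.subnet_of(rng)
                     for rng in INTERNAL_RANGES)
        if not inside:
            flagged.append(str(net))
    return flagged


if __name__ == "__main__":
    inc, exc = parse_entries(SAMPLE_ENTRIES)
    for ip in ("10.1.2.3", "10.250.4.5", "192.168.1.1"):
        print(ip, "redistribute" if should_redistribute(ip, inc, exc) else "drop")
    print("non-internal include entries:", non_internal_includes(inc))
```

    Running the block against the constructed entries redistributes 10.1.2.3, drops 10.250.4.5 (excluded subnet) and 192.168.1.1 (outside every include), and reports no non-internal includes; adding an include such as 203.0.113.0/24 would be flagged.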
  6. (Optional but recommended) Enable Authentication with Custom Certificates for Redistribution to use a custom certificate for mutual authentication between the redistribution agents and the clients.
    Because Panorama can be either an agent or a client, use Panorama > Data Redistribution to configure data redistribution on Panorama.
  7. Commit your changes.
  8. Verify the agents correctly redistribute data to the clients.
    1. View the agent statistics (Device > Data Redistribution > Agents) and select Status to view a summary of the activity for the redistribution agent, such as the number of mappings that the client firewall has received.
    2. Confirm that the Connected status is yes.
    3. Access the CLI and enter the following CLI command on the agent to check the status of the redistribution: show redistribution service status.
    4. Enter the following CLI command on the client to check the status of the redistribution: show redistribution service client all.
    5. Confirm the Source Name in the User-ID logs (Monitor > Logs > User-ID) to verify that the firewall receives the mappings from the redistribution agents.
    6. On the client firewall, view the IP-Tag log (Monitor > Logs > IP-Tag) to confirm that the client firewall receives data.
    7. Enter the following CLI command and verify that the source the firewall receives the mappings From is REDIST: show user ip-user-mapping all.
    8. Enter the following CLI command to view the redistribution clients: show redistribution service client all.
  9. (Optional) To troubleshoot data redistribution, enable the traceroute option.
    When you enable the traceroute option, the firewall that receives the data appends its IP address to the <route> field, which is a list of all firewall IP addresses that the data has traversed. This option requires that all PAN-OS devices in the redistribution route use PAN-OS version 10.0. If a PAN-OS device in the redistribution route uses PAN-OS 9.1.x or earlier versions, the traceroute information terminates at that device.
    1. On the redistribution agent where the source originates, enter the following CLI command: debug user-id test cp-login traceroute yes ip-address <ip-address> user <username> (where <ip-address> is the IP address of the IP address-to-username mapping you want to verify and <username> is the username of the IP address-to-username mapping you want to verify).
    2. On a client of the firewall where you configured the traceroute, verify the firewall redistributes the data bidirectionally by entering the following CLI command: show user ip-user-mapping all.
      The firewall displays the timestamp for the creation of the mapping (SeqNumber) and whether the user has GlobalProtect (GP User).
      admin > show user ip-user-mapping-mp ip 192.0.2.0
      IP address: 192.0.2.0 (vsys1)
      User: jimdoe
      From: REDIST
      Timeout: 889s
      Created: 11s ago
      Origin: 198.51.100.0
      SeqNumber: 15895329682-67831262
      GP User: No
      Local HIP: No
      Route Node 0: 198.51.100.0 (vsys1)
      Route Node 1: 198.51.100.1 (vsys1)
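    The following Python, added here as an example rather than taken from the documentation or from PAN-OS, parses a constructed copy of the traceroute-enabled mapping output shown above, confirms the mapping arrived From REDIST, checks that Origin matches the first route node, and looks for the loop condition described in this section: the local firewall already present in the route, or a hop that repeats. The field names follow the output shown; the sample text, the function names, and the loop rule are the example's own assumptions.

```python
import re

# Constructed sample, modelled on the `show user ip-user-mapping` output
# shown in the procedure (not captured from a real device).
SAMPLE_OUTPUT = """\
IP address: 192.0.2.0 (vsys1)
User: jimdoe
From: REDIST
Timeout: 889s
Created: 11s ago
Origin: 198.51.100.0
SeqNumber: 15895329682-67831262
GP User: No
Local HIP: No
Route Node 0: 198.51.100.0 (vsys1)
Route Node 1: 198.51.100.1 (vsys1)
"""

# Constructed variant in which the mapping has come back through the origin.
LOOPED_OUTPUT = SAMPLE_OUTPUT + "Route Node 2: 198.51.100.0 (vsys1)\n"

ROUTE_NODE = re.compile(r"^Route Node (\d+):\s*(\S+)")


def parse_mapping(text):
    """Turn one mapping's output into a dict of fields plus an ordered
    'route' list of the firewall IP addresses recorded by traceroute."""
    fields, route = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        match = ROUTE_NODE.match(line)
        if match:
            route[int(match.group(1))] = match.group(2)   # drop the "(vsysN)" suffix
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    fields["route"] = [route[i] for i in sorted(route)]
    return fields


def is_redistributed(mapping):
    """Step 8.7: the mapping should show From: REDIST on a client."""
    return mapping.get("From") == "REDIST"


def origin_matches_first_hop(mapping):
    """Sanity check: the Origin field should be the first recorded route node."""
    return bool(mapping["route"]) and mapping.get("Origin") == mapping["route"][0]


def route_loop(mapping, local_ip):
    """Assumed loop rule: the receiving firewall appends its own IP to the
    route, so if local_ip is already in the route the mapping has come back
    to a device it passed through; a repeated hop indicates the same thing."""
    route = mapping["route"]
    return local_ip in route or len(set(route)) != len(route)


if __name__ == "__main__":
    m = parse_mapping(SAMPLE_OUTPUT)
    print("from REDIST:", is_redistributed(m))
    print("route:", " -> ".join(m["route"]))
    print("loop if received on 198.51.100.0:", route_loop(m, "198.51.100.0"))
```

    Note that a device running PAN-OS 9.1.x or earlier in the path truncates the route (as stated above), so a short route on its own is not evidence that the data took a short path; the loop check only reasons about the hops that were recorded.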
