End-of-Life (EoL)

Configure User-ID Redistribution

  1. Plan the redistribution architecture.
    • Decide which User-ID agents and methods to use for mapping IP addresses to usernames. You can redistribute user mapping information collected through any method except Terminal Services (TS) agents. You cannot redistribute Group Mapping or HIP match information.
    • Determine the most efficient Firewall Deployment for User-ID Redistribution. Some factors to consider are:
      • Which firewalls will enforce global policies for all users and which firewalls will enforce region- or function-specific policies for a subset of users?
      • How many hops does the redistribution sequence require to aggregate mapping information for firewalls in different functional or regional layers to enforce policy?
      • How can you minimize the number of firewalls that query the information sources? The fewer the number of querying firewalls, the lower the processing load is on both the firewalls and sources.
  2. Enable each bottom-layer firewall to forward mapping information to firewalls in the layer above.
    1. Configure the firewall to function as a User-ID agent.
      1. Select Device > User Identification > User Mapping.
      2. (Firewalls with multiple virtual systems only) Select the Location. You must configure the User-ID settings for each virtual system.
        You can redistribute mapping information among virtual systems on different firewalls or on the same firewall. In both cases, each virtual system counts as one hop in the redistribution sequence.
      3. Edit the Palo Alto Networks User-ID Agent Setup and select Redistribution.
      4. Enter a Collector Name to identify this firewall as a User-ID agent.
      5. Enter and confirm a Pre-Shared Key to secure communication between this firewall and the higher-layer firewalls. On a multi-vsys firewall, each vsys requires a unique pre-shared key.
      6. Click OK.
    2. Configure an Interface Management profile with the User-ID service enabled and assign the profile to the interface you want the firewall to use when responding to mapping information queries from firewalls in the layer above.
    3. (Optional) Configure policies that are specific to the user accounts for which you want this firewall to collect mapping information.
    4. Commit your changes.
  3. Enable each middle layer firewall to receive mapping information from the layer below and forward it to the layer above.
    You must also perform this task for any firewall that redistributes mapping information to other firewalls in the same layer. For example, Figure 1 shows one data center firewall that redistributes to other data center firewalls.
    Each firewall can receive mapping information from up to 100 User-ID agents.
    Figure 1 shows only one middle layer of firewalls but you can deploy as many layers as the redistribution limit of ten hops allows.
    1. Configure the firewall to receive mapping information from firewalls acting as User-ID agents in the layer below.
      1. Select Device > User Identification > User-ID Agents and click Add.
      2. Enter a Name to identify the lower-layer firewall.
      3. Enter the Host name or IP address of the interface that you configured on the lower-layer firewall to respond to mapping information queries.
      4. Enter the Port number (default is 5007) on which the lower-layer firewall will listen for User-ID queries.
      5. Enter the Collector Name you specified when configuring the lower-layer firewall to act as a User-ID agent.
      6. Enter and confirm the Collector Pre-Shared Key you specified on the lower-layer firewall.
      7. Ensure the configuration is Enabled (default) and click OK.
      8. Check the Connected column to confirm that the firewall you just added as a User-ID agent is connected.
    2. Configure a service route for the firewall to use for sending mapping information queries to firewalls in the layer below.
      1. Select Device > Setup > Services.
      2. (Firewalls with multiple virtual systems only) Select Global (for a firewall-wide service route) or Virtual Systems (for a virtual system-specific service route). For details, refer to Customize Service Routes to Services for Virtual Systems.
      3. Click Service Route Configuration, select Customize, and select IPv4 or IPv6 depending on your network protocols. Configure the service route for both protocols if your network uses both.
      4. Select UID Agent and then select the Source Interface and Source Address.
      5. Click OK twice to save the service route.
    3. Enable the firewall to forward the mapping information to firewalls in the layer above.
      1. Configure an Interface Management profile with the User-ID service enabled and assign the profile to the interface you want the firewall to use when responding to mapping information queries from firewalls in the layer above.
    4. (Optional) Configure policies specific to user accounts for which you want this firewall to aggregate mapping information from lower layers.
    5. Commit your changes.
  4. Enable each top-layer firewall to receive mapping information from all other layers.
    You must also perform this task for any firewall that is an end point in the redistribution sequence within a layer.
    In the example of Figure 1, you would perform this task for the two data center firewalls that receive mapping information from another data center firewall.
    1. (Optional) Configure policies that are global to all user accounts.
    2. Commit your changes.
  5. Verify that the top-layer firewalls are aggregating mapping information from all other layers.
    This step samples a single user mapping that is collected in a bottom-layer firewall and forwarded to a top-layer firewall. Repeat the step for several user mappings and several firewalls to ensure your configuration is successful.
    1. Access the CLI of a bottom-layer firewall and run the following operational command:
      > show user ip-user-mapping all
    2. Record the IP address associated with any username.
    3. Access the CLI of a top-layer firewall and run the following command, where <address> is the IP address you recorded in the previous step:
      > show user ip-user-mapping ip <address>
      If the firewall successfully received the user mapping from the bottom-layer firewall, it displays output similar to the following, with the same username as you recorded on the bottom-layer firewall.
      IP address:    192.0.2.0 (vsys1)
      User:          corpdomain\username1
      From:          AD
      Idle Timeout:  2643s
      Max. TTL:      2643s
      Groups that the user belongs to (used in policy)
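The spot check in step 5 is easy to repeat for many mappings with a small parser. The following Python helper is an added example, not part of the Palo Alto Networks procedure: it parses the per-IP output of `show user ip-user-mapping ip <address>` captured from a bottom-layer and a top-layer firewall and reports whether the two firewalls agree on the username for that IP. It assumes you have saved the per-IP output from both firewalls; the sample outputs are constructed to match the entry format shown above.

```python
import re
# Constructed sample output, modelled on the entry format shown in step 5.3.
BOTTOM_LAYER_OUTPUT = """\
IP address:    192.0.2.0 (vsys1)
User:          corpdomain\\username1
From:          AD
Idle Timeout:  2643s
Max. TTL:      2643s
Groups that the user belongs to (used in policy)
"""
# Same mapping as seen on the top-layer firewall a little later (timers lower).
TOP_LAYER_OUTPUT = BOTTOM_LAYER_OUTPUT.replace("2643s", "2510s")

FIELD_RE = re.compile(r"^(IP address|User|From|Idle Timeout|Max\. TTL):\s*(.*)$")

def parse_mapping(text):
    """Return the key/value fields of one mapping entry (IP split from vsys)."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "IP address":
            ip, _, vsys = value.partition(" ")
            fields["ip"], fields["vsys"] = ip, vsys.strip("()")
        elif key in ("Idle Timeout", "Max. TTL"):
            fields[key] = int(value.rstrip("s"))   # seconds remaining
        else:
            fields[key] = value
    return fields

def compare_mappings(bottom_text, top_text):
    """Check that the top-layer firewall holds the same IP-to-user mapping as
    the bottom-layer firewall. Returns (ok, list of discrepancies)."""
    bottom, top = parse_mapping(bottom_text), parse_mapping(top_text)
    problems = []
    if "User" not in top:
        return False, ["top-layer firewall has no mapping for this IP"]
    if bottom.get("ip") != top.get("ip"):
        problems.append(f"IP mismatch: {bottom.get('ip')} vs {top.get('ip')}")
    if bottom.get("User") != top.get("User"):
        problems.append(f"user mismatch: {bottom.get('User')} vs {top.get('User')}")
    if top.get("Max. TTL", 0) <= 0:
        problems.append("mapping on top-layer firewall has expired")
    return not problems, problems

if __name__ == "__main__":
    ok, problems = compare_mappings(BOTTOM_LAYER_OUTPUT, TOP_LAYER_OUTPUT)
    print("redistribution OK" if ok else "problems: " + "; ".join(problems))
```

Run it once per IP address you recorded in step 5.2; a missing or mismatched username on the top-layer firewall points at the collector name, pre-shared key, or service route configured in steps 2 and 3.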