Configure User-ID Redistribution
- Plan the redistribution architecture.
  - Determine the most efficient Firewall Deployment for User-ID Redistribution. Some factors to consider are:
    - Which firewalls will enforce global policies for all users, and which firewalls will enforce region- or function-specific policies for a subset of users?
    - How many hops does the redistribution sequence require to aggregate mapping information for firewalls in different functional or regional layers to enforce policy?
    - How can you minimize the number of firewalls that query the information sources? The fewer the querying firewalls, the lower the processing load on both the firewalls and the sources.
- Configure the User-ID agents to perform the user mapping.
- Enable each bottom-layer firewall to forward mapping information to firewalls in the layer above.
  - Configure the firewall to function as a User-ID agent.
    - Select Device > User Identification > User Mapping.
    - (Firewalls with multiple virtual systems only) Select the Location. You must configure the User-ID settings for each virtual system. You can redistribute mapping information among virtual systems on different firewalls or on the same firewall. In both cases, each virtual system counts as one hop in the redistribution sequence.
    - Edit the Palo Alto Networks User-ID Agent Setup and select Redistribution.
    - Enter a Collector Name to identify this firewall as a User-ID agent.
    - Enter and confirm a Pre-Shared Key to secure communication between this firewall and the higher-layer firewalls. On a multi-vsys firewall, each vsys requires a unique pre-shared key.
    - Configure an Interface Management profile with the User-ID service enabled and assign the profile to the interface you want the firewall to use when responding to mapping information queries from firewalls in the layer above.
  - (Optional) Configure policies that are specific to the user accounts for which you want this firewall to collect mapping information.
  - Commit your changes.
- Enable each middle-layer firewall to receive mapping information from the layer below and forward it to the layer above. You must also perform this task for any firewall that redistributes mapping information to other firewalls in the same layer. For example, Figure 1 shows one data center firewall that redistributes to other data center firewalls. Each firewall can receive mapping information from up to 100 User-ID agents.
  - Configure the firewall to receive mapping information from firewalls acting as User-ID agents in the layer below.
    - Select Device > User Identification > User-ID Agents and click Add.
    - Enter a Name to identify the lower-layer firewall.
    - Enter the Hostname or IP address of the interface that you configured on the lower-layer firewall to respond to mapping information queries.
    - Enter the Port number (default is 5007) on which the lower-layer firewall listens for User-ID queries.
    - Enter the Collector Name you specified when configuring the lower-layer firewall to act as a User-ID agent.
    - Enter and confirm the Collector Pre-Shared Key you specified on the lower-layer firewall.
    - Ensure the configuration is Enabled (default) and click OK.
    - Check the Connected column to confirm that the firewall you just added as a User-ID agent is connected.
  - Configure a service route for the firewall to use for sending mapping information queries to firewalls in the layer below.
    - (Firewalls with multiple virtual systems only) Select Global (for a firewall-wide service route) or Virtual Systems (for a virtual system-specific service route). For details, refer to Customize Service Routes to Services for Virtual Systems.
    - Click Service Route Configuration, select Customize, and select IPv4 or IPv6 depending on your network protocols. Configure the service route for both protocols if your network uses both.
    - Select UID Agent and then select the Source Interface and Source Address.
    - Click OK twice to save the service route.
  - Enable the firewall to forward the mapping information to firewalls in the layer above.
  - (Optional) Configure policies specific to the user accounts for which you want this firewall to aggregate mapping information from lower layers.
  - Commit your changes.
- Enable each top-layer firewall to receive mapping information from all other layers. You must also perform this task for any firewall that is an end point in the redistribution sequence within a layer. In the example of Figure 1, you would perform this task for the two data center firewalls that receive mapping information from another data center firewall.
- Verify that the top-layer firewalls are aggregating mapping information from all other layers. This step samples a single user mapping that is collected on a bottom-layer firewall and forwarded to a top-layer firewall. Repeat the step for several user mappings and several firewalls to ensure your configuration is successful.
  - Access the CLI of a bottom-layer firewall and run the following operational command:

    ```
    > show user ip-user-mapping all
    ```

  - Record the IP address associated with any username.
  - Access the CLI of a top-layer firewall and run the following command, where `<address>` is the IP address you recorded in the previous step:

    ```
    > show user ip-user-mapping ip <address>
    ```

    If the firewall successfully received the user mapping from the bottom-layer firewall, it displays output similar to the following, with the same username you recorded on the bottom-layer firewall:

    ```
    IP address: 192.0.2.0 (vsys1)
    User: corpdomain\username1
    From: AD
    Idle Timeout: 2643s
    Max. TTL: 2643s
    Groups that the user belongs to (used in policy)
    ```
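The verification step above checks one mapping by hand and asks you to repeat it for several mappings and firewalls. The following Python script is an added example, not part of the Palo Alto Networks documentation: it parses the per-mapping output layout shown in the sample above, as returned by `show user ip-user-mapping ip <address>` on a top-layer firewall, and compares the username against the one you recorded on the bottom-layer firewall, reporting per IP whether the mapping matched, carried a different user, or never reached the top layer. The records and CLI output it works on are constructed inline; it assumes the real output keeps the field order of the sample, that `domain\user` names compare case-insensitively, and it does not connect to any firewall itself (you feed it the CLI output you collected).

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Fields of one entry as printed by "show user ip-user-mapping ip <address>",
# in the order shown in the documentation's sample output. Assumption: the
# real output keeps that order; whitespace and line breaks between fields
# are not significant to the match.
_MAPPING_RE = re.compile(
    r"IP address:\s*(?P<ip>\S+)\s*\((?P<vsys>[^)]+)\)\s*"
    r"User:\s*(?P<user>\S+)\s*"
    r"From:\s*(?P<source>\S+)\s*"
    r"Idle Timeout:\s*(?P<idle>\d+)s\s*"
    r"Max\. TTL:\s*(?P<ttl>\d+)s"
)


@dataclass(frozen=True)
class UserMapping:
    ip: str
    vsys: str
    user: str
    source: str          # "AD" in the sample: mapping learned via a User-ID agent
    idle_timeout_s: int
    max_ttl_s: int


def parse_mapping(output: str) -> Optional[UserMapping]:
    """Parse one top-layer CLI output block; None when no mapping was printed."""
    m = _MAPPING_RE.search(output)
    if m is None:
        return None
    return UserMapping(
        ip=m["ip"], vsys=m["vsys"], user=m["user"], source=m["source"],
        idle_timeout_s=int(m["idle"]), max_ttl_s=int(m["ttl"]),
    )


def verify_redistribution(bottom_records: Dict[str, str],
                          top_outputs: Dict[str, str]) -> Dict[str, str]:
    """Compare each (IP -> user) recorded on a bottom-layer firewall with the
    top-layer firewall's answer for that IP.

    Result per IP: "match"    - the same user reached the top layer
                   "mismatch" - the top layer maps the IP to a different user
                   "missing"  - the top layer has no mapping for the IP
    Assumption: domain\\user names compare case-insensitively (Windows rules).
    """
    results: Dict[str, str] = {}
    for ip, expected_user in bottom_records.items():
        mapping = parse_mapping(top_outputs.get(ip, ""))
        if mapping is None:
            results[ip] = "missing"
        elif mapping.user.lower() == expected_user.lower():
            results[ip] = "match"
        else:
            results[ip] = "mismatch"
    return results


# --- Constructed sample data (not real firewall output) ---------------------

# Mappings noted on the bottom-layer firewall in the "Record the IP address"
# step, keyed by IP address.
BOTTOM_LAYER_RECORDS = {
    "192.0.2.0": "corpdomain\\username1",
    "192.0.2.10": "corpdomain\\username2",
    "192.0.2.20": "corpdomain\\username3",
}


def _block(ip: str, user: str) -> str:
    # Build one output block in the documentation's sample layout.
    return (f"IP address: {ip} (vsys1)\nUser: {user}\nFrom: AD\n"
            "Idle Timeout: 2643s\nMax. TTL: 2643s\n"
            "Groups that the user belongs to (used in policy)\n")


# Output of "show user ip-user-mapping ip <address>" on the top-layer firewall,
# keyed by the queried address: one entry matches (case differs only), one
# carries a different user (for example a stale mapping), and one is empty
# because the mapping never arrived.
TOP_LAYER_OUTPUT = {
    "192.0.2.0": _block("192.0.2.0", "CORPDOMAIN\\Username1"),
    "192.0.2.10": _block("192.0.2.10", "corpdomain\\someoneelse"),
    "192.0.2.20": "",
}

if __name__ == "__main__":
    for ip, status in verify_redistribution(BOTTOM_LAYER_RECORDS,
                                            TOP_LAYER_OUTPUT).items():
        print(f"{ip:<12} {status}")
```

A "missing" result for an IP that is present on the bottom-layer firewall points at the redistribution path (agent not Connected, wrong collector name or pre-shared key, or a service route that does not reach the lower-layer interface); a "mismatch" usually means the two firewalls learned the address at different times, so compare the Idle Timeout and Max. TTL values before assuming a configuration error.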