End-of-Life (EoL)
Panorama and Log Collectors as User-ID Redistribution Points
You can now leverage your Panorama and distributed log collection infrastructure to redistribute User-ID mappings in large-scale deployments. Because the infrastructure will have existing connections from firewalls to Log Collectors to Panorama, you can aggregate the mappings on Panorama without the administrative hassle of setting up extra connections between firewalls. Panorama can then redistribute the aggregated mappings to the firewalls that you use to enforce policies and generate reports for all the users in your network. Each Panorama management server, Log Collector, and firewall can receive user mappings from up to 100 redistribution points. The redistribution points can be Windows-based User-ID agents or other Panorama management servers, Log Collectors, and firewalls. You cannot redistribute group mapping information or redistribute user mapping information collected from Terminal Services (TS) agents.

- Configure the firewalls to redistribute mapping information. In this example procedure, you use Panorama to push configurations to the firewalls. Therefore, the firewalls must be managed devices.
  - Log in to the Panorama web interface.
  - Configure the firewalls to function as User-ID redistribution points: select Device > User Identification > User Mapping, select the Template to which the firewalls are assigned, edit the Palo Alto Networks User-ID Agent Setup, and configure the Redistribution settings.
  - Enable User-ID traffic on an interface that the firewall uses when responding to User-ID mapping queries from receiving devices (Log Collectors, in this example). You can use Panorama templates to perform this task for multiple firewalls.
- Configure each Log Collector to receive mapping information from firewalls and to redistribute the information to Panorama.
  - Add the firewalls as redistribution points to the Log Collector: select Panorama > Managed Collectors, edit the Log Collector, select User-ID Agents, and Add each firewall.
  - Enable the management (MGT) interface of the Log Collector to respond to User-ID mapping queries from Panorama: select Interfaces, click Management, select User-ID in the Network Connectivity Services section, and click OK twice.
- Configure the Panorama management server to receive mapping information from Log Collectors and to redistribute the information.
  - Add the Log Collectors as User-ID redistribution points to Panorama: select Panorama > User Identification and Add each Log Collector. Ignore the Collector Name and Collector Pre-Shared Key fields; they apply only when the User-ID agent is a firewall, not a Log Collector.
  - Enable the Panorama MGT interface to respond to User-ID mapping queries from the firewalls that enforce policies and generate reports: select Panorama > Setup > Interfaces, click Management, select User-ID in the Network Connectivity Services section, and click OK.
- Configure the firewalls that enforce policies and generate reports to receive mapping information from Panorama.
  - Select Device > User Identification > User-ID Agents, select the Template to which the firewalls are assigned, and Add Panorama as a User-ID redistribution point.
- Select Commit > Commit and Push to activate your changes on Panorama, the Log Collectors, and the firewalls.
- Verify that firewalls receive the redistributed mapping information. This step samples a single user mapping redistributed to a single firewall. Repeat the step for several user mappings and several firewalls to ensure your configuration is successful.
  - Access the CLI of a firewall that receives mappings from Windows-based User-ID agents or that uses its PAN-OS integrated User-ID agent to map IP addresses to usernames.
  - Display all the user mappings on the firewall by running the following command:
    > show user ip-user-mapping all
  - Record the IP address associated with any one username.
  - Access the CLI of a top-layer firewall and run the following command, using the <IP-address> you recorded in the previous step:
    > show user ip-user-mapping ip <IP-address>
    If the firewall successfully received the user mapping, it displays output similar to the following, with the same username as you recorded in the middle-layer firewall.
    IP address: 192.0.2.0 (vsys1)
    User: corpdomain\username1
    From: UIA
    Idle Timeout: 10229s
    Max. TTL: 10229s
    MFA Timestamp: first(1) - 2016/12/09 08:35:04
    Group(s): corpdomain\groupname(621)
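As an added example (not part of this Palo Alto Networks documentation), the following Python script automates the sampling in the verification step above: it parses captured `show user ip-user-mapping ip <IP-address>` output, in the field order shown in the sample, from a middle-layer firewall and a top-layer firewall, and reports for each sampled IP whether the redistributed mapping arrived with the same username. The stable field order and the sample captures are assumptions; the script only compares text you have already collected and does not connect to any device.

```python
import re
from typing import Dict, Optional

# Per-IP output format as shown in the doc sample (field order assumed stable).
MAPPING_RE = re.compile(
    r"IP address:\s+(?P<ip>\S+)\s+\((?P<vsys>[^)]+)\)\s+"
    r"User:\s+(?P<user>\S+)\s+From:\s+(?P<source>\S+)\s+"
    r"Idle Timeout:\s+(?P<idle>\d+)s\s+Max\. TTL:\s+(?P<ttl>\d+)s"
)

def parse_mapping(output: str) -> Optional[dict]:
    """Parse one 'show user ip-user-mapping ip <IP>' result; None if no mapping."""
    m = MAPPING_RE.search(output)
    if not m:
        return None
    rec = m.groupdict()
    rec["idle"], rec["ttl"] = int(rec["idle"]), int(rec["ttl"])
    return rec

def compare_mappings(source: Dict[str, str], enforcing: Dict[str, str]) -> Dict[str, str]:
    """Classify each sampled IP as 'ok', 'missing', 'mismatch:<user>' or
    'no-source-mapping' by comparing the enforcing firewall's copy to the source."""
    verdict = {}
    for ip, text in source.items():
        src, dst = parse_mapping(text), parse_mapping(enforcing.get(ip, ""))
        if src is None:
            verdict[ip] = "no-source-mapping"
        elif dst is None:
            verdict[ip] = "missing"
        elif dst["user"].lower() != src["user"].lower():
            verdict[ip] = f"mismatch:{dst['user']}"
        else:
            verdict[ip] = "ok"
    return verdict

# Constructed sample captures (not real firewall output); IPs from RFC 5737.
def sample(ip: str, user: str, idle: int = 10229) -> str:
    return (f"IP address: {ip} (vsys1)\nUser: {user}\nFrom: UIA\n"
            f"Idle Timeout: {idle}s\nMax. TTL: {idle}s\n"
            f"Group(s): corpdomain\\groupname(621)\n")

MIDDLE_LAYER = {ip: sample(ip, u) for ip, u in [("192.0.2.10", "corpdomain\\alice"),
                ("192.0.2.11", "corpdomain\\bob"), ("192.0.2.12", "corpdomain\\carol")]}
TOP_LAYER = {
    "192.0.2.10": sample("192.0.2.10", "corpdomain\\alice", idle=9800),  # redistributed
    "192.0.2.11": "",                                        # constructed: no record
    "192.0.2.12": sample("192.0.2.12", "corpdomain\\dave"),  # constructed: stale user
}

if __name__ == "__main__":
    for ip, status in compare_mappings(MIDDLE_LAYER, TOP_LAYER).items():
        print(ip, status)
```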