Panorama and Log Collectors as User-ID Redistribution Points

You can use Panorama and your distributed log collection infrastructure to redistribute User-ID mappings in large-scale deployments. Because firewalls already connect to Log Collectors, and Log Collectors to Panorama, you can aggregate the mappings on Panorama without setting up additional connections between firewalls. Panorama then redistributes the aggregated mappings to the firewalls that enforce policies and generate reports for all the users in your network. Each Panorama management server, Log Collector, and firewall can receive user mappings from up to 100 redistribution points. A redistribution point can be a Windows-based User-ID agent or another Panorama management server, Log Collector, or firewall.
You cannot redistribute group mapping information, nor user mapping information collected from Terminal Services (TS) agents.
  1. Configure the firewalls to redistribute mapping information.
    In this example procedure, you use Panorama to push configurations to the firewalls. Therefore, the firewalls must be managed devices.
    1. Log in to the Panorama web interface.
    2. Configure the firewalls to function as User-ID redistribution points: select Device > User Identification > User Mapping, select the Template to which the firewalls are assigned, edit the Palo Alto Networks User-ID Agent Setup, and configure the Redistribution settings.
    3. Enable User-ID traffic on an interface that the firewall uses when responding to User-ID mapping queries from receiving devices (Log Collectors, in this example). You can use Panorama templates to perform this task for multiple firewalls.
  2. Configure each Log Collector to receive mapping information from firewalls and to redistribute the information to Panorama.
    1. Add the firewalls as redistribution points to the Log Collector: select Panorama > Managed Collectors, edit the Log Collector, select User-ID Agents, and Add each firewall.
    2. Enable the management (MGT) interface of the Log Collector to respond to User-ID mapping queries from Panorama: select Interfaces, click Management, select User-ID in the Network Connectivity Services section, and click OK twice.
  3. Configure the Panorama management server to receive mapping information from Log Collectors and to redistribute the information.
    1. Add the Log Collectors as User-ID redistribution points to Panorama: select Panorama > User Identification and Add each Log Collector. Ignore the Collector Name and Collector Pre-Shared Key fields; they apply only when the User-ID agent is a firewall, not a Log Collector.
    2. Enable the Panorama MGT interface to respond to User-ID mapping queries from the firewalls that enforce policies and generate reports: select Panorama > Setup > Interfaces, click Management, select User-ID in the Network Connectivity Services section, and click OK.
  4. Configure the firewalls that enforce policies and generate reports to receive mapping information from Panorama.
    1. Select Device > User Identification > User-ID Agents, select the Template to which the firewalls are assigned, and Add Panorama as a User-ID redistribution point.
    2. Select Commit > Commit and Push to activate your changes on Panorama, the Log Collectors, and the firewalls.
  5. Verify that firewalls receive the redistributed mapping information.
    This step samples a single user mapping redistributed to a single firewall. Repeat it for several user mappings and several firewalls to confirm that the configuration works end to end.
    1. Access the CLI of a source firewall, that is, one of the firewalls you configured as a redistribution point in step 1, which receives mappings from Windows-based User-ID agents or uses its PAN-OS integrated User-ID agent to map IP addresses to usernames.
    2. Display all the user mappings on the firewall by running the following command:
      > show user ip-user-mapping all
    3. Record the IP address associated with any one username.
    4. Access the CLI of a firewall that receives mappings from Panorama (one of the firewalls you configured in step 4) and run the following command, using the <IP-address> you recorded in the previous step:
      > show user ip-user-mapping ip <IP-address>
      If the firewall successfully received the user mapping, it displays output similar to the following, with the same username you recorded on the source firewall:
      IP address:    192.0.2.0 (vsys1)
      User:          corpdomain\username1
      From:          UIA
      Idle Timeout:  10229s
      Max. TTL:      10229s
      MFA Timestamp: first(1) - 2016/12/09 08:35:04
      Group(s):      corpdomain\groupname(621)
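To extend the spot check in step 5 from one mapping to many, the following Python script is an added example; it is not part of the Palo Alto Networks documentation or product. It parses the text that show user ip-user-mapping ip <IP> prints, in the layout shown above, once as captured on a source firewall (step 1) and once as captured on a firewall that receives mappings from Panorama (step 4), and reports per IP address whether both devices hold the same user. The two captures embedded in the script are constructed sample output, not real device data; the field names come from the output above, but the assumption that the command prints one such block per IP address with nothing but blank lines between blocks is mine.

```python
"""Cross-check User-ID mappings redistributed through Panorama.

Added example, not Palo Alto Networks code. Parses captured output of
`show user ip-user-mapping ip <IP>` from a source firewall and from a
receiving firewall, then reports per IP whether both hold the same user.
"""
import re

# One "Key:   value" line of the detail output. Keys seen in the documented
# sample: IP address, User, From, Idle Timeout, Max. TTL, MFA Timestamp, Group(s).
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z][A-Za-z .()]*?):\s+(?P<value>.*)$")

# Constructed capture from a source firewall (step 1): three sampled IPs.
SOURCE_CAPTURE = """\
IP address:    192.0.2.10 (vsys1)
User:          corpdomain\\username1
From:          UIA
Idle Timeout:  10229s
Max. TTL:      10229s
MFA Timestamp: first(1) - 2016/12/09 08:35:04
Group(s):      corpdomain\\groupname(621)

IP address:    192.0.2.11 (vsys1)
User:          corpdomain\\username2
From:          UIA
Idle Timeout:  8000s
Max. TTL:      8000s

IP address:    192.0.2.12 (vsys1)
User:          corpdomain\\username3
From:          UIA
Idle Timeout:  500s
Max. TTL:      500s
"""

# Constructed capture from a receiving firewall (step 4): .10 agrees, .11 holds
# a different (stale) user, .12 never arrived, .13 exists only on the receiver.
RECEIVER_CAPTURE = """\
IP address:    192.0.2.10 (vsys1)
User:          corpdomain\\username1
From:          UIA
Idle Timeout:  10100s
Max. TTL:      10100s

IP address:    192.0.2.11 (vsys1)
User:          corpdomain\\olduser
From:          UIA
Idle Timeout:  60s
Max. TTL:      60s

IP address:    192.0.2.13 (vsys1)
User:          corpdomain\\unknown
From:          UIA
Idle Timeout:  900s
Max. TTL:      900s
"""


def parse_mappings(text):
    """Return {ip: {field: value, "vsys": name}} from one or more detail blocks.

    Assumes every block starts with an "IP address:" line, as in the
    documented sample (an assumption about the command output).
    """
    mappings = {}
    current = None
    for line in text.splitlines():
        match = FIELD_RE.match(line.strip())
        if not match:
            continue  # blank lines, prompts, or anything else
        key, value = match.group("key"), match.group("value").strip()
        if key == "IP address":
            ip, _, vsys = value.partition(" ")  # "192.0.2.10 (vsys1)"
            current = {"vsys": vsys.strip("()")}
            mappings[ip] = current
        elif current is not None:
            current[key] = value
    return mappings


def compare_mappings(source, receiver):
    """Return {ip: status} over the union of both sides.

    ok: same user on both (compared case-insensitively so that differing
    case between sources does not produce false mismatches);
    user-mismatch: receiver holds another user for this IP;
    missing-on-receiver: the source mapping was not redistributed;
    missing-on-source: the receiver holds a mapping no source provided.
    """
    results = {}
    for ip in sorted(set(source) | set(receiver)):
        src, rcv = source.get(ip), receiver.get(ip)
        if src is None:
            results[ip] = "missing-on-source"
        elif rcv is None:
            results[ip] = "missing-on-receiver"
        elif src.get("User", "").lower() != rcv.get("User", "").lower():
            results[ip] = "user-mismatch"
        else:
            results[ip] = "ok"
    return results


def run_check(source_text, receiver_text):
    return compare_mappings(parse_mappings(source_text), parse_mappings(receiver_text))


if __name__ == "__main__":
    for ip, status in run_check(SOURCE_CAPTURE, RECEIVER_CAPTURE).items():
        print(f"{ip:<16}{status}")
```

To use it against real devices, replace the two constants with output captured from the respective CLIs (one query per sampled IP, concatenated). A missing-on-receiver result points at the redistribution path (step 1 through step 4, including the User-ID service on the MGT interfaces); a missing-on-source result is worth investigating because the receiving firewall enforces policy on a mapping that no source currently vouches for, which usually means a stale entry that has not yet timed out.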

Related Documentation