Panorama and Log Collectors as User-ID Redistribution Points

You can now leverage your Panorama and distributed log collection infrastructure to redistribute User-ID mappings in large-scale deployments. Because the infrastructure will have existing connections from firewalls to Log Collectors to Panorama, you can aggregate the mappings on Panorama without the administrative hassle of setting up extra connections between firewalls. Panorama can then redistribute the aggregated mappings to the firewalls that you use to enforce policies and generate reports for all the users in your network. Each Panorama management server, Log Collector, and firewall can receive user mappings from up to 100 redistribution points. The redistribution points can be Windows-based User-ID agents or other Panorama management servers, Log Collectors, and firewalls.
You cannot redistribute group mapping information or redistribute user mapping information collected from Terminal Services (TS) agents.
  1. Configure the firewalls to redistribute mapping information.
    In this example procedure, you use Panorama to push configurations to the firewalls. Therefore, the firewalls must be managed devices.
    1. Log in to the Panorama web interface.
    2. Configure the firewalls to function as User-ID redistribution points—Select Device > User Identification > User Mapping, select the Template to which the firewalls are assigned, edit the Palo Alto Networks User-ID Agent Setup, and configure the Redistribution settings.
    3. Enable User-ID traffic on an interface that the firewall uses when responding to User-ID mapping queries from receiving devices (Log Collectors, in this example). You can use Panorama templates to perform this task for multiple firewalls.
  2. Configure each Log Collector to receive mapping information from firewalls and to redistribute the information to Panorama.
    1. Add the firewalls as redistribution points to the Log Collector—Select Panorama > Managed Collectors, edit the Log Collector, select User-ID Agents, and Add each firewall.
    2. Enable the management (MGT) interface of the Log Collector to respond to User-ID mapping queries from Panorama—Select Interfaces, click Management, select User-ID in the Network Connectivity Services section, and click OK twice.
  3. Configure the Panorama management server to receive mapping information from Log Collectors and to redistribute the information.
    1. Add the Log Collectors as User-ID redistribution points to Panorama—Select Panorama > User Identification and Add each Log Collector.
      Ignore the Collector Name and Collector Pre-Shared Key fields; they apply only when the User-ID agent is a firewall, not a Log Collector.
    2. Enable the Panorama MGT interface to respond to User-ID mapping queries from the firewalls that enforce policies and generate reports—Select Panorama > Setup > Interfaces, click Management, select User-ID in the Network Connectivity Services section, and click OK.
  4. Configure the firewalls that enforce policies and generate reports to receive mapping information from Panorama.
    1. Select Device > User Identification > User-ID Agents, select the Template to which the firewalls are assigned, and Add Panorama as a User-ID redistribution point.
    2. Select Commit > Commit and Push to activate your changes on Panorama, the Log Collectors, and the firewalls.
  5. Verify that firewalls receive the redistributed mapping information.
    This step samples a single user mapping redistributed to a single firewall. Repeat the step for several user mappings and several firewalls to ensure your configuration is successful.
    1. Access the CLI of a firewall that receives mappings from Windows-based User-ID agents or that uses its PAN-OS integrated User-ID agent to map IP addresses to usernames.
    2. Display all the user mappings on the firewall by running the following command:
      > show user ip-user-mapping all
    3. Record the IP address associated with any one username.
    4. Access the CLI of a top-layer firewall and run the following command, using the <IP-address> you recorded in the previous step:
      > show user ip-user-mapping ip <IP-address>
      If the firewall successfully received the user mapping, it displays output similar to the following, with the same username as you recorded in the middle-layer firewall.
      IP address:    192.0.2.0 (vsys1)
      User:          corpdomain\username1
      From:          UIA
      Idle Timeout:  10229s
      Max. TTL:      10229s
      MFA Timestamp: first(1) - 2016/12/09 08:35:04
      Group(s):      corpdomain\groupname(621)
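Step 5 samples one mapping by hand and asks you to repeat it for several users and firewalls. The following Python script is an added example, not part of this page or of PAN-OS: it parses the two CLI outputs and reports every mapping on the middle-layer firewall that is missing or carries a different username on the top-layer firewall. It assumes you have already captured the command output into strings (for example over SSH); the sample outputs embedded below are constructed, the tabular column layout of `show user ip-user-mapping all` is an assumption modelled on PAN-OS output, and the per-IP key/value layout follows the sample above. The check that a received mapping reports `From: UIA` is likewise an assumption drawn from that sample and is reported as a warning rather than a failure.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of `show user ip-user-mapping all` captured on the
# middle-layer firewall. The column layout is an assumption modelled on
# PAN-OS output; adjust TABLE_ROW if your platform prints it differently.
MIDDLE_LAYER_ALL = """\
IP              Vsys   From    User                  IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- --------------------- -------------- -------------
192.0.2.10      vsys1  UIA     corpdomain\\username1  10229          10229
192.0.2.11      vsys1  AD      corpdomain\\username2  1800           2700
Total: 2 users
"""

# Constructed samples of `show user ip-user-mapping ip <IP>` captured on the
# top-layer firewall, keyed by the IP queried. The key/value layout follows
# the page's sample output. An empty string models "no mapping returned".
TOP_LAYER_BY_IP = {
    "192.0.2.10": """\
IP address:    192.0.2.10 (vsys1)
User:          corpdomain\\username1
From:          UIA
Idle Timeout:  10229s
Max. TTL:      10229s
Group(s):      corpdomain\\groupname(621)
""",
    "192.0.2.11": "",  # redistribution gap: mapping never reached the top layer
}

# One data row of the tabular listing: IP, vsys, source, user, then timeouts.
TABLE_ROW = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<vsys>\S+)\s+(?P<source>\S+)\s+(?P<user>\S+)"
)
# One "Key:   value" line of the per-IP output (keys may contain '.', '(', ')').
KEY_VALUE = re.compile(r"^(?P<key>[A-Za-z.() ]+?):\s+(?P<value>.*)$")


def parse_all(output: str) -> Dict[str, Dict[str, str]]:
    """Parse the tabular 'all' listing into {ip: {"user", "source", "vsys"}}."""
    mappings: Dict[str, Dict[str, str]] = {}
    for line in output.splitlines():
        m = TABLE_ROW.match(line)
        if m:
            mappings[m["ip"]] = {"user": m["user"], "source": m["source"], "vsys": m["vsys"]}
    return mappings


def parse_single(output: str) -> Optional[Dict[str, str]]:
    """Parse the per-IP key/value output; None when no mapping is shown."""
    fields: Dict[str, str] = {}
    for line in output.splitlines():
        m = KEY_VALUE.match(line.strip())
        if m:
            fields[m["key"].strip()] = m["value"].strip()
    if "User" not in fields:
        return None
    return {"user": fields["User"], "source": fields.get("From", "")}


def verify_redistribution(source_all: str, top_by_ip: Dict[str, str]) -> List[str]:
    """Compare every mapping on the source firewall with the top-layer lookup.

    Returns one line per problem: FAIL when the mapping is absent or the
    username differs, WARN when it is present but not attributed to a User-ID
    agent (From != UIA), which means it may have been learned locally rather
    than received through redistribution. An empty list means all sampled
    mappings were redistributed with the same username.
    """
    problems: List[str] = []
    for ip, src in parse_all(source_all).items():
        got = parse_single(top_by_ip.get(ip, ""))
        if got is None:
            problems.append(f"FAIL {ip}: no mapping on top-layer firewall (expected {src['user']})")
        elif got["user"].lower() != src["user"].lower():
            problems.append(f"FAIL {ip}: username mismatch, source={src['user']} top={got['user']}")
        elif got["source"] != "UIA":
            problems.append(f"WARN {ip}: mapping present but From={got['source']}, not UIA")
    return problems


if __name__ == "__main__":
    for line in verify_redistribution(MIDDLE_LAYER_ALL, TOP_LAYER_BY_IP) or ["OK: all sampled mappings redistributed"]:
        print(line)
```

Run it against real captures by replacing the two constructed samples with the output of the commands in step 5; because the comparison is case-insensitive on the username, a mapping that differs only in domain or username capitalisation is not reported as a mismatch.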
