Panorama and Log Collectors as User-ID Redistribution Points
You can now leverage your Panorama and distributed log collection infrastructure to redistribute User-ID mappings in large-scale deployments. Because the infrastructure will have existing connections from firewalls to Log Collectors to Panorama, you can aggregate the mappings on Panorama without the administrative hassle of setting up extra connections between firewalls. Panorama can then redistribute the aggregated mappings to the firewalls that you use to enforce policies and generate reports for all the users in your network. Each Panorama management server, Log Collector, and firewall can receive user mappings from up to 100 redistribution points. The redistribution points can be Windows-based User-ID agents or other Panorama management servers, Log Collectors, and firewalls.
You cannot redistribute group mapping information or redistribute user mapping information collected from Terminal Services (TS) agents.
- Configure the firewalls to redistribute mapping information.
  - Log in to the Panorama web interface.
  - Configure the firewalls to function as User-ID redistribution points: select Device > User Identification > User Mapping, select the Template to which the firewalls are assigned, edit the Palo Alto Networks User-ID Agent Setup, and configure the Redistribution settings.
  - Enable User-ID traffic on an interface that the firewall uses when responding to User-ID mapping queries from receiving devices (Log Collectors, in this example). You can use Panorama templates to perform this task for multiple firewalls.
- Configure each Log Collector to receive mapping information from the firewalls and to redistribute it to Panorama.
  - Add the firewalls as redistribution points to the Log Collector: select Panorama > Managed Collectors, edit the Log Collector, select User-ID Agents, and Add each firewall.
  - Enable the management (MGT) interface of the Log Collector to respond to User-ID mapping queries from Panorama: select Interfaces, click Management, select User-ID in the Network Connectivity Services section, and click OK twice.
- Configure the Panorama management server to receive mapping information from the Log Collectors and to redistribute it.
  - Add the Log Collectors as User-ID redistribution points to Panorama: select Panorama > User Identification and Add each Log Collector. Ignore the Collector Name and Collector Pre-Shared Key fields; they apply only when the User-ID agent is a firewall, not a Log Collector.
  - Enable the Panorama MGT interface to respond to User-ID mapping queries from the firewalls that enforce policies and generate reports: select Panorama > Setup > Interfaces, click Management, select User-ID in the Network Connectivity Services section, and click OK.
- Configure the firewalls that enforce policies and generate reports to receive mapping information from Panorama.
  - Select Device > User Identification > User-ID Agents, select the Template to which the firewalls are assigned, and Add Panorama as a User-ID redistribution point.
- Select Commit > Commit and Push to activate your changes on Panorama, the Log Collectors, and the firewalls.
- Verify that the firewalls receive the redistributed mapping information. This step samples a single user mapping redistributed to a single firewall; repeat it for several user mappings and several firewalls to confirm that your configuration works.
  - Access the CLI of a firewall that receives mappings from Windows-based User-ID agents or that uses its PAN-OS integrated User-ID agent to map IP addresses to usernames.
  - Display all the user mappings on the firewall by running the following command:
    > show user ip-user-mapping all
  - Record the IP address associated with any one username.
  - Access the CLI of a top-layer firewall and run the following command, using the <IP-address> you recorded in the previous step:
    > show user ip-user-mapping ip <IP-address>
    If the firewall successfully received the user mapping, it displays output similar to the following, with the same username that you recorded on the middle-layer firewall:
    IP address: 192.0.2.0 (vsys1)
    User: corpdomain\username1
    From: UIA
    Idle Timeout: 10229s
    Max. TTL: 10229s
    MFA Timestamp: first(1) - 2016/12/09 08:35:04
    Group(s): corpdomain\groupname(621)
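The verification step above compares one mapping on one firewall by eye. The following script, an added example that is not part of the PAN-OS documentation or product, parses the `show user ip-user-mapping ip <IP-address>` output shown above and cross-checks a batch of mappings recorded on the middle-layer firewall against captures from a top-layer firewall, so the check can be repeated across many users and firewalls. It assumes the key/value field names in the sample output (IP address, User, From, Idle Timeout, Max. TTL, Group(s)); the captures and the expected mappings are constructed, and the way the firewall reports an IP with no mapping is assumed to be output without a User line. Beyond the text's single case it also flags mappings whose idle timeout is about to expire, since a mapping that verifies now but times out seconds later gives a false sense of success.

```python
"""Cross-check User-ID mappings redistributed to a top-layer firewall.

Added example, not PAN-OS or Panorama code. Parses the key/value output of
`show user ip-user-mapping ip <addr>` (field names from the sample in the text)
and compares it with the IP-to-user pairs recorded on the middle-layer firewall.
Sample captures below are constructed; the "no mapping" shape (no "User:" line)
is an assumption.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# "Key: value" lines; the key stops at the first colon so timestamps survive intact.
_FIELD_RE = re.compile(r"^\s*(?P<key>[^:]+?):\s*(?P<value>.*?)\s*$")
_ADDR_RE = re.compile(r"^(?P<ip>\S+)(?:\s+\((?P<vsys>[^)]+)\))?")
_SECONDS_RE = re.compile(r"^(\d+)s$")


@dataclass
class Mapping:
    ip: Optional[str]
    vsys: Optional[str]
    user: Optional[str]
    source: Optional[str]          # "From:" field, e.g. UIA (User-ID agent)
    idle_timeout_s: Optional[int]
    max_ttl_s: Optional[int]
    groups: Optional[str]          # raw "Group(s):" value


def _seconds(value: Optional[str]) -> Optional[int]:
    """Convert a '10229s' style value to an int; None if absent or malformed."""
    if value is None:
        return None
    m = _SECONDS_RE.match(value)
    return int(m.group(1)) if m else None


def parse_mapping(text: str) -> Mapping:
    """Parse one `show user ip-user-mapping ip <addr>` capture into a Mapping."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = _FIELD_RE.match(line)
        if m:
            fields[m.group("key").strip()] = m.group("value")
    ip = vsys = None
    addr = _ADDR_RE.match(fields.get("IP address", ""))
    if addr:
        ip, vsys = addr.group("ip"), addr.group("vsys")
    return Mapping(
        ip=ip,
        vsys=vsys,
        user=fields.get("User") or None,
        source=fields.get("From"),
        idle_timeout_s=_seconds(fields.get("Idle Timeout")),
        max_ttl_s=_seconds(fields.get("Max. TTL")),
        groups=fields.get("Group(s)"),
    )


def verify_redistribution(expected: Dict[str, str], captures: Dict[str, str],
                          min_idle_s: int = 60) -> List[Tuple[str, str, str]]:
    """Compare recorded middle-layer mappings with top-layer captures.

    expected: {ip: user} recorded on the middle-layer firewall.
    captures: {ip: raw CLI output} collected on the top-layer firewall.
    Returns (ip, status, detail) per IP. Usernames compare case-insensitively,
    since Windows domain usernames are not case-sensitive.
    """
    results = []
    for ip, want_user in expected.items():
        text = captures.get(ip)
        if text is None:
            results.append((ip, "NOT_CHECKED", "no capture collected for this IP"))
            continue
        mp = parse_mapping(text)
        if not mp.user:
            results.append((ip, "MISSING", "top-layer firewall has no mapping for this IP"))
        elif mp.user.casefold() != want_user.casefold():
            results.append((ip, "MISMATCH", f"expected {want_user}, got {mp.user}"))
        elif mp.idle_timeout_s is not None and mp.idle_timeout_s < min_idle_s:
            results.append((ip, "OK_EXPIRING", f"matches but idle timeout is {mp.idle_timeout_s}s"))
        else:
            results.append((ip, "OK", f"{mp.user} via {mp.source} in {mp.vsys}"))
    return results


# Constructed: mappings recorded on the middle-layer firewall.
EXPECTED_MIDDLE_LAYER = {
    "192.0.2.0": "corpdomain\\username1",
    "192.0.2.10": "corpdomain\\username2",
    "192.0.2.20": "corpdomain\\username3",
    "192.0.2.30": "corpdomain\\username4",
}

# Constructed: top-layer captures. The first reproduces the sample output in the text.
TOP_LAYER_CAPTURES = {
    "192.0.2.0": r"""
IP address: 192.0.2.0 (vsys1)
User: corpdomain\username1
From: UIA
Idle Timeout: 10229s
Max. TTL: 10229s
MFA Timestamp: first(1) - 2016/12/09 08:35:04
Group(s): corpdomain\groupname(621)
""",
    "192.0.2.10": r"""
IP address: 192.0.2.10 (vsys1)
User: corpdomain\someoneelse
From: UIA
Idle Timeout: 2400s
Max. TTL: 2400s
""",
    "192.0.2.20": "",  # assumed shape of "no mapping" output: no User: line
    "192.0.2.30": r"""
IP address: 192.0.2.30 (vsys1)
User: CORPDOMAIN\Username4
From: UIA
Idle Timeout: 15s
Max. TTL: 15s
""",
}

if __name__ == "__main__":
    for ip, status, detail in verify_redistribution(EXPECTED_MIDDLE_LAYER, TOP_LAYER_CAPTURES):
        print(f"{ip:<12} {status:<12} {detail}")
```

Any IP reported as MISSING or MISMATCH on the top-layer firewall points at the redistribution chain (firewall to Log Collector to Panorama to firewall) rather than at the original mapping, so check the User-ID Agents list and the MGT-interface User-ID service on the hop that feeds that firewall; OK_EXPIRING means the check passed only because it ran just before the idle timeout, so repeat it after the user's next logon.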