Panorama and Log Collectors as User-ID Redistribution Points
You can now leverage your Panorama and distributed log collection infrastructure to redistribute User-ID mappings in large-scale deployments. Because the infrastructure will have existing connections from firewalls to Log Collectors to Panorama, you can aggregate the mappings on Panorama without the administrative hassle of setting up extra connections between firewalls. Panorama can then redistribute the aggregated mappings to the firewalls that you use to enforce policies and generate reports for all the users in your network. Each Panorama management server, Log Collector, and firewall can receive user mappings from up to 100 redistribution points. The redistribution points can be Windows-based User-ID agents or other Panorama management servers, Log Collectors, and firewalls.
You cannot redistribute group mapping information or redistribute user mapping information collected from Terminal Services (TS) agents.
- Configure the firewalls to redistribute mapping information. In this example procedure, you use Panorama to push configurations to the firewalls. Therefore, the firewalls must be managed devices.
- Log in to the Panorama web interface.
- Configure the firewalls to function as User-ID redistribution points. Select Device > User Identification > User Mapping, select the Template to which the firewalls are assigned, edit the Palo Alto Networks User-ID Agent Setup, and configure the Redistribution settings.
- Enable User-ID traffic on an interface that the firewall uses when responding to User-ID mapping queries from receiving devices (Log Collectors, in this example). You can use Panorama templates to perform this task for multiple firewalls.
- Configure each Log Collector to receive mapping information from firewalls and to redistribute the information to Panorama.
- Add the firewalls as redistribution points to the Log Collector. Select Panorama > Managed Collectors, edit the Log Collector, select User-ID Agents, and Add each firewall.
- Enable the management (MGT) interface of the Log Collector to respond to User-ID mapping queries from Panorama. In the same Log Collector dialog, select Interfaces, click Management, select User-ID in the Network Connectivity Services section, and click OK twice.
- Configure the Panorama management server to receive mapping information from Log Collectors and to redistribute the information.
- Add the Log Collectors as User-ID redistribution points to Panorama. Select Panorama > User Identification and Add each Log Collector. Ignore the Collector Name and Collector Pre-Shared Key fields; they apply only when the User-ID agent is a firewall, not a Log Collector.
- Enable the Panorama MGT interface to respond to User-ID mapping queries from the firewalls that enforce policies and generate reports. Select Panorama > Setup > Interfaces, click Management, select User-ID in the Network Connectivity Services section, and click OK.
- Configure the firewalls that enforce policies and generate reports to receive mapping information from Panorama.
- Select Device > User Identification > User-ID Agents, select the Template to which the firewalls are assigned, and Add Panorama as a User-ID redistribution point.
- Select Commit > Commit and Push to activate your changes on Panorama, the Log Collectors, and the firewalls.
- Verify that firewalls receive the redistributed mapping information. This step samples a single user mapping redistributed to a single firewall. Repeat the step for several user mappings and several firewalls to ensure your configuration is successful.
- Access the CLI of a firewall that receives mappings from Windows-based User-ID agents or that uses its PAN-OS integrated User-ID agent to map IP addresses to usernames.
- Display all the user mappings on the firewall by running the following command:
> show user ip-user-mapping all
- Record the IP address associated with any one username.
- Access the CLI of a firewall that receives redistributed mappings from Panorama (one of the firewalls that enforce policies and generate reports) and run the following command, using the <IP-address> you recorded in the previous step:
> show user ip-user-mapping ip <IP-address>
If the firewall successfully received the user mapping, it displays output similar to the following, with the same username that you recorded on the source firewall in the previous step:
IP address: 192.0.2.0 (vsys1)
User: corpdomain\username1
From: UIA
Idle Timeout: 10229s
Max. TTL: 10229s
MFA Timestamp: first(1) - 2016/12/09 08:35:04
Group(s): corpdomain\groupname(621)
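To sample several mappings on several receiving firewalls without comparing each result by eye, the following Python script (an added example, not code from the Palo Alto Networks documentation) parses the per-IP output shown above for each receiving firewall and compares it with the usernames recorded on the source firewall. It assumes you have already captured the raw text of show user ip-user-mapping ip <IP-address> for each sampled IP (pasted in, or collected over SSH); the firewall names, usernames and captured outputs in the script are constructed, and the check that the From field reads UIA (the value the sample output above shows for a mapping learned from a User-ID agent or redistribution point) is an added sanity check, not something the procedure requires.

```python
"""Compare IP-to-username mappings recorded on a source firewall with the
per-IP output of `show user ip-user-mapping ip <IP>` captured on each firewall
that should have received them through Panorama. Parses the key/value layout
shown above (IP address:, User:, From:, Idle Timeout:, Max. TTL:, ...).
Firewall names, usernames and captured outputs are constructed for this example."""
import re
from dataclasses import dataclass
from typing import Optional

# One "Key: value" line, e.g. "Max. TTL: 10229s". The key is matched
# non-greedily so values that themselves contain ':' (timestamps) stay intact.
_FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z .()]*?):\s*(.*?)\s*$")


@dataclass
class Mapping:
    ip: str
    vsys: Optional[str]
    user: str
    source: str              # the "From:" field; UIA in the sample above
    idle_timeout: Optional[int]
    max_ttl: Optional[int]


def _seconds(value: Optional[str]) -> Optional[int]:
    """'10229s' -> 10229; anything else -> None."""
    if value and value.endswith("s") and value[:-1].isdigit():
        return int(value[:-1])
    return None


def parse_ip_user_mapping(text: str) -> Optional[Mapping]:
    """Parse one `show user ip-user-mapping ip <IP>` result.
    Returns None when the output carries no mapping (no 'IP address:' line)."""
    fields = {}
    for line in text.splitlines():
        m = _FIELD.match(line)
        if m:
            fields[m.group(1).strip().lower()] = m.group(2)
    if "ip address" not in fields or "user" not in fields:
        return None
    m = re.match(r"(\S+)(?:\s+\((\S+)\))?", fields["ip address"])  # "192.0.2.0 (vsys1)"
    if not m:
        return None
    return Mapping(ip=m.group(1), vsys=m.group(2), user=fields["user"],
                   source=fields.get("from", ""),
                   idle_timeout=_seconds(fields.get("idle timeout")),
                   max_ttl=_seconds(fields.get("max. ttl")))


def verify_redistribution(expected, captured):
    """expected: {ip: username} recorded on the source firewall.
    captured: {firewall: {ip: raw output of `show user ip-user-mapping ip <ip>`}}.
    Returns {firewall: {ip: status}} with status 'ok', 'missing',
    'user mismatch: <user seen>' or 'wrong source: <From field>'."""
    report = {}
    for fw, outputs in captured.items():
        report[fw] = {}
        for ip, user in expected.items():
            parsed = parse_ip_user_mapping(outputs.get(ip, ""))
            if parsed is None:
                status = "missing"                       # mapping never arrived
            elif parsed.user.lower() != user.lower():    # domain\user is case-insensitive
                status = f"user mismatch: {parsed.user}"
            elif parsed.source != "UIA":
                # Assumption: any other source means the firewall learned the mapping
                # itself (probe, Captive Portal, ...), so redistribution is unproven.
                status = f"wrong source: {parsed.source or '?'}"
            else:
                status = "ok"
            report[fw][ip] = status
    return report


# --- Constructed sample data (not captured from a real deployment) ---
SOURCE_MAPPINGS = {"192.0.2.0": r"corpdomain\username1",
                   "192.0.2.5": r"corpdomain\username2"}

CAPTURED = {
    "fw-edge-1": {   # both sampled mappings arrived (note the case difference on .5)
        "192.0.2.0": r"""
IP address: 192.0.2.0 (vsys1)
User: corpdomain\username1
From: UIA
Idle Timeout: 10229s
Max. TTL: 10229s
MFA Timestamp: first(1) - 2016/12/09 08:35:04
Group(s): corpdomain\groupname(621)
""",
        "192.0.2.5": r"""
IP address: 192.0.2.5 (vsys1)
User: CORPDOMAIN\Username2
From: UIA
Idle Timeout: 8000s
Max. TTL: 8000s
""",
    },
    "fw-edge-2": {   # stale user for .0, and no mapping at all for .5
        "192.0.2.0": r"""
IP address: 192.0.2.0 (vsys1)
User: corpdomain\stale-user
From: UIA
Idle Timeout: 120s
Max. TTL: 120s
""",
    },
}

if __name__ == "__main__":
    for fw, result in verify_redistribution(SOURCE_MAPPINGS, CAPTURED).items():
        for ip, status in result.items():
            print(f"{fw:10} {ip:12} {status}")
```

A status of missing or user mismatch on only one firewall points at the Panorama-to-firewall hop for that device (the User-ID Agents entry in its template, or the Panorama MGT interface not answering User-ID queries); if the same IP is wrong on every receiving firewall, check the firewall-to-Log Collector and Log Collector-to-Panorama steps first.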