Configure User-ID Redistribution
Before you configure User-ID redistribution:
- Plan the redistribution architecture. Some factors to consider are:
  - Which firewalls will enforce policies for all users, and which firewalls will enforce region- or function-specific policies for a subset of users?
  - How many hops does the redistribution sequence require to aggregate all User-ID information? The maximum allowed number of hops is ten.
  - How can you minimize the number of firewalls that query the user mapping information sources? The fewer querying firewalls there are, the lower the processing load on both the firewalls and the sources.
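A planning check for the hop limit above, added here as an example that is not part of the Palo Alto Networks documentation. It models the redistribution sequence as a directed graph in which every firewall or virtual system that redistributes mappings is a node (each vsys is its own node, since each counts as a hop), computes the longest chain of hops from the firewalls that query the information sources, and flags any path longer than ten. The topology and node names are constructed for illustration; counting a hop as one sender-to-receiver edge from a source-querying firewall is an assumption of this example.

```python
from collections import defaultdict

# Constructed topology (not from the page): an edge (sender, receiver) means
# the receiver queries the sender for User-ID information. A virtual system
# is written as "firewall:vsysN" so that it counts as its own hop.
SAMPLE_TOPOLOGY = [
    ("branch-fw-1", "regional-fw-east"),
    ("branch-fw-2", "regional-fw-east"),
    ("branch-fw-3", "regional-fw-west"),
    ("regional-fw-east", "hq-fw:vsys1"),
    ("regional-fw-west", "hq-fw:vsys1"),
    ("hq-fw:vsys1", "hq-fw:vsys2"),  # vsys-to-vsys on one firewall still counts
]

MAX_HOPS = 10  # limit stated in the documentation


def longest_chain(edges):
    """Return {node: (hops, path)} where hops is the longest number of
    redistribution hops needed for a mapping to reach node from a firewall
    that queries the sources directly (indegree 0 in the graph). Assumption:
    one hop per sender-to-receiver edge. Raises ValueError on a loop,
    because a loop would redistribute the same mappings indefinitely."""
    receivers = defaultdict(list)
    nodes = set()
    for sender, receiver in edges:
        receivers[sender].append(receiver)
        nodes.update((sender, receiver))
    indegree = {n: 0 for n in nodes}
    for _, receiver in edges:
        indegree[receiver] += 1
    # Kahn's algorithm: process nodes once all of their senders are done, so
    # the longest path into each node is known when it is visited.
    ready = [n for n in nodes if indegree[n] == 0]
    best = {n: (0, [n]) for n in nodes}
    processed = 0
    while ready:
        node = ready.pop()
        processed += 1
        hops, path = best[node]
        for receiver in receivers[node]:
            if hops + 1 > best[receiver][0]:
                best[receiver] = (hops + 1, path + [receiver])
            indegree[receiver] -= 1
            if indegree[receiver] == 0:
                ready.append(receiver)
    if processed != len(nodes):
        raise ValueError("redistribution topology contains a loop")
    return best


def check_hop_limit(edges, max_hops=MAX_HOPS):
    """Return [(node, hops, path)] for every node whose longest inbound
    chain exceeds max_hops; an empty list means the plan is within limits."""
    return [(n, h, p) for n, (h, p) in longest_chain(edges).items() if h > max_hops]


if __name__ == "__main__":
    for node, (hops, path) in sorted(longest_chain(SAMPLE_TOPOLOGY).items()):
        print(f"{node}: {hops} hop(s) via {' -> '.join(path)}")
    print("violations:", check_hop_limit(SAMPLE_TOPOLOGY))
```

Feeding the planned topology to `check_hop_limit` before building it is cheaper than discovering a missing mapping on the last aggregation layer after deployment; the loop check also catches a pair of firewalls configured to query each other.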
Perform the following steps on the firewalls in the User-ID redistribution sequence.
- Configure the firewall to redistribute User-ID information. Skip this step if the firewall receives but does not redistribute User-ID information.
  - Select Device > User Identification > User Mapping.
  - (Firewalls with multiple virtual systems only) Select the Location. You must configure the User-ID settings for each virtual system. You can redistribute information among virtual systems on different firewalls or on the same firewall; in both cases, each virtual system counts as one hop in the redistribution sequence.
  - Edit the Palo Alto Networks User-ID Agent Setup and select Redistribution.
  - Enter a Collector Name and Pre-Shared Key to identify this firewall or virtual system as a User-ID agent.
  - Click OK to save your changes.
- Configure the service route that the firewall uses to query other firewalls for User-ID information. Skip this step if the firewall receives user mapping information from Windows-based User-ID agents or directly from the information sources (such as directory servers) instead of from other firewalls.
  - (Firewalls with multiple virtual systems only) Select Global (for a firewall-wide service route) or Virtual Systems (for a virtual system-specific service route), and then configure the service route.
  - Click Service Route Configuration, select Customize, and select IPv4 or IPv6 based on your network protocols. Configure the service route for both protocols if your network uses both.
  - Select UID Agent and then select the Source Interface and Source Address.
  - Click OK twice to save the service route.
- Enable the firewall to respond when other firewalls query it for User-ID information. Skip this step if the firewall receives but does not redistribute User-ID information. Configure an Interface Management Profile with the User-ID service enabled and assign the profile to a firewall interface.
- Commit and verify your changes.
  - Commit your changes to activate them.
  - Access the CLI of a firewall that redistributes User-ID information.
  - Display all the user mappings by running the following command:
      > show user ip-user-mapping all
  - Record the IP address associated with any username.
  - Access the CLI of a firewall that receives redistributed User-ID information.
  - Display the mapping information and authentication timestamp for the <ip_address> you recorded:
      > show user ip-user-mapping <ip_address>
      IP address: 192.0.2.0 (vsys1)
      User: corpdomain\username1
      From: UIA
      Idle Timeout: 10229s
      Max. TTL: 10229s
      MFA Timestamp: first(1) - 2016/12/09 08:35:04
      Group(s): corpdomain\groupname(621)
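The verification step above is easy to automate once you have the CLI output for the recorded address. The following is an added example, not code from the Palo Alto Networks documentation: it parses one `show user ip-user-mapping <ip_address>` record into a dictionary and checks that the receiving firewall holds the expected user for that address, that the mapping arrived from the source you expect (the page's sample shows `From: UIA` for a redistributed mapping, which is the default here), that the mapping has not already expired, and optionally that an authentication timestamp was carried along. The sample output is constructed from the values in the page's example, laid out one field per line as the CLI prints it; the field layout the parser assumes is taken from that example.

```python
import re

# Constructed sample of the receiving firewall's output; the values are the
# ones shown in the documentation's example, one field per line.
SAMPLE_OUTPUT = """IP address: 192.0.2.0 (vsys1)
User: corpdomain\\username1
From: UIA
Idle Timeout: 10229s
Max. TTL: 10229s
MFA Timestamp: first(1) - 2016/12/09 08:35:04
Group(s): corpdomain\\groupname(621)
"""

_FIELD = re.compile(r"^\s*([^:]+?):\s*(.*?)\s*$")


def _seconds(value):
    """'10229s' -> 10229; None or an unparsable value -> None."""
    if value is None:
        return None
    m = re.match(r"(\d+)s", value)
    return int(m.group(1)) if m else None


def parse_mapping(output):
    """Parse a single mapping record into normalised keys, or return None
    when the output holds no 'IP address' line (no mapping for that IP)."""
    fields = {}
    for line in output.splitlines():
        m = _FIELD.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    if "IP address" not in fields:
        return None
    ip_match = re.match(r"(\S+)\s*(?:\((\S+)\))?", fields["IP address"])
    groups = fields.get("Group(s)", "")
    return {
        "ip": ip_match.group(1),
        "vsys": ip_match.group(2),
        "user": fields.get("User"),
        "source": fields.get("From"),
        "idle_timeout": _seconds(fields.get("Idle Timeout")),
        "max_ttl": _seconds(fields.get("Max. TTL")),
        "mfa_timestamp": fields.get("MFA Timestamp"),
        "groups": [g.strip() for g in groups.split(",") if g.strip()],
    }


def verify_redistributed(output, expected_ip, expected_user=None,
                         expected_source="UIA", require_timestamp=False):
    """Return (ok, problems). problems lists every check that failed, so a
    single run explains why a mapping did not arrive as expected."""
    rec = parse_mapping(output)
    if rec is None:
        return False, [f"no mapping for {expected_ip} on the receiving firewall"]
    problems = []
    if rec["ip"] != expected_ip:
        problems.append(f"output is for {rec['ip']}, not {expected_ip}")
    if expected_user is not None and rec["user"] != expected_user:
        problems.append(f"user is {rec['user']!r}, expected {expected_user!r}")
    if rec["source"] != expected_source:
        problems.append(f"mapping came from {rec['source']!r}, expected {expected_source!r}")
    if rec["max_ttl"] is not None and rec["max_ttl"] <= 0:
        problems.append("mapping TTL already exhausted")
    if require_timestamp and not rec["mfa_timestamp"]:
        problems.append("no authentication timestamp was redistributed")
    return not problems, problems


if __name__ == "__main__":
    ok, problems = verify_redistributed(SAMPLE_OUTPUT, "192.0.2.0",
                                        expected_user="corpdomain\\username1",
                                        require_timestamp=True)
    print("OK" if ok else "FAILED: " + "; ".join(problems))
```

`require_timestamp` defaults to off because only users who authenticated through a factor the firewall records carry an `MFA Timestamp`; turn it on when the point of the check is specifically that timestamps, not just mappings, are being redistributed.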