Configure User-ID Redistribution

Before you configure User-ID redistribution:
  • Plan the redistribution architecture. Some factors to consider are:
    • Which firewalls will enforce policies for all users and which firewalls will enforce region- or function-specific policies for a subset of users?
    • How many hops does the redistribution sequence require to aggregate all User-ID information? The maximum allowed number of hops is ten.
    • How can you minimize the number of firewalls that query the user mapping information sources? The fewer firewalls that query the sources, the lower the processing load on both the firewalls and the sources, and the fewer firewalls that need credentials for those sources.
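The following Python script is an added example (not from this page or from Palo Alto Networks) for the planning step above: it walks a planned redistribution sequence and reports the hop count of every firewall or virtual system, the vsys that query the information sources directly, and any member that exceeds the page's ten-hop limit. The topology and vsys names are constructed, and the counting convention (every vsys in a chain counts as one hop, including the one that queries the sources) is a conservative assumption drawn from the page's rule that each virtual system is one hop. It also rejects a redistribution loop, which the page does not discuss but which a planner should catch.

```python
"""Planning check for a User-ID redistribution sequence (added example).

Assumptions (not from the page): the topology is a mapping of
"vsys -> the vsys it queries for User-ID information"; a vsys with no
upstream (None) queries the information sources directly. Every vsys
in a chain, including the querying one, is counted as one hop.
MAX_HOPS is the limit stated on the page.
"""

MAX_HOPS = 10

# Constructed example topology; firewall and vsys names are hypothetical.
TOPOLOGY = {
    "dc-fw1/vsys1": None,                  # queries the directory servers
    "dc-fw1/vsys2": "dc-fw1/vsys1",        # same firewall, still one hop
    "region-east/vsys1": "dc-fw1/vsys2",
    "region-west/vsys1": "dc-fw1/vsys1",
    "branch-12/vsys1": "region-east/vsys1",
}


def chain_to_source(node, topology):
    """Return the hops from `node` back to the vsys that queries the sources.

    Raises ValueError on a redistribution loop or a reference to a vsys
    that is not in the topology.
    """
    chain, seen, cur = [], set(), node
    while cur is not None:
        if cur in seen:
            raise ValueError(f"redistribution loop at {cur}")
        if cur not in topology:
            raise ValueError(f"{cur} is not in the topology")
        seen.add(cur)
        chain.append(cur)
        cur = topology[cur]
    return chain


def hop_counts(topology):
    """Hop count of every vsys, counting the querying vsys as hop 1."""
    return {n: len(chain_to_source(n, topology)) for n in topology}


def sources(topology):
    """Vsys that query the information sources directly (fewer is better)."""
    return sorted(n for n, up in topology.items() if up is None)


def over_limit(topology, max_hops=MAX_HOPS):
    """Vsys whose chain is longer than the allowed number of hops."""
    return sorted(n for n, c in hop_counts(topology).items() if c > max_hops)


if __name__ == "__main__":
    for name, count in sorted(hop_counts(TOPOLOGY).items()):
        print(f"{name}: {count} hop(s)")
    print("querying vsys:", sources(TOPOLOGY))
    print("over the hop limit:", over_limit(TOPOLOGY))
```

Run it against the planned topology before touching any firewall; a non-empty `over_limit` result means the sequence must be flattened, for example by letting a second firewall query the sources directly.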
Perform the following steps on the firewalls in the User-ID redistribution sequence.
  1. Configure the firewall to redistribute User-ID information.
    Skip this step if the firewall receives but does not redistribute User-ID information.
    1. Select Device > User Identification > User Mapping.
    2. (Firewalls with multiple virtual systems only) Select the Location. You must configure the User-ID settings for each virtual system.
      You can redistribute information among virtual systems on different firewalls or on the same firewall. In both cases, each virtual system counts as one hop in the redistribution sequence.
    3. Edit the Palo Alto Networks User-ID Agent Setup and select Redistribution.
    4. Enter a Collector Name and Pre-Shared Key to identify this firewall or virtual system as a User-ID agent. The firewalls that query this one must present the same pre-shared key, so use a strong, unique value rather than one shared with other services.
    5. Click OK to save your changes.
  2. Configure the service route that the firewall uses to query other firewalls for User-ID information.
    Skip this step if the firewall receives user mapping information from Windows-based User-ID agents or directly from the information sources (such as directory servers) instead of from other firewalls.
    1. Select Device > Setup > Services.
    2. (Firewalls with multiple virtual systems only) Select Global (for a firewall-wide service route) or Virtual Systems (for a virtual system-specific service route), and then configure the service route.
    3. Click Service Route Configuration, select Customize, and select IPv4 or IPv6 based on your network protocols. Configure the service route for both protocols if your network uses both.
    4. Select UID Agent and then select the Source Interface and Source Address.
    5. Click OK twice to save the service route.
  3. Enable the firewall to respond when other firewalls query it for User-ID information.
    Skip this step if the firewall receives but does not redistribute User-ID information.
    Configure an Interface Management Profile with the User-ID service enabled and assign the profile to a firewall interface. Assign it only to the interface that the querying firewalls reach, and restrict the profile's Permitted IP Addresses to those firewalls so that no other host can query this firewall for user mappings.
  4. Commit and verify your changes.
    1. Commit your changes to activate them.
    2. Access the CLI of a firewall that redistributes User-ID information.
    3. Display all the user mappings by running the following command:
      > show user ip-user-mapping all
    4. Record the IP address associated with any username.
    5. Access the CLI of a firewall that receives redistributed User-ID information.
    6. Display the mapping information and authentication timestamp for the <ip_address> you recorded:
      > show user ip-user-mapping <ip_address>
      IP address:    192.0.2.0 (vsys1)
      User:          corpdomain\username1
      From:          UIA
      Idle Timeout:  10229s
      Max. TTL:      10229s
      MFA Timestamp: first(1) - 2016/12/09 08:35:04
      Group(s):      corpdomain\groupname(621)
      This example output shows the authentication timestamp for one response to an authentication challenge (factor). For Authentication policy rules that use Multi-Factor Authentication (MFA), the output shows multiple authentication timestamps, one per factor.
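As an added example (not from this page or from Palo Alto Networks), the Python script below automates the verification in step 4: it parses the per-IP mapping printout from the redistributing firewall and from a receiving firewall and reports whether the mapping arrived intact. Both printouts are constructed from the field layout of the example output above, not real captures. The redistributor's From value of AD, the expectation that the receiver shows From: UIA, and the expectation that the authentication timestamp is carried along unchanged are assumptions drawn from that example.

```python
"""Verify that a mapping on a redistributing firewall reached a receiving
firewall intact (added example, not Palo Alto Networks code).

The two printouts below are constructed from the field layout of the
page's example; they are not real captures.
"""
import re

# Constructed: what the redistributing firewall might print for one IP.
REDISTRIBUTOR_OUTPUT = r"""
IP address:    192.0.2.0 (vsys1)
User:          corpdomain\username1
From:          AD
Idle Timeout:  10229s
Max. TTL:      10229s
MFA Timestamp: first(1) - 2016/12/09 08:35:04
Group(s):      corpdomain\groupname(621)
"""

# Constructed: the same IP on a firewall that receives redistributed mappings.
RECEIVER_OUTPUT = r"""
IP address:    192.0.2.0 (vsys1)
User:          corpdomain\username1
From:          UIA
Idle Timeout:  10229s
Max. TTL:      10229s
MFA Timestamp: first(1) - 2016/12/09 08:35:04
Group(s):      corpdomain\groupname(621)
"""

# "Label:   value"; the lazy label stops at the first colon followed by spaces,
# so the colons inside the MFA timestamp do not split the line.
FIELD_RE = re.compile(r"^([A-Za-z.() ]+?):\s+(.*)$")


def parse_mapping(text):
    """Parse one per-IP mapping printout into a dict keyed by field label.

    Adds 'ip', 'vsys' and integer '<field> (s)' keys. Returns {} when no
    'IP address' line is present, i.e. the firewall has no mapping.
    """
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    if "IP address" not in fields:
        return {}
    ip_vsys = re.match(r"(\S+)\s*\((\S+)\)", fields["IP address"])
    if ip_vsys:
        fields["ip"], fields["vsys"] = ip_vsys.group(1), ip_vsys.group(2)
    for key in ("Idle Timeout", "Max. TTL"):
        value = fields.get(key, "")
        if value.endswith("s") and value[:-1].isdigit():
            fields[key + " (s)"] = int(value[:-1])
    return fields


def check_redistribution(redistributor_text, receiver_text):
    """Return a list of problems; an empty list means the mapping arrived intact."""
    src = parse_mapping(redistributor_text)
    dst = parse_mapping(receiver_text)
    if not dst:
        return [f"no mapping for {src.get('ip')} on the receiving firewall"]
    problems = []
    if src.get("ip") != dst.get("ip"):
        problems.append(f"IP mismatch: {src.get('ip')} vs {dst.get('ip')}")
    if src.get("User") != dst.get("User"):
        problems.append(f"user mismatch: {src.get('User')} vs {dst.get('User')}")
    if dst.get("From") != "UIA":
        problems.append(f"receiver learned the mapping from {dst.get('From')!r}, "
                        "not from a User-ID agent (UIA)")
    if dst.get("Max. TTL (s)", 0) <= 0:
        problems.append("mapping on the receiver has expired (Max. TTL is 0)")
    if src.get("MFA Timestamp") != dst.get("MFA Timestamp"):
        problems.append("authentication timestamp differs between redistributor and receiver")
    return problems


if __name__ == "__main__":
    print(check_redistribution(REDISTRIBUTOR_OUTPUT, RECEIVER_OUTPUT)
          or "mapping redistributed intact")
```

Paste the two printouts collected in steps 3 and 6 in place of the constructed strings; a From value other than UIA on the receiver means it learned the mapping from a local source rather than over the redistribution sequence, which is the first thing to check when policy on the receiver does not match the redistributor.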
