Configure User-ID Redistribution

Before you configure User-ID redistribution:
  • Plan the redistribution architecture. Some factors to consider are:
    • Which firewalls will enforce policies for all users and which firewalls will enforce region- or function-specific policies for a subset of users?
    • How many hops does the redistribution sequence require to aggregate all User-ID information? The maximum allowed number of hops is ten.
    • How can you minimize the number of firewalls that query the user mapping information sources? The fewer the number of querying firewalls, the lower the processing load is on both the firewalls and sources.
Perform the following steps on the firewalls in the User-ID redistribution sequence.
  1. Configure the firewall to redistribute User-ID information.
    Skip this step if the firewall receives but does not redistribute User-ID information.
    1. Select DeviceUser IdentificationUser Mapping.
    2. (Firewalls with multiple virtual systems only) Select the Location. You must configure the User-ID settings for each virtual system.
      You can redistribute information among virtual systems on different firewalls or on the same firewall. In both cases, each virtual system counts as one hop in the redistribution sequence.
    3. Edit the Palo Alto Networks User-ID Agent Setup and select Redistribution.
    4. Enter a Collector Name and Pre-Shared Key to identify this firewall or virtual system as a User-ID agent.
    5. Click OK to save your changes.
  2. Configure the service route that the firewall uses to query other firewalls for User-ID information.
    Skip this step if the firewall receives user mapping information from Windows-based User-ID agents or directly from the information sources (such as directory servers) instead of from other firewalls.
    1. Select DeviceSetupServices.
    2. (Firewalls with multiple virtual systems only) Select Global (for a firewall-wide service route) or Virtual Systems (for a virtual system-specific service route), and then configure the service route.
    3. Click Service Route Configuration, select Customize, and select IPv4 or IPv6 based on your network protocols. Configure the service route for both protocols if your network uses both.
    4. Select UID Agent and then select the Source Interface and Source Address.
    5. Click OK twice to save the service route.
  3. Enable the firewall to respond when other firewalls query it for User-ID information.
    Skip this step if the firewall receives but does not redistribute User-ID information.
    Configure an Interface Management Profile with the User-ID service enabled and assign the profile to a firewall interface.
  4. Commit and verify your changes.
    1. Commit your changes to activate them.
    2. Access the CLI of a firewall that redistributes User-ID information.
    3. Display all the user mappings by running the following command:
      > show user ip-user-mapping all
    4. Record the IP address associated with any username.
    5. Access the CLI of a firewall that receives redistributed User-ID information.
    6. Display the mapping information and authentication timestamp for the <ip_address> you recorded:
      > show user ip-user-mapping<ip_address> 
      IP address:    192.0.2.0 (vsys1) 
      User:          corpdomain\username1 
      From:          UIA 
      Idle Timeout:  10229s 
      Max. TTL:      10229s 
      MFA Timestamp: first(1) - 2016/12/09 08:35:04 
      Group(s):      corpdomain\groupname(621) 
      This example output shows the authentication timestamp for one response to an authentication challenge (factor). For Authentication policy rules that use Multi-Factor Authentication (MFA), the output shows multiple Authentication Timestamps.

Related Documentation