Share User-ID Mappings Across Virtual Systems
To share IP address-to-username mappings across virtual systems, assign a virtual system as a User-ID hub.
To simplify User-ID source configuration if you have multiple virtual systems, you can configure the User-ID sources on a single virtual system to share IP address-to-username mappings with all other virtual systems on the firewall.
Configuring a single virtual system as a User-ID hub simplifies user mapping by eliminating the need to configure the sources on multiple virtual systems, especially if a user’s traffic will pass through multiple virtual systems based on the resources the user is trying to access (for example, in an academic networking environment where a student will be accessing different departments whose traffic is managed by different virtual systems).
To map the user, the firewall uses the mapping table on the local virtual system and applies the policy for that user. If the firewall does not find the mapping for a user on the virtual system where that user’s traffic originated, the firewall queries the hub to fetch the IP-address-to-username information for that user. If the firewall locates the mapping on both the User-ID hub and the local virtual system, the firewall uses the mapping it learns locally.
After you configure the User-ID hub, when a virtual system needs to identify a user for user-based policy enforcement or to display the username in a log or report and the source is not available locally, the virtual system can use the mapping table on the User-ID hub. When you select a hub, the firewall retains the mappings on other virtual systems, so we recommend consolidating the User-ID sources on the hub. If you don’t want to share mappings from a specific source, you can configure an individual virtual system to perform user mapping.
- Assign the virtual system as a User-ID hub.
- Select DeviceVirtual Systems, then select the virtual system where you consolidated your User-ID sources.
- On the Resource tab, select Make this vsys a User-ID data hub, click Yes to confirm, then click OK.
- Consolidate your User-ID sources and migrate them to
the virtual system that you want to use as a User-ID hub. This consolidates the User-ID configuration for operational simplicity. By configuring the hub to monitor servers and connect to agents that were previously monitored by other virtual systems, the hub collects the user mapping information instead of having each virtual system collect it independently. If you don’t want to share mappings from a specific virtual systems, configure those mappings on a virtual system that will not be used as the hub.
- Remove any sources that are unnecessary or outdated.
- Manually copy any configurations for your Windows-based or integrated agents and
any sources that send user mappings using the XML API to the virtual system
you want to use as a User-ID hub.On the hub, you can configure any User-ID source that is currently configured on a virtual system. However, IP-address-and-port-to-username mapping information from Terminal Server agents and group mappings are not shared between the User-ID hub and the connected virtual systems.
- Specify the subnetworks that User-ID should include in or exclude from mapping.
- Define the Ignore User List.
- On all other virtual systems, remove any sources that are on the User-ID hub.
- Commit the changes to enable the User-ID hub and begin collecting mappings for the consolidated sources.
- Confirm the User-ID hub is mapping the users.
- Use the show user ip-user-mapping all command to show the IP-address-to-username mappings and which virtual system provides the mappings.
- Use the show user user-id-agent statistics command to show which virtual system is serving as the User-ID hub.
Shared User-ID Mappings Across Virtual Systems
To easily enforce user-based policy in a multi-vsys environment, you can assign a virtual system as the User-ID hub to share mappings with other virtual ...
Deploy User-ID in a Large-Scale Network
Deploy User-ID in a Large-Scale Network A large-scale network can have hundreds of information sources that firewalls query to map IP addresses to usernames and ...
Map IP Addresses to Users
Map IP Addresses to Users User-ID provides many different methods for mapping IP addresses to usernames. Before you begin configuring user mapping, consider where your ...
Virtual System Components and Segmentation
Virtual System Components and Segmentation A virtual system is an object that creates an administrative boundary, as shown in the following figure. A virtual system ...
Configure Virtual Systems
Configure Virtual Systems Creating a virtual system requires that you have the following: A superuser administrative role. An interface configured. A Virtual Systems license if ...
Virtual System Functionality with Other Features
Virtual System Functionality with Other Features Many firewall features and functionality are capable of being configured, viewed, logged, or reported per virtual system. Therefore, virtual ...
PAN-OS 9.0 includes WinRM Support for Server Monitoring, Shared User-ID Mappings Across Virtual Systems, and User-ID Support for Large Numbers of Terminal Servers. ...
Configure User-ID Redistribution
Configure User-ID Redistribution Before you configure User-ID redistribution: Plan the redistribution architecture. Some factors to consider are: Which firewalls will enforce policies for all users ...
Benefits of Virtual Systems
Benefits of Virtual Systems Virtual systems provide the same basic functions as a physical firewall, along with additional benefits: Segmented administration —Different organizations (or customers ...