Shared User-ID Mappings Across Virtual Systems

To easily enforce user-based policy in a multi-vsys environment, you can assign a virtual system as the User-ID hub to share mappings with other virtual systems.
To simplify User-ID source configuration if you have multiple virtual systems, you can now share user mappings across virtual systems. To share User-ID IP address-to-username mappings, choose a virtual system to use as a User-ID hub and consolidate all of the server monitoring configurations that you want to share on the hub.
The User-ID hub then collects the IP address-to-username mappings from the sources you configure and stores them in a centralized mapping table that is accessible to all other virtual systems on the firewall. If you have user information from specific monitored servers that you do not want to share across virtual systems, retain the server monitoring configuration on the individual virtual system instead of moving it to the hub.
When the firewall needs to identify the user to either enforce user-based policy or to include the username in a log or report, it first looks in the mapping table on the local virtual system. If it doesn’t find the mapping, it then checks the mapping table on the User-ID hub.
After you assign a virtual system as a User-ID hub and commit, all other virtual systems will have instantaneous access to the mappings on the User-ID hub. After you configure the User-ID hub, when a virtual system needs to identify a user for user-based policy enforcement or to display the user in a log or report, the virtual system can use the mapping table on the User-ID hub.
On the hub, you can configure any User-ID sources that are currently configured on a virtual system. However, IP-address-and-port-to-username mapping information from Terminal Server agents and group mappings are not shared between the User-ID hub and the connected virtual systems.
  1. Assign the virtual system as a User-ID hub.
    1. Select Device > Virtual Systems, then either select an existing virtual system or Add a virtual system.
    2. On the Resource tab, select Make this vsys a User-ID data hub.
    3. Click Yes to confirm, then click OK.
  2. For any existing virtual systems, transfer the configuration for the User-ID sources you want to share (such as monitored servers and User-ID agents) to the hub and then remove the duplicate sources from the existing virtual systems.
    This consolidates the User-ID configuration for operational simplicity. By configuring the hub to monitor servers and connect to agents that were previously monitored by other virtual systems, the hub can now collect the user mapping information instead of having each virtual system collect it independently. If there are any mappings that you don’t want to share across virtual systems, leave the sources on a virtual system that will not be used as the hub.
  3. Commit the changes to enable the User-ID hub and begin collecting mappings for the consolidated sources.
  4. Confirm the User-ID hub is mapping the users by entering the following commands:
    • show user ip-user-mapping all—The output displays the IP-address-to-username-mappings and which virtual system provided the mappings.
      admin@PA-5260> show user ip-user-mapping all 
      
      IP                Vsys               From    User                  IdleTimeout(s) MaxTimeout(s)
      --------------- ------------------- ------- ---------------------  -------------- -------------
      192.0.2.0        vsys2 (User-ID Hub) UIA     api-panorama\wrah51    Never          Never
      192.0.2.255      vsys1               UIA     api-panorama\pvdi4d    Never          Never
      198.51.100.0     vsys2 (User-ID Hub) UIA     api-panorama\bvxfgz    Never          Never
      198.51.100.255   vsys1               UIA     api-panorama\e8r3k4    Never          Never
      203.0.113.0      vsys1               UIA     api-panorama\4zr0l3    Never          Never
      203.0.113.255    vsys1               UIA     api-panorama\cff4br    Never          Never
      ...
    • show user user-id-agent state all—The output displays which virtual system is serving as the User-ID hub.
      admin@PA-5260> show user user-id-agent state all
      ...
      Agent: UIA-Win2012-panwqa-org(vsys: vsys2(User-ID Hub)) Host: 203.0.113.255
      ...
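The following Python script is an added example, not part of this page or of PAN-OS; it parses output in the shape of the `show user ip-user-mapping all` sample above and models the lookup order the page describes (local virtual system table first, then the User-ID hub). The sample output embedded in it is constructed from the rows shown on this page, and the function names (`parse_mappings`, `build_tables`, `resolve_user`, `unshared_mappings`) are assumptions of this example. It also reports which mappings live only on a non-hub virtual system, which is the check an administrator wants after step 2 to confirm that nothing meant to be shared was left behind.

```python
"""Parse 'show user ip-user-mapping all' output and model the documented lookup order.

Added example; the sample output below is constructed from the rows on this page.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on the page's output (raw string keeps the domain\user backslashes).
SAMPLE_OUTPUT = r"""
IP                Vsys               From    User                  IdleTimeout(s) MaxTimeout(s)
--------------- ------------------- ------- ---------------------  -------------- -------------
192.0.2.0        vsys2 (User-ID Hub) UIA     api-panorama\wrah51    Never          Never
192.0.2.255      vsys1               UIA     api-panorama\pvdi4d    Never          Never
198.51.100.0     vsys2 (User-ID Hub) UIA     api-panorama\bvxfgz    Never          Never
198.51.100.255   vsys1               UIA     api-panorama\e8r3k4    Never          Never
203.0.113.0      vsys1               UIA     api-panorama\4zr0l3    Never          Never
203.0.113.255    vsys1               UIA     api-panorama\cff4br    Never          Never
"""

# The Vsys column may carry the "(User-ID Hub)" marker, so it is matched as an optional group.
ROW_RE = re.compile(
    r"^(?P<ip>\S+)\s+(?P<vsys>vsys\d+)(?P<hub>\s+\(User-ID Hub\))?"
    r"\s+(?P<source>\S+)\s+(?P<user>\S+)\s+(?P<idle>\S+)\s+(?P<max>\S+)\s*$"
)


@dataclass(frozen=True)
class Mapping:
    ip: str
    vsys: str      # virtual system that provided the mapping
    is_hub: bool   # True when that vsys is flagged as the User-ID hub
    source: str    # e.g. UIA = User-ID agent
    user: str


def parse_mappings(text: str) -> List[Mapping]:
    """Return one Mapping per data row; header, separator and blank lines are skipped."""
    rows: List[Mapping] = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(Mapping(m["ip"], m["vsys"], m["hub"] is not None, m["source"], m["user"]))
    return rows


def build_tables(mappings: List[Mapping]) -> Tuple[Dict[str, Dict[str, str]], Optional[str]]:
    """Group mappings into a per-vsys table and identify the hub from the marker."""
    tables: Dict[str, Dict[str, str]] = {}
    hub: Optional[str] = None
    for m in mappings:
        tables.setdefault(m.vsys, {})[m.ip] = m.user
        if m.is_hub:
            hub = m.vsys
    return tables, hub


def resolve_user(ip: str, local_vsys: str, tables: Dict[str, Dict[str, str]],
                 hub: Optional[str]) -> Optional[Tuple[str, str]]:
    """Lookup order from the page: the local vsys table first, then the hub's table.

    Returns (username, "local" | "hub"), or None when neither table has the IP.
    """
    user = tables.get(local_vsys, {}).get(ip)
    if user is not None:
        return user, "local"
    if hub is not None and hub != local_vsys:
        user = tables.get(hub, {}).get(ip)
        if user is not None:
            return user, "hub"
    return None


def unshared_mappings(mappings: List[Mapping], hub: Optional[str]) -> Dict[str, List[str]]:
    """IPs whose mapping lives on a non-hub vsys and is therefore invisible to the other vsys."""
    result: Dict[str, List[str]] = {}
    for m in mappings:
        if m.vsys != hub:
            result.setdefault(m.vsys, []).append(m.ip)
    return result


if __name__ == "__main__":
    maps = parse_mappings(SAMPLE_OUTPUT)
    tables, hub = build_tables(maps)
    print(f"hub: {hub}, mappings: {len(maps)}")
    for ip in ("192.0.2.0", "192.0.2.255"):
        print(ip, "as seen from vsys1 ->", resolve_user(ip, "vsys1", tables, hub))
    print("not shared:", unshared_mappings(maps, hub))
```

Run it against a pasted copy of your own `show user ip-user-mapping all` output by replacing `SAMPLE_OUTPUT`; any IP listed under a non-hub virtual system is one that only that virtual system can use for policy, which is expected for sources you deliberately kept local and a configuration gap otherwise.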
