Shared User-ID Mappings Across Virtual Systems
To easily enforce user-based policy in a multi-vsys environment, you can assign a virtual system as the User-ID hub to share mappings with other virtual systems.
If you have multiple virtual systems, you can simplify User-ID source configuration by sharing user mappings across them. To share IP address-to-username mappings, choose one virtual system to use as the User-ID hub and consolidate on it all of the server monitoring configurations that you want to share.
The User-ID hub then collects the IP address-to-username mappings from the sources you configure and stores them in a centralized mapping table that is accessible to all other virtual systems on the firewall. If you have user information from specific monitored servers that you do not want to share across virtual systems, retain the server monitoring configuration on the individual virtual system instead of moving it to the hub.
When the firewall needs to identify the user to either enforce user-based policy or to include the username in a log or report, it first looks in the mapping table on the local virtual system. If it doesn’t find the mapping, it then checks the mapping table on the User-ID hub.
After you assign a virtual system as a User-ID hub and commit, all other virtual systems immediately have access to the mappings on the hub; no additional User-ID configuration is required on the other virtual systems for them to use the hub's mapping table for policy enforcement or for usernames in logs and reports.
On the hub, you can configure any User-ID source that can currently be configured on a virtual system. However, IP-address-and-port-to-username mappings from Terminal Server agents and group mappings are not shared between the User-ID hub and the other virtual systems, so those must remain configured on each virtual system that needs them.
- Assign the virtual system as a User-ID hub.
  - Select Device > Virtual Systems, then either select an existing virtual system or Add a virtual system.
  - On the Resource tab, select Make this vsys a User-ID data hub.
  - Click Yes to confirm, then click OK.
- For any existing virtual systems, transfer the configuration for the User-ID sources you want to share (such as monitored servers and User-ID agents) to the hub and then remove the duplicate sources from the existing virtual systems. This consolidates the User-ID configuration for operational simplicity. By configuring the hub to monitor servers and connect to agents that were previously monitored by other virtual systems, the hub collects the user mapping information instead of each virtual system collecting it independently. Remove the duplicates rather than leaving them in place: because a virtual system consults its own mapping table before the hub's, a source left on a virtual system keeps producing local mappings that take precedence over the hub's mappings on that virtual system. If there are any mappings that you don't want to share across virtual systems, leave those sources on a virtual system that will not be used as the hub.
- Commit the changes to enable the User-ID hub and begin collecting mappings for the consolidated sources.
- Confirm the User-ID hub is mapping the users by entering the following commands:
  - show user ip-user-mapping all—The output displays the IP-address-to-username mappings and which virtual system provided each mapping.

        admin@PA-5260> show user ip-user-mapping all

        IP              Vsys                From    User                   IdleTimeout(s) MaxTimeout(s)
        --------------- ------------------- ------- ---------------------- -------------- -------------
        192.0.2.0       vsys2 (User-ID Hub) UIA     api-panorama\wrah51    Never          Never
        192.0.2.255     vsys1               UIA     api-panorama\pvdi4d    Never          Never
        198.51.100.0    vsys2 (User-ID Hub) UIA     api-panorama\bvxfgz    Never          Never
        198.51.100.255  vsys1               UIA     api-panorama\e8r3k4    Never          Never
        203.0.113.0     vsys1               UIA     api-panorama\4zr0l3    Never          Never
        203.0.113.255   vsys1               UIA     api-panorama\cff4br    Never          Never
        ...
  - show user user-id-agent state all—The output displays which virtual system is serving as the User-ID hub.

        admin@PA-5260> show user user-id-agent state all
        ...
        Agent: UIA-Win2012-panwqa-org(vsys: vsys2(User-ID Hub)) Host: 203.0.113.255
        ...
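The CLI output above is the only place the firewall tells you which virtual system provided a mapping, so it is also where to check that consolidation left nothing behind. The following added example (not PAN-OS code and not part of this documentation) parses `show user ip-user-mapping all` output pasted from the CLI and applies the lookup order described above: the local vsys table first, then the hub. It assumes only the column layout shown on this page; the mapping rows are constructed, and 203.0.113.7 is deliberately mapped both locally on vsys1 and on the hub, which is what you see if a duplicate source was left on vsys1 after moving it to the hub.

```python
"""Parse `show user ip-user-mapping all` output and apply the firewall's lookup
order (local vsys table first, then the User-ID hub).

Added example, not PAN-OS code. It assumes only the column layout shown on this
page; the mapping rows in SAMPLE_OUTPUT are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample. vsys2 is the hub; 203.0.113.7 is mapped both locally on
# vsys1 and on the hub (to different users), as happens when a duplicate source
# is left on vsys1 after consolidating sources on the hub.
SAMPLE_OUTPUT = """\
IP              Vsys                From    User                  IdleTimeout(s) MaxTimeout(s)
--------------- ------------------- ------- --------------------- -------------- -------------
192.0.2.10      vsys2 (User-ID Hub) UIA     example\\alice         Never          Never
192.0.2.11      vsys1               UIA     example\\bob           Never          Never
198.51.100.5    vsys2 (User-ID Hub) UIA     example\\carol         Never          Never
203.0.113.7     vsys1               UIA     example\\stale-user    Never          Never
203.0.113.7     vsys2 (User-ID Hub) UIA     example\\dave          Never          Never
"""

# One data row: IP (v4 or v6), vsys with optional "(User-ID Hub)" tag, source,
# user, idle timeout, max timeout. Header, separator and prompt lines do not match.
ROW_RE = re.compile(
    r"^(?P<ip>[0-9a-fA-F.:]+)\s+"
    r"(?P<vsys>vsys\d+)(?P<hub>\s+\(User-ID Hub\))?\s+"
    r"(?P<src>\S+)\s+(?P<user>\S+)\s+(?P<idle>\S+)\s+(?P<max>\S+)$"
)


@dataclass(frozen=True)
class Mapping:
    ip: str
    vsys: str
    is_hub: bool
    source: str
    user: str


def parse_mappings(text: str) -> List[Mapping]:
    """Return one Mapping per data row of the pasted CLI output."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(Mapping(m["ip"], m["vsys"], bool(m["hub"]), m["src"], m["user"]))
    return rows


def hub_vsys(mappings: List[Mapping]) -> Optional[str]:
    """The vsys tagged as User-ID Hub, or None if the hub has no mappings yet."""
    hubs = {m.vsys for m in mappings if m.is_hub}
    if len(hubs) > 1:
        raise ValueError(f"more than one vsys tagged as hub: {sorted(hubs)}")
    return next(iter(hubs), None)


def resolve(mappings: List[Mapping], ip: str, local_vsys: str) -> Optional[Mapping]:
    """Identify `ip` for a lookup on `local_vsys` in the firewall's order: the
    local vsys table first, then the hub. Mappings owned by other non-hub
    virtual systems are never consulted."""
    for m in mappings:
        if m.ip == ip and m.vsys == local_vsys:
            return m
    for m in mappings:
        if m.ip == ip and m.is_hub:
            return m
    return None


def shadowed_mappings(mappings: List[Mapping]) -> List[Tuple[str, str, str, str]]:
    """IPs that a non-hub vsys maps locally to a different user than the hub does.
    On that vsys the local entry wins, so the hub's mapping is silently unused."""
    hub_users = {m.ip: m.user for m in mappings if m.is_hub}
    out = []
    for m in mappings:
        if not m.is_hub and m.ip in hub_users and hub_users[m.ip] != m.user:
            out.append((m.ip, m.vsys, m.user, hub_users[m.ip]))
    return out


if __name__ == "__main__":
    rows = parse_mappings(SAMPLE_OUTPUT)
    print(f"hub: {hub_vsys(rows)}, {len(rows)} mappings")
    for ip, vsys, local_user, hub_user in shadowed_mappings(rows):
        print(f"{ip}: {vsys} maps to {local_user}, hub maps to {hub_user}")
```

Run it against real output by replacing SAMPLE_OUTPUT with the pasted table. An empty shadowed_mappings list after the commit is the result you want; any entry it reports points at a source that still needs to be removed from the non-hub virtual system.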
Shared User-ID mappings across virtual systems were introduced in PAN-OS 9.0, together with WinRM support for server monitoring and User-ID support for large numbers of terminal servers.