Configure Access to User-ID Agents
Each firewall and Panorama management server can connect to a maximum of 100 User-ID agents or User-ID redistribution points (or a mixture of both). To add a connection, click Add and complete the following fields.
User-ID Agent Settings
Enter a descriptive name (up to 31 characters) for the User-ID agent or redistribution point. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Add an Agent Using
Select how the firewall identifies the User-ID agent or redistribution point:
Serial Number
Select the Panorama management server that redistributes user mappings to the firewall. For high availability (HA) deployments, you can select the active Panorama (panorama) or the passive Panorama.
You do not need to specify the host, port, or other connection information because you defined these during initial configuration of the firewall.
Enter the port number on which the User-ID agent listens for User-ID requests. The default is 5007 but you can specify any available port and different User-ID agents can use different ports.
The default port for some earlier versions of the User-ID agent is 2010.
Collector Name / Collector Pre-Shared Key / Confirm Collector Pre-Shared Key
Enter the Collector Name and Collector Pre-Shared Key that identify the firewall or virtual system as a User-ID agent. Enter the same values as when you configured the firewall or virtual system to redistribute user mappings (see Redistribution).
The collector these fields refer to is the User-ID agent, not a Log Collector, and the fields are configurable only when the agent is a firewall or virtual system.
Use as LDAP Proxy
Select this option to use this User-ID agent as a proxy for monitoring the directory server to map usernames to groups. To use this option, you must configure group mapping on the firewall (Device > User Identification > Group Mapping Settings). The firewall pushes that configuration to the User-ID agent to enable it to map usernames to groups.
This option is useful in deployments where the firewall cannot directly access the directory server. It is also useful in deployments that benefit from reducing the number of queries the directory server must process; multiple firewalls can receive the group mapping information from the cache on a single User-ID agent instead of requiring each firewall to query the server directly.
Use for NTLM Authentication
Select this option to use this User-ID agent as a proxy for performing NT LAN Manager (NTLM) authentication when a client web request matches an Authentication policy rule. The User-ID agent monitors the domain controller for user mapping information and forwards the information to the firewall. To use this option, you must also enable NTLM Authentication on the User-ID agent.
This option is useful in deployments where the firewall cannot directly access the domain controller to perform NTLM authentication. It is also useful in deployments that benefit from reducing the number of authentication requests the domain controller must process; multiple firewalls can receive the user mapping information from the cache on a single User-ID agent instead of requiring each firewall to query the domain controller directly.
Configure Authentication rules to use Kerberos single sign-on instead of NTLM authentication. Kerberos is a stronger, more robust authentication method than NTLM and does not require the firewall to have an administrative account to join the domain. For details on configuring the authentication methods for Authentication rules, see Objects > Authentication.
Enabled
Select this option to enable the firewall or Panorama to communicate with the User-ID agent or redistribution point.
HIP Report
Select this option to enable this firewall to receive HIP reports from other firewalls that are configured as User-ID agents (including GlobalProtect gateways, Distributed Log Collectors (DLCs), firewalls, and Panorama). The firewall can then use the information in the HIP reports for HIP-based policy enforcement.
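An added example, not part of the PAN-OS documentation or product: a Python pre-check that applies the constraints described above (100-agent limit, name rules, case-sensitive uniqueness, serial number versus host and port, legacy port 2010, collector pre-shared key only for firewall agents) to a list of planned agent definitions before they are entered. The dictionary keys, the agent_is_firewall flag and the sample values are assumptions constructed for the example.

```python
import re
from typing import Dict, List

# Limits and rules taken from the field descriptions above.
MAX_AGENTS = 100
NAME_RE = re.compile(r"^[A-Za-z0-9 _-]{1,31}$")  # letters, digits, space, '-' and '_'
DEFAULT_PORT, LEGACY_PORT = 5007, 2010

def validate_agents(agents: List[Dict]) -> List[str]:
    """Return a list of problems found; an empty list means the set looks acceptable.
    Each agent dict (assumed layout) has: name, optional serial, optional host/port,
    agent_is_firewall (bool), optional collector_psk / collector_psk_confirm."""
    problems = []
    if len(agents) > MAX_AGENTS:
        problems.append(f"{len(agents)} agents exceeds the limit of {MAX_AGENTS}")
    seen = set()
    for a in agents:
        name = a.get("name", "")
        if not NAME_RE.match(name):
            problems.append(f"{name!r}: name must be 1-31 letters, digits, spaces, '-' or '_'")
        if name in seen:  # names are case-sensitive, so 'Agent' and 'agent' are distinct
            problems.append(f"{name!r}: duplicate name")
        seen.add(name)
        if a.get("serial"):  # identified by Panorama serial number: host/port are not used
            if "host" in a or "port" in a:
                problems.append(f"{name!r}: host/port are ignored when a serial number is used")
        else:
            port = a.get("port", DEFAULT_PORT)
            if not a.get("host"):
                problems.append(f"{name!r}: host is required when no serial number is given")
            if not 1 <= port <= 65535:
                problems.append(f"{name!r}: port {port} is out of range")
            elif port == LEGACY_PORT:
                problems.append(f"{name!r}: port {LEGACY_PORT} is the default of older agents; confirm the agent version")
        has_psk = "collector_psk" in a or "collector_psk_confirm" in a
        if has_psk and not a.get("agent_is_firewall"):
            problems.append(f"{name!r}: collector pre-shared key applies only to firewall/vsys agents")
        if has_psk and a.get("collector_psk") != a.get("collector_psk_confirm"):
            problems.append(f"{name!r}: collector pre-shared key and its confirmation differ")
    return problems

# Constructed sample definitions (not from any real deployment).
SAMPLE_AGENTS = [
    {"name": "dc1-agent", "host": "10.0.0.5", "port": 5007, "agent_is_firewall": False},
    {"name": "branch-fw", "host": "10.0.1.1", "port": 5007, "agent_is_firewall": True,
     "collector_psk": "s3cret", "collector_psk_confirm": "s3cret"},
    {"name": "dc1-agent", "host": "10.0.0.6", "port": 2010, "agent_is_firewall": False},
    {"name": "bad!name", "serial": "PLACEHOLDER-SERIAL", "port": 5007,
     "agent_is_firewall": False, "collector_psk": "x"},
]

if __name__ == "__main__":
    for problem in validate_agents(SAMPLE_AGENTS):
        print(problem)
```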