Redistribute Data to Managed Firewalls

To ensure all the firewalls that enforce policies and generate reports have the required data and authentication timestamps for your policy rules, you can leverage your Panorama infrastructure to redistribute the mappings and timestamps.
  • Configure the Panorama management server to redistribute data.
    1. Add firewalls, virtual systems, or Windows User-ID agents as redistribution agents to Panorama:
      1. Select Panorama > Data Redistribution and Add each redistribution agent.
      2. Enter a Name to identify the redistribution agent.
      3. Confirm that the agent is Enabled.
      4. Enter the Host name or IP address of the MGT interface on the firewall.
      5. Enter the Port number on which the firewall will listen for data redistribution queries (default is 5007).
      6. If the redistribution agent is a firewall or virtual system, enter the Collector Name and Collector Pre-Shared Key.
      7. Select the Data type that you want to redistribute. You can select all data types, but you must select at least one of the following:
         • IP User Mappings
         • IP Tags
         • User Tags
         • HIP
         • Quarantine List
      8. Click OK to save the configuration.
    2. Enable the Panorama MGT interface to respond to data redistribution queries from firewalls:
      If the Panorama management server has a high availability (HA) configuration, perform this step on each HA peer as a best practice so that redistribution continues if Panorama fails over.
      1. Select Panorama > Setup > Interfaces and then Management.
      2. Select User-ID in the Network Services section and click OK.
    3. Select Commit > Commit to Panorama to activate your changes on Panorama.
  • Configure firewalls to receive data that Panorama redistributes.
    1. Select Device > Data Redistribution > Agents, then select the Template to which the firewalls are assigned.
    2. Add an agent and enter a Name.
    3. Select how you want to add the agent:
      • Serial Number—Select the Serial Number of the Panorama you want to use from the list:
        • panorama—The active or solitary Panorama
        • panorama2—(HA only) The passive Panorama
      • Host and Port—Specify the following information:
        • Enter the Host name or IP address of the MGT interface on the firewall.
        • Select whether the host is an LDAP Proxy.
        • Enter the Port number on which the firewall will listen for data redistribution queries (default is 5007).
        • If the redistribution agent is a firewall or virtual system, enter the Collector Name and Collector Pre-Shared Key.
        • Select the Data type that you want to redistribute.
    4. Confirm that the agent is Enabled and click OK to save the configuration.
    5. Select Commit > Commit and Push to activate your changes on Panorama and push the changes to the firewalls.
  • Verify that Panorama and firewalls receive redistributed data.
    1. View the agent statistics in Panorama > Data Redistribution > Agents and select Status to view a summary of the activity for the redistribution agent, such as the number of mappings that the client firewall has received.
    2. Confirm the Source Name in the User-ID logs (Monitor > Logs > User-ID) to verify that the firewall receives the mappings from the redistribution agents.
    3. View the IP-Tag log (Monitor > Logs > IP-Tag) to confirm that the client firewall receives data.
    4. Access the CLI of a firewall or Panorama management server that redistributes data.
    5. Display all the user mappings by running the following command:
       > show user ip-user-mapping all
    6. Record the IP address associated with any one username.
    7. Access the CLI of a firewall or Panorama management server that receives redistributed data.
    8. Display the mapping information and authentication timestamp for the <IP-address> you recorded:
       > show user ip-user-mapping ip <IP-address>
       IP address:    192.0.2.0 (vsys1)
       User:          corpdomain\username1
       From:          UIA
       Idle Timeout:  10229s
       Max. TTL:      10229s
       MFA Timestamp: first(1) - 2016/12/09 08:35:04
       Group(s):      corpdomain\groupname(621)
      This example output shows the timestamp for a response to one authentication challenge (factor). For Authentication rules that use multi-factor authentication (MFA), the output shows multiple timestamps.
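As an added verification aid that is not part of this documentation: a Python script that parses the output of show user ip-user-mapping ip as captured on the redistributing device and on a receiving firewall (steps 5 and 8 above) and reports any user, group, or MFA-timestamp mismatch that would make the two devices enforce a rule differently. The sample records are constructed from the page's example, and the layout beyond that example (comma-separated groups, several factors on one MFA Timestamp line) is an assumption.

```python
import re
from datetime import datetime

# Constructed sample output of "show user ip-user-mapping ip <IP-address>",
# modelled on the page's example; it is not a real capture.
SOURCE_OUTPUT = """\
IP address:    192.0.2.0 (vsys1)
User:          corpdomain\\username1
From:          UIA
Idle Timeout:  10229s
Max. TTL:      10229s
MFA Timestamp: first(1) - 2016/12/09 08:35:04
Group(s):      corpdomain\\groupname(621)
"""
# Constructed receiver copy in which the MFA timestamp never arrived.
STALE_OUTPUT = SOURCE_OUTPUT.replace("first(1) - 2016/12/09 08:35:04", "")

FIELD_RE = re.compile(r"^\s*([A-Za-z. ()]+?):\s*(.*)$")
MFA_RE = re.compile(r"(\w+)\((\d+)\)\s*-\s*(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})")


def parse_mapping(text):
    """Turn one CLI mapping record into a dict; lines that are not fields are ignored."""
    rec = {"mfa": [], "groups": []}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "IP address":
            rec["ip"], _, vsys = value.partition(" ")
            rec["vsys"] = vsys.strip("()")
        elif key == "User":
            rec["user"] = value
        elif key == "From":
            rec["source"] = value
        elif key in ("Idle Timeout", "Max. TTL"):
            rec["idle_timeout" if key == "Idle Timeout" else "max_ttl"] = int(value.rstrip("s"))
        elif key == "MFA Timestamp":  # one entry per factor (assumed: all on one line)
            rec["mfa"] += [(f, int(n), datetime.strptime(ts, "%Y/%m/%d %H:%M:%S"))
                           for f, n, ts in MFA_RE.findall(value)]
        elif key == "Group(s)":  # assumed comma-separated when there are several
            rec["groups"] = [g.strip() for g in value.split(",") if g.strip()]
    return rec


def compare_mappings(source, receiver):
    """List the differences that would change how the receiver evaluates a rule."""
    problems = [f"{f}: source={source.get(f)!r} receiver={receiver.get(f)!r}"
                for f in ("ip", "user", "groups", "mfa") if source.get(f) != receiver.get(f)]
    if receiver.get("idle_timeout", 0) <= 0:
        problems.append("receiver mapping has already timed out")
    return problems
```

Run compare_mappings over a record from each device; an empty list means the receiving firewall holds the same mapping and authentication timestamps as the redistributing device.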
