Redistribute Data to Managed Firewalls
To ensure that all the firewalls that enforce policies and generate reports have the required mapping data and authentication timestamps for your policy rules, you can use your Panorama infrastructure to redistribute the mappings and timestamps.
- Configure the Panorama management server to redistribute data.
- Add firewalls, virtual systems, or Windows User-ID agents as redistribution agents to Panorama:
- Select Panorama > Data Redistribution and Add each redistribution agent.
- Enter a Name to identify the redistribution agent.
- Confirm that the agent is Enabled.
- Enter the Hostname or IP address of the MGT interface on the firewall.
- Enter the Port number on which the firewall will listen for data redistribution queries (default is 5007).
- If the redistribution agent is a firewall or virtual system, enter the Collector Name and Collector Pre-Shared Key.
- Select the Data type that you want to redistribute. You can select all data types, but you must select at least one of the following:
- IP User Mappings
- IP Tags
- User Tags
- Quarantine List
- Click OK to save the configuration.
- Enable the Panorama MGT interface to respond to data redistribution queries from firewalls. If the Panorama management server has a high availability (HA) configuration, perform this step on each HA peer as a best practice so that redistribution continues if Panorama fails over.
- Select User-ID in the Network Services section and click OK.
- Select Commit > Commit to Panorama to activate your changes on Panorama.
- Configure firewalls to receive data that Panorama redistributes.
- Select Device > Data Redistribution > Agents, then select the Template to which the firewalls are assigned.
- Add an agent and enter a Name.
- Select how you want to add the agent:
- Serial Number—Select the Serial Number of the Panorama you want to use from the list:
- panorama—The active or solitary Panorama
- panorama2—(HA only) The passive Panorama
- Host and Port—Specify the following information:
- Enter the Hostname or IP address of the MGT interface on the firewall.
- Select whether the host is an LDAP Proxy.
- Enter the Port number on which the firewall will listen for data redistribution queries (default is 5007).
- Enter the Collector Name and Collector Pre-Shared Key.
- Select the Data type that you want to redistribute.
- Confirm that the agent is Enabled and click OK to save the configuration.
- Select Commit > Commit and Push to activate your changes on Panorama and push the changes to the firewalls.
- Verify that Panorama and firewalls receive redistributed data.
- View the agent statistics: select Panorama > Data Redistribution > Agents > Status to view a summary of the activity for the redistribution agent, such as the number of mappings that the client firewall has received.
- Confirm the Source Name in the User-ID logs (Monitor > Logs > User-ID) to verify that the firewall receives the mappings from the redistribution agents.
- View the IP-Tag log (Monitor > Logs > IP-Tag) to confirm that the client firewall receives data.
- Access the CLI of a firewall or Panorama management server that redistributes data.
- Display all the user mappings by running the following command:
  > show user ip-user-mapping all
- Record the IP address associated with any one username.
- Access the CLI of a firewall or Panorama management server that receives redistributed data.
- Display the mapping information and authentication timestamp for the <IP-address> you recorded:
  > show user ip-user-mapping ip <IP-address>
  IP address: 192.0.2.0 (vsys1)
  User: corpdomain\username1
  From: UIA
  Idle Timeout: 10229s
  Max. TTL: 10229s
  MFA Timestamp: first(1) - 2016/12/09 08:35:04
  Group(s): corpdomain\groupname(621)
  This example output shows the timestamp for a response to one authentication challenge (factor). For Authentication rules that use multi-factor authentication (MFA), the output shows multiple timestamps.
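The last two verification steps compare the mapping on the redistributing firewall with the copy on the receiving firewall. The following added example (not part of the Palo Alto Networks documentation or product) parses the `show user ip-user-mapping ip` output shown above, as captured from both devices, and reports whether the user and MFA timestamp arrived at the receiver; the sample outputs are constructed, and the layout of several MFA factors on one line is an assumption.

```python
import re
# Constructed sample shaped like the page's "show user ip-user-mapping ip" output (source firewall).
SOURCE_OUTPUT = r"""
IP address: 192.0.2.0 (vsys1)
User: corpdomain\username1
From: UIA
Idle Timeout: 10229s
Max. TTL: 10229s
MFA Timestamp: first(1) - 2016/12/09 08:35:04
Group(s): corpdomain\groupname(621)
"""
# Constructed receiver outputs: one that matches, one where the MFA
# timestamp did not arrive (the failure this check is meant to catch).
RECEIVER_OK = SOURCE_OUTPUT
RECEIVER_NO_MFA = SOURCE_OUTPUT.replace(
    "MFA Timestamp: first(1) - 2016/12/09 08:35:04\n", "")

# One "factor(n) - date time" group per authentication factor. Assumption:
# with MFA, additional factors appear as further groups on the same line.
MFA_RE = re.compile(r"(\w+)\((\d+)\) - (\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})")

def parse_mapping(text):
    """Parse one mapping into a dict; 'user' is None when no mapping is shown."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # only the first colon separates
        if sep:
            fields[key.strip()] = value.strip()
    addr = re.match(r"(\S+) \((\w+)\)", fields.get("IP address", ""))
    return {
        "ip": addr.group(1) if addr else None,
        "vsys": addr.group(2) if addr else None,
        "user": fields.get("User"),
        "mfa": [(f, int(n), ts) for f, n, ts in MFA_RE.findall(fields.get("MFA Timestamp", ""))],
    }

def verify_redistribution(source_text, receiver_text):
    """List discrepancies between source and receiver; [] means they match."""
    src, dst = parse_mapping(source_text), parse_mapping(receiver_text)
    if dst["user"] is None:
        return ["receiver has no mapping for %s" % src["ip"]]
    problems = []
    if dst["user"].lower() != src["user"].lower():  # domain\user compares case-insensitively
        problems.append("user differs: %s vs %s" % (src["user"], dst["user"]))
    if not dst["mfa"]:
        problems.append("receiver has no MFA timestamp for %s" % src["ip"])
    elif dst["mfa"] != src["mfa"]:
        problems.append("MFA timestamps differ for %s" % src["ip"])
    return problems
```

An empty list from `verify_redistribution` means the receiving firewall holds the same user and authentication timestamp as the source; a missing timestamp on the receiver is the case that breaks MFA-based Authentication rules.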