Redistribute User-ID Information to Managed Firewalls

To ensure all the firewalls that enforce policies and generate reports have the required IP address-to-username mappings and authentication timestamps for your entire user base, you can leverage your Panorama and distributed log collection infrastructure to redistribute the mappings and timestamps.
Before you configure User-ID Redistribution Using Panorama and Log Collectors:
  • Configure a Dedicated Log Collector to redistribute User-ID information.
    A Log Collector that is local to the Panorama management server does not redistribute User-ID information.
    1. Add Panorama, firewalls, or virtual systems as User-ID redistribution points to a Log Collector:
      1. Select
        Panorama
        Managed Collectors
        and select the Log Collector to edit it.
      2. Select
        User-ID Agents
        and
        Add
        a redistribution point.
        1. Enter a
          Name
          to identify the redistribution point.
        2. Enter the
          Host
          name or IP address of the interface on the firewall or Panorama that will respond to User-ID information queries from the Log Collector.
        3. Enter the
          Port
          number on which Panorama or the firewall will listen for User-ID information queries (default is 5007).
        4. If the redistribution point is a firewall or virtual system, enter the
          Collector Name
          and
          Collector Pre-Shared Key
          .
          In this context, the collector is a User-ID collector, not a Log Collector.
        5. Click
          OK
          to save your changes.
    2. Enable the management (MGT) interface of the Log Collector to respond to User-ID information queries from Panorama or firewalls:
      1. Select
        Panorama
        Managed Collectors
        and select the Log Collector to edit it.
      2. Select
        Interfaces
        and
        Management
        .
      3. Select
        User-ID
        in the Network Connectivity Services section and click
        OK
        .
    3. Click
      OK
      to save your changes to the Log Collector.
    4. Select
      Commit
      Commit and Push
      to activate your changes on Panorama and push the changes to the Log Collector.
  • Configure the Panorama management server to redistribute User-ID information.
    1. Add Log Collectors, firewalls, or virtual systems as redistribution points to Panorama:
      1. Select
        Panorama
        User Identification
        and
        Add
        each redistribution point.
      2. Enter a
        Name
        to identify the redistribution point.
      3. Enter the
        Host
        name or IP address of the MGT interface on the Log Collector or firewall.
      4. Enter the
        Port
        number on which the Log Collector or firewall will listen for User-ID information queries (default is 5007).
      5. If the redistribution point is a firewall or virtual system, enter the
        Collector Name
        and
        Collector Pre-Shared Key
        .
      6. Click
        OK
        to save the configuration.
    2. Enable the Panorama MGT interface to respond to User-ID information queries from Log Collectors or firewalls:
      If the Panorama management server has a high availability (HA) configuration, perform this step on each HA peer as a best practice so that redistribution continues if Panorama fails over.
      1. Select
        Panorama
        Setup
        Interfaces
        and
        Management
        .
      2. Select
        User-ID
        in the Network Connectivity Services section and click
        OK
        .
    3. Select
      Commit
      Commit to Panorama
      to activate your changes on Panorama.
  • Configure firewalls to receive User-ID information from Panorama or Log Collectors.
    If you are using Panorama to manage both your firewall and the Dedicated Log Collector (DLC), and you want to configure the firewall to receive User-ID information from Panorama or the log collectors, add the User-ID agent using the serial number to the Panorama template, then push the template to the firewall. If you add the User-ID agent on the firewall using the serial number, you will only see Panorama and not the DLC, and you will need to add the DLC to the firewall using the host and port number.
    1. Select
      Device
      User Identification
      User-ID Agents
      , select the
      Template
      to which the firewalls are assigned, and
      Add
      one of the following as a redistribution point:
      • Panorama
        Add an Agent Using
        the
        Serial Number
        , and set the
        Serial Number
        to
        panorama
        for the active or solitary Panorama or to
        panorama2
        (HA only) for the passive Panorama.
      • Log Collector
        Add an Agent Using
        the
        Host and Port
        . Enter the
        Host
        name or IP address of the MGT interface on the Log Collector. Then enter the
        Port
        number on which the Log Collector listens for User-ID information queries (default is 5007).
    2. Click
      OK
      to save the configuration.
    3. Select
      Commit
      Commit and Push
      to activate your changes on Panorama and push the changes to the firewalls.
  • Verify that Panorama, Log Collectors, and firewalls receive redistributed user mappings.
    1. Access the CLI of a firewall, Log Collector, or Panorama management server that redistributes User-ID information.
    2. Display all the user mappings by running the following command:
      >
      show user ip-user-mapping all
    3. Record the IP address associated with any one username.
    4. Access the CLI of a firewall, Log Collector, or Panorama management server that receives redistributed User-ID information.
    5. Display the mapping information and authentication timestamp for the
      <IP-address>
      you recorded:
      >
      show user ip-user-mapping ip
      <IP-address>
      IP address:    192.0.2.0 (vsys1) User:          corpdomain\username1 From:          UIA Idle Timeout:  10229s Max. TTL:      10229s MFA Timestamp: first(1) - 2016/12/09 08:35:04 Group(s): corpdomain\groupname(621)
      This example output shows the timestamp for a response to one authentication challenge (factor). For Authentication rules that use multi-factor authentication (MFA), the output shows multiple timestamps.

Related Documentation