Manage: Identity Redistribution
Focus
Focus
Strata Cloud Manager

Manage: Identity Redistribution

Table of Contents

Manage: Identity Redistribution

Use Strata Cloud Manager to set up and manage identity redistribution for NGFWs and Prisma Access.
Where Can I Use This?What Do I Need?
  • Prisma Access (Managed by Panorama or Strata Cloud Manager)
  • NGFW, including those funded by Software NGFW Credits
Each of these licenses include access to Strata Cloud Manager:
→ The features and capabilities available to you in Strata Cloud Manager depend on which license(s) you are using.
Use Strata Cloud Manager to set up and manage identity redistribution for NGFWs and Prisma Access.

Identity Redistribution (Prisma Access)

So that you can enforce your security policy consistently, Prisma Access shares identity data that GlobalProtect discovers locally across your entire Prisma Access environment.
So that you can enforce your security policy consistently, Prisma Access shares identity data that GlobalProtect discovers locally across your entire Prisma Access environment. Prisma Access can also share identity data with on-premises devices at remote network sites or service connection sites (HQ and data centers).
For Prisma Access Cloud Management, we’ve enabled some identity data redistribution by default, and for what’s left, we’ve made the configuration to enable redistribution very simple (just select a checkbox to select what data you want to share).
From the Identity Distribution dashboard, you can see how identity data is being shared and manage data redistribution (ManageConfigurationIdentity ServicesIdentity Redistribution.
Identity data that you can redistribute includes:
  • HIP data
  • IP-address-to-tag mappings
  • IP-address-to-user mappings
  • User-to-tag mappings
  • Quarantined devices
Get started with identity redistribution:

How Identity Redistribution Works

For mobile users to access a resource at a remote network location or HQ/data center that’s secured by a device with user-based policies, you must redistribute the identity data from the Prisma Access mobile users and users at remote networks to that on-premises device.
When the users connect to Prisma Access, Prisma Access collects the user’s identity data and stores it.
The following example shows two mobile users that have an existing IP address-to-username mapping in Prisma Access. Prisma Access then redistributes this mapping by way of a service connection to the on-premises devices that’s securing the HQ/data center.
Prisma Access Cloud Management automatically enables service connections to work as identity redistribution agents (also called User-ID agents).

Set Up Identity Redistribution

  • Confirm Your Service Connection Setup
    If you haven’t yet set up a service connection for your HQ or data centers, begin by configuring a service connection. A service connection is required for Prisma Access to share identity data across your environment; Prisma Access automatically enables service connections to work as redistribution agents. A newly-created service connection site will be ready to be used as a redistribution agent when you see that it's been assigned a User-ID Agent Address (Prisma Access does this automatically, and it'll just take a few minutes). Go to ManageConfigurationIdentity ServicesIdentity Redistribution and set the configuration scope to Service Connections to verify the service connection User-ID agent details.
  • Send Identity Data from Prisma Access to On-Premises Devices
    The service connection’s User-ID agent information is all you need to configure Prisma Access to distribute identity data to on-premises devices.
    Go to ManageConfigurationIdentity ServicesIdentity Redistribution and set the configuration scope to Service Connections to get the service connection User-ID agent details.
    Use these details to configure Prisma Access as a data redistribution agent on Panorama or a next-gen firewall.
  • Send Identity Data from On-Premises Devices to Prisma Access
    Add on-premises devices to Prisma Access as redistribution agents; the devices you add will be able to distribute identity data to Prisma Access.
    • From devices at remote network sites:
      Go to the Identity Redistribution dashboard, set the configuration scope to Remote Networks, and Add Agent. In addition to specifying the host details, select the type of data the device shares with Prisma Access. Optional settings include the name and a pre-shared key for the device.
    • From devices at service connection sites:
      Go to the Identity Redistribution dashboard, set the configuration scope to Service Connections, and Add Agent. In addition to specifying the host details, select the type of data the device shares with Prisma Access. Optional settings include the name and a pre-shared key for the device.
  • Configure the Terminal Server Agent for User Mapping
    The Terminal Server (TS) Agent allocates a port range to each user to identify specific users on Windows-based terminal servers. The TS Agent notifies Prisma Access of the allocated port ranges, so that Prisma Access can enforce policy based on users and user groups.
    On the Identity Redistribution dashboard, set the configuration scope to Remote Networks, and Add Terminal Server Agent under Terminal Server Sending to Remote Networks Nodes.
    • By default, the configuration is Enabled.
    • Enter a Name for the TS Agent.
    • Enter the IP address of the Windows Host on which the TS Agent is installed.
    • Enter the Port number on which the agent listens for user mapping requests. The port is set to 5009 by default.
    • Save your changes.
  • Distribute Identity Data Across Your Prisma Access Environment
    On the Identity Redistribution dashboard, Edit the diagram to specify the identity data you want to collect from each source and share across Prisma Access.
  • To activate your changes, push the configuration to Prisma Access.

Identity Redistribution (NGFW)

Streamline resource usage by configuring firewalls to collect mapping information from redistribution.
In a large-scale network, instead of configuring all your firewalls directly to query the mapping information sources, you can streamline resource usage by configuring some firewalls to collect mapping information through redistribution. Data redistribution also provides granularity, allowing you to redistribute only the types of information you specify to only the devices you select. You can also filter the IP user mappings or IP tag mappings using subnets and ranges to ensure the firewalls collect only the mappings they need to enforce policy rules.
To redistribute the data, you can use the following architecture types:
  • Hub and spoke architecture for a single region:
    To redistribute data between firewalls, use a hub and spoke architecture as a best practice. In this configuration, a hub firewall collects the data from sources such as Windows User-ID agents, syslog servers, Domain Controllers, or other firewalls. Configure the redistribution client firewalls to collect the data from the hub firewall.
  • Multi-Hub and spoke architecture for multiple regions:
    If you have firewalls deployed in multiple regions and want to distribute the data to the firewalls in all of these regions so that you can enforce policy rules consistently regardless of where the user logs in, you can use a multihub and spoke architecture for multiple regions.
  • Hierarchical architecture:
    To redistribute data, you can also use a hierarchical architecture. For example, to redistribute data such as User-ID information, organize the redistribution sequence in layers, where each layer has one or more firewalls. In the bottom layer, PAN-OS integrated User-ID agents running on firewalls and Windows-based User-ID agents running on Windows servers map IP addresses to usernames. Each higher layer has firewalls that receive the mapping information and authentication timestamps from up to 100 redistribution points in the layer beneath it. The top-layer firewalls aggregate the mappings and timestamps from all layers. This deployment provides the option to configure policy rules for all users in top-layer firewalls and region- or function-specific policy rules for a subset of users in the corresponding domains served by lower-layer firewalls.
When traffic isn’t being enforced as expected, use Troubleshooting to check the dataplane status of specific firewalls to understand whether there’s a mismatch between expected policies (as configured) and enforced policies.
  1. Log in to Strata Cloud Manager.
  2. Ensure your Strata Cloud Manager deployment meets the requirements to configure identity redistribution.
    1. Configure and activate the Cloud Identity Engine (CIE) for your Strata Cloud Manager tenant.
      This is required to use identity redistribution.
      1. Set Up the Cloud Identity Engine.
    2. Select ManageConfigurationNGFW and Prisma AccessObjectsAddress Groups and Add a Dynamic Address Group with the required IP address-to-tag mappings.
      For the address group Type, select Dynamic. Configure the Dynamic Address Group as needed and Save.
    3. Select ManageConfigurationNGFW and Prisma AccessObjectsDynamic User Groups and Add a Dynamic User Group with the required username-to-tag mappings.
      Configure the Dynamic User Group as needed and Save.
  3. Select ManageConfigurationNGFW and Prisma AccessIdentity ServicesIdentity Redistribution and select the Configuration Scope where you want to configure identity redistribution.
    You can select a folder or firewall from your Folders or select Snippets to configure identity redistribution in a snippet.
  4. Add Agent.
  5. Enter a descriptive Name for the agent.
  6. Enter the Host IP address.
  7. Enter the Port (range is 1-65535).
  8. Select the Data Type Mapping.
    • IP to User—IP address-to-username mappings for User-ID.
    • Host Information Profile (HIP)—IP address-to-tag mappings for Dynamic Address Groups.
    • IP to Tag—Username-to-tag mappings for Dynamic User Groups.
    • User to Tag—HIP data from GlobalProtect, which includes HIP objects and profiles.
    • Quarantined Device List—Devices that GlobalProtect identifies as quarantined.
  9. Save.
  10. (Cloud Management of NGFW only) Enable identity redistribution for firewalls.
    1. Select ManageConfigurationNGFW and Prisma AccessDevice SettingsDevice SetupManagement and select Customize to configure a service route for the uid-agent service.
      Select the Configuration Scope where you want to create the service route. You can select a folder or firewall from your Folders or select Snippets to configure the service route in a snippet.
    2. Enable the firewall to respond when other firewalls query it for data to redistribute.
      1. Select ManageConfigurationNGFW and Prisma AccessDevice SettingsDevice SetupManagement and enable the User-ID network service.
      2. Select ManageConfigurationNGFW and Prisma AccessDevice SettingsInterfaces to create or select a Layer 3 interface.
        Expand the Advanced Settings. In Other, create or edit the Management Profile to enable User-ID.
      • Select