Configure Firewalls to Redistribute User Mapping Information
Every firewall that enforces user-based policy requires user mapping information. However, a large-scale network where numerous firewalls directly query the mapping information sources requires both the firewalls and sources to use considerable resources. To improve resource efficiency, you can configure some firewalls to acquire mapping information through redistribution instead of direct querying. Redistribution also enables the firewalls to enforce user-based policies when users rely on local sources for authentication (for example, regional directory services) but need access to remote resources (for example, global data center applications).
Firewall Deployment for User-ID Redistribution
You can organize the redistribution sequence in layers, where each layer has one or more firewalls. In the bottom layer, PAN-OS integrated User-ID agents running on firewalls and Windows-based User-ID agents running on Windows servers perform the IP address-to-username mapping. Each higher layer has firewalls that receive the mapping information from up to 100 User-ID agents in the layer beneath it. The top-layer firewalls aggregate the mapping information from all layers. This deployment provides the option to configure global policies for all users (in top-layer firewalls) and region- or function-specific policies for a subset of users in the corresponding domains (in lower-layer firewalls).
Figure: User-ID-Redistribution shows a deployment with three layers of firewalls that redistribute mapping information from local information sources (directory servers, in this example) to regional offices and then to a global data center. The data center firewall that aggregates all the mapping information shares it with other data center firewalls so that they can all enforce global policy. Only the bottom layer firewalls use PAN-OS integrated User-ID agents and Windows-based User-ID agents to query the directory servers.
The information sources from which User-ID agents collect mapping information do not count towards the maximum of ten hops in the sequence. However, Windows-based User-ID agents that forward mapping information to firewalls do count. Therefore, in this example, redistribution from the European region to all the data center firewalls requires only three hops, while redistribution from the North American region requires four hops. Also in this example, the top layer has two hops: the first to aggregate mapping information in one data center firewall and the second to share the information with other data center firewalls.
Figure: User-ID-Redistribution
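The hop-counting rules described above (links from an information source to the agent that queries it do not count; every forwarding link from a Windows-based agent, firewall or vsys does; at most ten hops end to end and 100 User-ID agents feeding any one firewall), worked through as an added planning helper. This is example code written for this page, not part of the PAN-OS documentation or product; the `Topology` class, the node names and the three-layer topology that mirrors the figure are all constructed for the illustration.

```python
# Added example, not part of the PAN-OS documentation: a planning helper that
# models a User-ID redistribution topology and counts hops the way the text
# describes. A link from an information source (directory server) to the agent
# that queries it does not count; every other forwarding link (Windows-based
# agent -> firewall, firewall or vsys -> firewall) counts as one hop. It also
# checks the two documented limits: ten hops end to end and 100 User-ID agents
# feeding any single firewall. All node names below are constructed.
from collections import defaultdict

MAX_HOPS = 10
MAX_AGENTS_PER_FIREWALL = 100

# Node kinds: "source" = directory server or other information source,
# "agent" = Windows-based User-ID agent, "firewall" = a firewall or one vsys
# (model each vsys as its own node, because each vsys is its own hop).
# The value lists which kinds of node each kind may feed.
RECEIVERS = {"source": ("agent", "firewall"), "agent": ("firewall",), "firewall": ("firewall",)}


class Topology:
    def __init__(self):
        self.kind = {}
        self.forwards_to = defaultdict(list)  # node -> nodes it sends mappings to
        self.fed_by = defaultdict(list)       # node -> nodes it receives mappings from

    def add(self, name, kind):
        if kind not in RECEIVERS:
            raise ValueError(f"unknown node kind {kind!r}")
        self.kind[name] = kind
        return self

    def link(self, src, dst):
        """Record that dst collects mapping information from src."""
        if src not in self.kind or dst not in self.kind:
            raise KeyError("link references an undefined node")
        if self.kind[dst] not in RECEIVERS[self.kind[src]]:
            raise ValueError(f"{self.kind[src]} {src!r} cannot feed {self.kind[dst]} {dst!r}")
        self.forwards_to[src].append(dst)
        self.fed_by[dst].append(src)
        return self

    def hops(self, start, end, _path=()):
        """Fewest counted hops from start to end, or None if end is unreachable."""
        if start == end:
            return 0
        best = None
        for nxt in self.forwards_to[start]:
            if nxt in _path:
                continue  # skip loops so the walk terminates
            sub = self.hops(nxt, end, _path + (start,))
            if sub is None:
                continue
            total = sub + (0 if self.kind[start] == "source" else 1)
            best = total if best is None else min(best, total)
        return best

    def validate(self):
        """Return a list of problems; an empty list means the plan fits the limits."""
        problems = []
        for fw, feeders in self.fed_by.items():
            agents = [n for n in feeders if self.kind[n] != "source"]
            if len(agents) > MAX_AGENTS_PER_FIREWALL:
                problems.append(f"{fw} is fed by {len(agents)} User-ID agents "
                                f"(limit {MAX_AGENTS_PER_FIREWALL})")
        sources = [n for n, k in self.kind.items() if k == "source"]
        sinks = [n for n, k in self.kind.items()
                 if k == "firewall" and not self.forwards_to[n]]
        for s in sources:
            for t in sinks:
                h = self.hops(s, t)
                if h is not None and h > MAX_HOPS:
                    problems.append(f"{s} -> {t} needs {h} hops (limit {MAX_HOPS})")
        return problems


def figure_topology():
    """Constructed topology mirroring the three-layer figure: Europe uses the
    PAN-OS integrated agent on its bottom-layer firewall, North America uses a
    Windows-based agent, and one data center firewall aggregates and then
    shares the mappings with the other data center firewalls."""
    t = Topology()
    for n in ("eu-dir", "na-dir"):
        t.add(n, "source")
    t.add("na-win-agent", "agent")
    for n in ("eu-branch-fw", "na-branch-fw", "eu-regional-fw",
              "na-regional-fw", "dc-fw1", "dc-fw2", "dc-fw3"):
        t.add(n, "firewall")
    t.link("eu-dir", "eu-branch-fw")        # integrated agent queries source: not a hop
    t.link("na-dir", "na-win-agent")        # Windows agent queries source: not a hop
    t.link("na-win-agent", "na-branch-fw")  # Windows agent -> firewall: counts
    t.link("eu-branch-fw", "eu-regional-fw").link("na-branch-fw", "na-regional-fw")
    t.link("eu-regional-fw", "dc-fw1").link("na-regional-fw", "dc-fw1")
    t.link("dc-fw1", "dc-fw2").link("dc-fw1", "dc-fw3")
    return t


if __name__ == "__main__":
    t = figure_topology()
    print("Europe -> dc-fw2:", t.hops("eu-dir", "dc-fw2"))          # 3
    print("North America -> dc-fw2:", t.hops("na-dir", "dc-fw2"))   # 4
    print("problems:", t.validate() or "none")
```

Running the script reproduces the figure's counts (three hops from the European region, four from North America, because the Windows-based agent's forwarding link counts). Adding layers or vsys nodes to the chain shows at which point the ten-hop limit is exceeded, which is the check worth doing before committing configuration on many firewalls.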
Configure User-ID Redistribution
1. Plan the redistribution architecture.
   a. Decide which User-ID agents and methods to use for mapping IP addresses to usernames. You can redistribute user mapping information collected through any method except Terminal Services (TS) agents. You cannot redistribute Group Mapping or HIP match information.
   b. Determine the most efficient Firewall Deployment for User-ID Redistribution. Some factors to consider are:
      - Which firewalls will enforce global policies for all users, and which firewalls will enforce region- or function-specific policies for a subset of users?
      - How many hops does the redistribution sequence require to aggregate mapping information for the firewalls in each functional or regional layer to enforce policy?
      - How can you minimize the number of firewalls that query the information sources? The fewer firewalls that query the sources, the lower the processing load on both the firewalls and the sources.
2. Configure the User-ID agents to perform the user mapping:
   - Configure User Mapping Using the PAN-OS Integrated User-ID Agent.
   - Configure User Mapping Using the Windows User-ID Agent.
3. Enable each bottom-layer firewall to forward mapping information to the firewalls in the layer above.
   a. Configure the firewall to function as a User-ID agent:
      1. Select Device > User Identification > User Mapping.
      2. (Firewalls with multiple virtual systems only) Select the Location. You must configure the User-ID settings for each virtual system. You can redistribute mapping information among virtual systems on different firewalls or on the same firewall; in both cases, each virtual system counts as one hop in the redistribution sequence.
      3. Edit the Palo Alto Networks User-ID Agent Setup and select Redistribution.
      4. Enter a Collector Name to identify this firewall as a User-ID agent.
      5. Enter and confirm a Pre-Shared Key to secure communication between this firewall and the higher-layer firewalls. On a multi-vsys firewall, each vsys requires a unique pre-shared key.
      6. Click OK.
   b. Configure an Interface Management profile with the User-ID service enabled and assign the profile to the interface that the firewall will use to respond to mapping information queries from firewalls in the layer above.
   c. (Optional) Configure policies that are specific to the user accounts for which you want this firewall to collect mapping information.
   d. Commit your changes.
4. Enable each middle-layer firewall to receive mapping information from the layer below and forward it to the layer above. You must also perform this task for any firewall that redistributes mapping information to other firewalls in the same layer; for example, Figure: User-ID-Redistribution shows one data center firewall that redistributes to the other data center firewalls. Each firewall can receive mapping information from up to 100 User-ID agents. The figure shows only one middle layer of firewalls, but you can deploy as many layers as the redistribution limit of ten hops allows.
   a. Configure the firewall to receive mapping information from the firewalls acting as User-ID agents in the layer below:
      1. Select Device > User Identification > User-ID Agents and click Add.
      2. Enter a Name to identify the lower-layer firewall.
      3. Enter the Host name or IP address of the interface that you configured on the lower-layer firewall to respond to mapping information queries.
      4. Enter the Port number (default 5007) on which the lower-layer firewall listens for User-ID queries.
      5. Enter the Collector Name you specified when configuring the lower-layer firewall to act as a User-ID agent.
      6. Enter and confirm the Collector Pre-Shared Key you specified on the lower-layer firewall.
      7. Ensure the configuration is Enabled (the default) and click OK.
      8. Check the Connected column to confirm that the firewall you just added as a User-ID agent is connected.
   b. Configure a service route for the firewall to use when sending mapping information queries to the firewalls in the layer below:
      1. Select Device > Setup > Services.
      2. (Firewalls with multiple virtual systems only) Select Global (for a firewall-wide service route) or Virtual Systems (for a virtual system-specific service route). For details, refer to Customize Service Routes to Services for Virtual Systems.
      3. Click Service Route Configuration, select Customize, and select IPv4 or IPv6 depending on your network protocols. Configure the service route for both protocols if your network uses both.
      4. Select UID Agent and then select the Source Interface and Source Address.
      5. Click OK twice to save the service route.
   c. Enable the firewall to forward the mapping information to the firewalls in the layer above:
      1. Configure the firewall to function as a User-ID agent, as described for the bottom-layer firewalls.
      2. Configure an Interface Management profile with the User-ID service enabled and assign the profile to the interface that the firewall will use to respond to mapping information queries from firewalls in the layer above.
   d. (Optional) Configure policies specific to the user accounts for which you want this firewall to aggregate mapping information from lower layers.
   e. Commit your changes.
5. Enable each top-layer firewall to receive mapping information from all other layers. You must also perform this task for any firewall that is an end point of the redistribution sequence within a layer. In the example of Figure: User-ID-Redistribution, you would perform this task for the two data center firewalls that receive mapping information from the other data center firewall.
   a. Configure the firewall to receive mapping information from the firewalls acting as User-ID agents in the layer below, as described for the middle-layer firewalls.
   b. Configure a service route for the firewall to use when sending mapping information queries to the firewalls in the layer below.
   c. (Optional) Configure policies that are global to all user accounts.
   d. Commit your changes.
6. Verify that the top-layer firewalls are aggregating mapping information from all other layers. This step samples a single user mapping that is collected on a bottom-layer firewall and forwarded to a top-layer firewall. Repeat the step for several user mappings and several firewalls to ensure that your configuration is successful.
   a. Access the CLI of a bottom-layer firewall and run the following operational command:

         > show user ip-user-mapping all

      Record the IP address associated with any username.
   b. Access the CLI of a top-layer firewall and run the following command, where <address> is the IP address you recorded in the previous step:

         > show user ip-user-mapping ip <address>

      If the firewall successfully received the user mapping from the bottom-layer firewall, it displays output similar to the following, with the same username that you recorded on the bottom-layer firewall:

         IP address: 192.0.2.0 (vsys1)
         User: corpdomain\username1
         From: AD
         Idle Timeout: 2643s
         Max. TTL: 2643s
         Groups that the user belongs to (used in policy)
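The verification step above compares one sampled mapping by eye. The following added example automates that comparison: it parses the per-address output of show user ip-user-mapping ip <address> captured from a bottom-layer and a top-layer firewall and reports whether the top layer holds the same username for the sampled IP address. This is example code written for this page, not part of the PAN-OS documentation; the sample outputs are constructed in the format the page shows rather than captured from a firewall, and the treatment of the "no mapping" case (an output with no User: line) is an assumption.

```python
# Added example, not part of the PAN-OS documentation: parse the per-address
# output of "show user ip-user-mapping ip <address>" captured from a
# bottom-layer and a top-layer firewall, and confirm that the top layer holds
# the same username for the sampled IP address. The sample outputs below are
# constructed in the format the page shows; they are not captures from a
# real firewall.
import re

# Constructed sample: the mapping as the bottom-layer firewall shows it.
BOTTOM_LAYER_OUTPUT = """\
IP address: 192.0.2.0 (vsys1)
User: corpdomain\\username1
From: AD
Idle Timeout: 2643s
Max. TTL: 2643s
Groups that the user belongs to (used in policy)
"""

# Constructed sample: the same mapping after redistribution to the top layer
# (the timeouts differ because the entry was received later).
TOP_LAYER_OUTPUT = """\
IP address: 192.0.2.0 (vsys1)
User: corpdomain\\username1
From: AD
Idle Timeout: 2591s
Max. TTL: 2591s
Groups that the user belongs to (used in policy)
"""

# Assumption for the failure case: when the top-layer firewall has no mapping
# for the address, the output contains no "User:" line at all.
TOP_LAYER_MISSING_OUTPUT = ""

# "Key: value" lines; the key may contain spaces and periods ("Max. TTL").
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z. ]*?):\s*(.*?)\s*$")


def parse_mapping(output):
    """Return the mapping fields as a dict, or None if the output holds no mapping."""
    fields = {}
    for line in output.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    if "IP address" not in fields or "User" not in fields:
        return None
    # "192.0.2.0 (vsys1)" -> the address and the vsys that owns the mapping
    address, _, vsys = fields["IP address"].partition(" ")
    fields["IP address"] = address
    fields["vsys"] = vsys.strip("()")
    return fields


def check_redistribution(bottom_output, top_output):
    """Compare one sampled mapping across layers; returns (ok, explanation)."""
    bottom = parse_mapping(bottom_output)
    if bottom is None:
        return False, "bottom-layer firewall returned no mapping to sample"
    top = parse_mapping(top_output)
    if top is None:
        return False, f"top-layer firewall has no mapping for {bottom['IP address']}"
    if top["IP address"] != bottom["IP address"]:
        return False, "the two outputs describe different IP addresses"
    # Usernames are compared case-insensitively; directory names are not case-sensitive.
    if top["User"].lower() != bottom["User"].lower():
        return False, (f"username mismatch for {bottom['IP address']}: "
                       f"bottom={bottom['User']} top={top['User']}")
    return True, f"{bottom['IP address']} -> {bottom['User']} is present on both layers"


if __name__ == "__main__":
    for label, top in (("received", TOP_LAYER_OUTPUT),
                       ("missing", TOP_LAYER_MISSING_OUTPUT)):
        ok, why = check_redistribution(BOTTOM_LAYER_OUTPUT, top)
        print(f"[{label}] {'OK' if ok else 'FAIL'}: {why}")
```

Feed the function the captured text of the two commands for each address you sample; a missing mapping or a username mismatch on the top-layer firewall points at the collector name, pre-shared key, service route or Interface Management profile of the firewalls along that redistribution path. The vsys in parentheses is kept but not compared, since the sampled mapping may legitimately be owned by a different vsys on the top-layer firewall.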