Streamlined and Resilient Redistribution

Redistribute data by configuring the source once and selecting what type of information the source redistributes.
Data redistribution is now more streamlined to configure and more resilient after deployment. You can configure the source once, then select the type of information you want it to redistribute and which devices should receive the redistributed information from that source, instead of configuring the source separately for each data type, which can be time-consuming and repetitive.
You can redistribute:
Data redistribution uses two components:
  • The redistribution agent that provides information
  • The redistribution client that connects to the agent to receive information
In addition, these improvements help detect and prevent loops in redistribution (where a mapping that does not record its original source as it traverses the network returns to that source, which could then treat it as a new mapping).
  1. On a redistribution client firewall, configure a firewall, Windows User-ID agent, or Panorama as an agent to redistribute the data to the clients.
    1. Select Device > Data Redistribution > Agents on the firewall or Panorama > Data Redistribution > Agents for Panorama.
    2. Add a redistribution agent.
    3. Enter a Name for the redistribution agent.
    4. Confirm that the agent is Enabled.
  2. Select whether you want to add the agent using its Serial Number or its Host and Port numbers.
    • To add an agent using a serial number, select the Serial Number of the firewall or Panorama you want to use as a redistribution agent.
    • To add an agent using its host and port numbers:
      1. Enter the Host.
      2. Select whether the host is an LDAP Proxy.
      3. Enter the Port (range is 1 to 65535).
      4. (Virtual systems only) Enter the Collector Name to identify which virtual system you want to use as a redistribution agent.
      5. (Virtual systems only) Enter and confirm the Collector Pre-Shared Key for the virtual system you want to use as a redistribution agent.
  3. Select the Data type or types you want the agent to redistribute to the client.
    • IP User Mappings—IP address-to-username mappings for User-ID.
    • IP Tags—IP address-to-tag mappings for dynamic address groups.
    • User Tags—Username-to-tag mappings for dynamic user groups.
    • HIP—Host information profile (HIP) data from GlobalProtect, which includes HIP objects and profiles.
    • Quarantine List—Devices that GlobalProtect identifies as compromised.
  4. (Virtual systems only) Configure a virtual system as a collector that can redistribute data.
    Skip this step if the firewall receives but does not redistribute data.
    1. Select Device > Data Redistribution > Collector Settings, then edit the Data Redistribution Agent Setup.
    2. Enter a Collector Name to identify the virtual system that you want to receive redistribution information.
    3. Enter and confirm the Collector Pre-Shared Key for the virtual system that you want to receive redistribution information.
    4. Click OK.
  5. (Optional but recommended) Configure which networks you want the agent or agents to include in the data redistribution and which networks you want to exclude from data redistribution.
    You can include or exclude networks and subnetworks when redistributing either IP address-to-tag mappings or IP address-to-username mappings.
    As a best practice, always specify which networks to include and exclude from redistribution to ensure that the agent is only communicating with internal resources.
    1. Select Device > Data Redistribution > Include/Exclude Networks.
    2. Add an entry and enter a Name for the entry.
    3. Ensure the entry is Enabled.
    4. Select whether you want to Include or Exclude the entry.
    5. Enter the Network Address for the entry.
    6. Click OK.
  6. (Optional but recommended) Enable Authentication with Custom Certificates for Redistribution to use a custom certificate for mutual authentication between the redistribution agents and the clients.
    Because Panorama can be either an agent or a client, use Panorama > Data Redistribution to configure data redistribution on Panorama.
  7. Commit your changes.
  8. Verify the agents correctly redistribute data to the clients.
    1. View the agent statistics (Device > Data Redistribution > Agents) and select Status to view a summary of the activity for the redistribution agent, such as the number of mappings that the client firewall has received.
    2. Confirm that the Connected status is yes.
    3. Access the CLI and enter the following CLI command on the agent to check the status of the redistribution: show redistribution service status.
    4. Enter the following CLI command on the client to check the status of the redistribution: show redistribution service client all.
    5. Confirm the Source Name in the User-ID logs (Monitor > Logs > User-ID) to verify that the firewall receives the mappings from the redistribution agents.
    6. On the client firewall, view the IP-Tag log (Monitor > Logs > IP-Tag) to confirm that the client firewall receives data.
    7. Enter the following CLI command and verify that the From field (the source from which the firewall receives the mappings) is REDIST: show user ip-user-mapping all.
    8. Enter the following CLI command to view the redistribution clients: show redistribution service client all.
  9. (Optional) To troubleshoot data redistribution, enable the traceroute option.
    When you enable the traceroute option, the firewall that receives the data appends its IP address to the <route> field, which is a list of all firewall IP addresses that the data has traversed. This option requires that all PAN-OS devices in the redistribution route use PAN-OS version 10.0. If a PAN-OS device in the redistribution route uses PAN-OS 9.1.x or earlier versions, the traceroute information terminates at that device.
    1. On the redistribution agent where the source originates, enter the following CLI command: debug user-id test cp-login traceroute yes ip-address <ip-address> user <username> (where <ip-address> is the IP address of the IP address-to-username mapping you want to verify and <username> is the username of that mapping).
    2. On a client of the firewall where you configured the traceroute, verify the firewall redistributes the data bidirectionally by entering the following CLI command: show user ip-user-mapping all.
      The firewall displays the timestamp for the creation of the mapping (SeqNumber) and whether the user has GlobalProtect (GP User).
      admin > show user ip-user-mapping-mp ip 192.0.2.0
      
      IP address: 	192.0.2.0 (vsys1)
      User: 			jimdoe
      From:			REDIST
      Timeout:		889s
      Created:		11s ago
      Origin:			198.51.100.0
      SeqNumber:		15895329682-67831262
      GP User:		No
      Local HIP:		No
      Route Node 0:	198.51.100.0 (vsys1)
      Route Node 1:	198.51.100.1 (vsys1)
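The following is an added example, not part of the PAN-OS documentation or the product's own loop-detection logic: a small Python parser for the mapping output shown above that collects the traceroute Route Node entries, then flags a mapping whose route revisits a firewall or its Origin (the loop condition described earlier) and a mapping IP that falls outside a constructed include/exclude network policy. The sample output, the loop heuristic and the network lists are all constructed for illustration.

```python
import ipaddress
import re

# Constructed sample, modelled on the page's "show user ip-user-mapping-mp" output.
SAMPLE_OUTPUT = """\
admin > show user ip-user-mapping-mp ip 192.0.2.0

IP address:     192.0.2.0 (vsys1)
User:           jimdoe
From:           REDIST
Timeout:        889s
Created:        11s ago
Origin:         198.51.100.0
SeqNumber:      15895329682-67831262
GP User:        No
Local HIP:      No
Route Node 0:   198.51.100.0 (vsys1)
Route Node 1:   198.51.100.1 (vsys1)
"""

ROUTE_RE = re.compile(r"^\s*Route Node (\d+):\s*(\S+)")
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s*(.*)$")


def parse_mapping(text):
    """Turn the CLI output into a dict; Route Node lines are kept in order under 'route'."""
    entry = {"route": []}
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            entry["route"].append(m.group(2))   # firewall IP without the "(vsysN)" suffix
            continue
        m = FIELD_RE.match(line)
        if m:
            entry[m.group(1)] = m.group(2).strip()
    return entry


def check_mapping(entry, include_nets, exclude_nets):
    """Return findings: route loops (assumed heuristic) and IPs outside the include/exclude policy."""
    findings = []
    route = entry["route"]
    if len(set(route)) != len(route):
        findings.append("loop: a firewall appears more than once in the route")
    origin = entry.get("Origin")
    if origin and origin in route[1:]:          # Route Node 0 is normally the origin itself
        findings.append("loop: mapping returned to its origin " + origin)
    if entry.get("From") != "REDIST":
        findings.append("mapping was learned locally, not via redistribution")
    ip = ipaddress.ip_address(entry["IP address"].split()[0])
    inc = [ipaddress.ip_network(n) for n in include_nets]
    exc = [ipaddress.ip_network(n) for n in exclude_nets]
    if any(ip in n for n in exc) or (inc and not any(ip in n for n in inc)):
        findings.append("mapping IP %s falls outside the include/exclude policy" % ip)
    return findings
```

Run it against saved output from several clients to spot a mapping that has looped back or a source that is redistributing addresses you did not include.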