Configure Access to User-ID Agents
Table of Contents
Configure Access to User-ID Agents
Each firewall and Panorama management server can connect
to a maximum of 100 User-ID agents or User-ID redistribution points
(or a mixture of both). To add a connection, click Add and
complete the following fields.
User-ID Agent Settings | Description |
|---|---|
Name | Enter a descriptive name (up to 31 characters)
for the User-ID agent or redistribution point. The name is case-sensitive
and must be unique. Use only letters, numbers, spaces, hyphens,
and underscores. For a firewall or virtual system serving
as a redistribution point, this field does not have to match the Collector
Name field. |
Add an Agent Using (Firewall only) | Select how the firewall identifies the User-ID
agent or redistribution point:
|
Serial Number (Firewall only) | Select the Panorama management server that
redistributes user mappings to the firewall. For high availability
(HA) deployments, you can select the active Panorama (panorama)
or the passive Panorama (panorama2). You
do not need to specify the host, port, or other connection information
because you defined these during initial configuration of the firewall. |
Host |
|
Port | Enter the port number on which the User-ID
agent listens for User-ID requests. The default is 5007 but you
can specify any available port and different User-ID agents can
use different ports. The default port for some earlier
versions of the User-ID agent is 2010. |
Collector Name | Enter the Collector
Name and Pre-Shared Key that
identify the firewall or virtual system as a User-ID agent. Enter
the same values as when you configured the firewall or virtual system
to redistribute user mappings (see Redistribution). The
collector these fields refer to is the User-ID agent, not a Log
Collector, and the fields are configurable only when the agent is
a firewall or virtual system. |
Collector Pre-shared Key / Confirm Collector Pre-shared key | |
Use as LDAP Proxy (Firewall only) | Select this option to use this User-ID agent
as a proxy for monitoring the directory server to map usernames
to groups. To use this option, you must configure group mapping
on the firewall (Device
> User Identification > Group Mapping Settings). The firewall
pushes that configuration to the User-ID agent to enable it to map
usernames to groups. This option is useful in deployments
where the firewall cannot directly access the directory server.
It is also useful in deployments that benefit from reducing the
number of queries the directory server must process; multiple firewalls
can receive the group mapping information from the cache on a single User-ID
agent instead of requiring each firewall to query the server directly. |
Use for NTLM Authentication (Firewall only) | Select this option to use this User-ID agent
as a proxy for performing NT LAN Manager (NTLM) authentication 
This option is
useful in deployments where the firewall cannot directly access
the domain controller to perform NTLM authentication. It is also
useful in deployments that benefit from reducing the number of authentication requests
the domain controller must process; multiple firewalls can receive
the user mapping information from the cache on a single User-ID
agent instead of requiring each firewall to query the domain controller
directly. Configure Authentication
rules to use Kerberos single sign-on
|
Enabled | Select this option to enable
the firewall or Panorama to communicate with the User-ID agent or
redistribution point. |
HIP Report | Select this option to enable this firewall
to receive HIP reports from other firewalls that are configured
as User-ID agents (including GlobalProtect gateways, Distributed
Log Collectors (DLCs), firewalls, and Panorama). The firewall can
then use the information in the HIP reports for HIP-based policy enforcement. |