Configure Access to User-ID Agents
9.1 (EoL)
End-of-Life (EoL)
Each firewall and Panorama management server can connect
to a maximum of 100 User-ID agents or User-ID redistribution points
(or a mixture of both). To add a connection, click Add and
complete the following fields.
| User-ID Agent Settings | Description |
|---|---|
| Name | Enter a descriptive name (up to 31 characters) for the User-ID agent or redistribution point. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores. For a firewall or virtual system serving as a redistribution point, this field does not have to match the Collector Name field. |
| Add an Agent Using (Firewall only) | Select how the firewall identifies the User-ID agent or redistribution point: by Serial Number or by Host. |
| Serial Number (Firewall only) | Select the Panorama management server that redistributes user mappings to the firewall. For high availability (HA) deployments, you can select the active Panorama (panorama) or the passive Panorama (panorama2). You do not need to specify the host, port, or other connection information because you defined these during initial configuration of the firewall. |
| Host | |
| Port | Enter the port number on which the User-ID agent listens for User-ID requests. The default is 5007, but you can specify any available port, and different User-ID agents can use different ports. The default port for some earlier versions of the User-ID agent is 2010. |
| Collector Name / Collector Pre-shared Key / Confirm Collector Pre-shared Key | Enter the Collector Name and Pre-Shared Key that identify the firewall or virtual system as a User-ID agent. Enter the same values as when you configured the firewall or virtual system to redistribute user mappings (see Redistribution). The collector these fields refer to is the User-ID agent, not a Log Collector, and the fields are configurable only when the agent is a firewall or virtual system. |
| Use as LDAP Proxy (Firewall only) | Select this option to use this User-ID agent as a proxy for monitoring the directory server to map usernames to groups. To use this option, you must configure group mapping on the firewall (Device > User Identification > Group Mapping Settings). The firewall pushes that configuration to the User-ID agent to enable it to map usernames to groups. This option is useful in deployments where the firewall cannot directly access the directory server. It is also useful in deployments that benefit from reducing the number of queries the directory server must process; multiple firewalls can receive the group mapping information from the cache on a single User-ID agent instead of requiring each firewall to query the server directly. |
| Use for NTLM Authentication (Firewall only) | Select this option to use this User-ID agent as a proxy for performing NT LAN Manager (NTLM) authentication. This option is useful in deployments where the firewall cannot directly access the domain controller to perform NTLM authentication. It is also useful in deployments that benefit from reducing the number of authentication requests the domain controller must process; multiple firewalls can receive the user mapping information from the cache on a single User-ID agent instead of requiring each firewall to query the domain controller directly. Configure Authentication rules to use Kerberos single sign-on. |
| Enabled | Select this option to enable the firewall or Panorama to communicate with the User-ID agent or redistribution point. |
| HIP Report | Select this option to enable this firewall to receive HIP reports from other firewalls that are configured as User-ID agents (including GlobalProtect gateways, Distributed Log Collectors (DLCs), firewalls, and Panorama). The firewall can then use the information in the HIP reports for HIP-based policy enforcement. |
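As an added example (not Palo Alto Networks code and not part of this page), the following Python validator encodes the constraints from the table above so that an automation pipeline can reject a malformed User-ID agent entry before it is committed to a firewall or Panorama: the name rules, the serial-number versus host choice, the port range, the collector name and pre-shared key rules that apply only to firewall/vsys agents, the 100-agent limit, and the group-mapping prerequisite for LDAP proxy. The dataclass field names, the `add_using` values, and the sample entries are assumptions of this example, not PAN-OS identifiers.

```python
import re
from dataclasses import dataclass
from typing import Optional

MAX_AGENTS_PER_DEVICE = 100          # per firewall or Panorama, per the table above
NAME_RE = re.compile(r"^[A-Za-z0-9 _-]{1,31}$")
DEFAULT_PORT = 5007
LEGACY_PORT = 2010                   # default for some earlier agent versions
PANORAMA_SERIALS = {"panorama", "panorama2"}   # active / passive Panorama in HA


@dataclass
class UserIdAgent:
    """One 'Add' row. Field names are this example's own, not PAN-OS's."""
    name: str
    add_using: str                   # "serial" (Panorama) or "host" (agent / redistribution point)
    host: Optional[str] = None
    port: Optional[int] = None
    serial: Optional[str] = None
    is_firewall: bool = False        # agent is a firewall or vsys acting as redistribution point
    collector_name: Optional[str] = None
    collector_psk: Optional[str] = None
    collector_psk_confirm: Optional[str] = None
    ldap_proxy: bool = False
    ntlm_auth: bool = False
    enabled: bool = True


def validate_agent(a: UserIdAgent) -> list[str]:
    """Return the problems found in a single entry (an empty list means OK)."""
    errors: list[str] = []
    if not NAME_RE.match(a.name):
        errors.append("name must be 1-31 letters, digits, spaces, hyphens or underscores")
    if a.add_using == "serial":
        if a.serial not in PANORAMA_SERIALS:
            errors.append("serial must be 'panorama' (active) or 'panorama2' (passive)")
        if a.host is not None or a.port is not None:
            errors.append("host/port are not used when adding by serial number")
    elif a.add_using == "host":
        if not a.host:
            errors.append("host is required when adding by host")
        if a.port is None or not 1 <= a.port <= 65535:
            errors.append("port must be 1-65535 (default 5007)")
    else:
        errors.append("add_using must be 'serial' or 'host'")
    if a.is_firewall:
        # Collector Name and Pre-Shared Key identify a firewall/vsys agent and must
        # match what was configured on the redistribution point itself.
        if not a.collector_name:
            errors.append("collector_name is required for a firewall/vsys agent")
        if not a.collector_psk:
            errors.append("collector_psk is required for a firewall/vsys agent")
        elif a.collector_psk != a.collector_psk_confirm:
            errors.append("collector_psk and collector_psk_confirm differ")
    elif a.collector_name or a.collector_psk:
        errors.append("collector fields apply only when the agent is a firewall or vsys")
    return errors


def validate_device(agents: list[UserIdAgent], group_mapping_configured: bool = False) -> list[str]:
    """Device-level checks: agent count, unique (case-sensitive) names, LDAP proxy prerequisite."""
    errors: list[str] = []
    if len(agents) > MAX_AGENTS_PER_DEVICE:
        errors.append(f"{len(agents)} agents exceeds the limit of {MAX_AGENTS_PER_DEVICE}")
    seen: set[str] = set()
    for a in agents:
        if a.name in seen:
            errors.append(f"{a.name}: duplicate name")
        seen.add(a.name)
        if a.ldap_proxy and not group_mapping_configured:
            errors.append(f"{a.name}: LDAP proxy requires Group Mapping Settings on the firewall")
        errors.extend(f"{a.name}: {e}" for e in validate_agent(a))
    return errors


def legacy_port_warnings(agents: list[UserIdAgent]) -> list[str]:
    """Flag agents still on the older default port 2010 (not an error, but worth a review)."""
    return [f"{a.name}: port 2010 is the default of older agent versions"
            for a in agents if a.port == LEGACY_PORT]


if __name__ == "__main__":
    # Constructed sample entries (not from any real deployment).
    sample = [
        UserIdAgent("dc-agent-01", "host", host="10.0.0.5", port=DEFAULT_PORT),
        UserIdAgent("branch fw", "host", host="10.1.0.1", port=LEGACY_PORT, is_firewall=True,
                    collector_name="branch-fw", collector_psk="s3cret", collector_psk_confirm="s3cret"),
        UserIdAgent("pano", "serial", serial="panorama"),
        UserIdAgent("bad/name", "host", host="10.2.0.9", port=70000, ldap_proxy=True),
    ]
    for line in validate_device(sample) + legacy_port_warnings(sample):
        print(line)
```

Running the module prints three errors for the `bad/name` entry (invalid name, out-of-range port, LDAP proxy without group mapping) and one warning for the agent still listening on port 2010; the three well-formed entries produce nothing.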